Configuring tcp proxy – H3C Technologies H3C SecBlade LB Cards User Manual

Step 2: Enter VD system view.
  Command: switchto vd vd-name
  Remarks: Required for a non-default VD.

Step 3: Enter attack protection policy view.
  Command: attack-defense policy policy-number
  Remarks: N/A

Step 4: Enable DNS flood attack protection.
  Command: defense dns-flood enable
  Remarks: Disabled by default.

Step 5: Configure the global action and silence thresholds for DNS flood attack protection.
  Command: defense dns-flood rate-threshold high rate-number [ low rate-number ]
  Remarks: Optional. By default, the action threshold is 1000 packets per second and the silence threshold is 750 packets per second.

Step 6: Configure the action and silence thresholds for DNS flood attack protection of a specific IP address.
  Command: defense dns-flood ip ip-address rate-threshold high rate-number [ low rate-number ]
  Remarks: Optional. Not specifically configured for an IP address by default.

Applying an attack protection policy to a security zone

A configured attack protection policy takes effect only after you apply it to a specific security zone.

To apply an attack protection policy to a security zone:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enter VD system view.
  Command: switchto vd vd-name
  Remarks: Required for a non-default VD.

Step 3: Enter security zone view.
  Command: zone name zone-name id zone-id
  Remarks: N/A

Step 4: Apply an attack protection policy to the security zone.
  Command: attack-defense apply policy policy-number
  Remarks: By default, no attack protection policy is applied to any security zone. The attack protection policy to be applied to a security zone must already exist.

Configuring TCP proxy

TCP proxy is typically used on the security zones of a device that connect to external networks, to protect internal servers from SYN flood attacks. When the device detects a SYN flood attack, it takes the protection actions configured with the defense syn-flood action command. If the trigger-tcp-proxy keyword is specified in the defense syn-flood action command, the device starts TCP proxy in the specified mode to inspect and process subsequent TCP connection requests destined for the protected IP address. The protected IP address can be configured manually or generated dynamically by SYN flood attack detection.

To configure the TCP proxy function:
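The following Python model is an added example, not H3C code, that ties together the three procedures on this page: a policy with a flood defense whose global action/silence thresholds can be overridden per IP (steps 5 and 6 of the DNS flood table), the policy being applied to a security zone (the "Applying an attack protection policy" table), and SYN flood detection adding a dynamically protected IP for TCP proxy when trigger-tcp-proxy is set. The class names, the zone lookup, the constructed packet-rate trace and the SYN flood threshold values are all assumptions of this example; the only page-given defaults are the DNS flood thresholds of 1000 and 750 packets per second. It also assumes the usual meaning of the two thresholds, namely that protection starts when the rate exceeds the action threshold and stops when it falls below the silence threshold, and it does not age out dynamic entries because the page does not describe that.

```python
"""Constructed model of flood thresholds, zone policy application and TCP proxy
triggering as described on this page. Not H3C code; names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class FloodDefense:
    """One 'defense <type>-flood' configuration inside an attack protection policy."""
    enabled: bool = False                 # defense <type>-flood enable (disabled by default)
    high: int = 1000                      # global action threshold, pps (page default for DNS flood)
    low: int = 750                        # global silence threshold, pps (page default for DNS flood)
    per_ip: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # defense ... ip <ip> rate-threshold
    trigger_tcp_proxy: bool = False       # defense syn-flood action ... trigger-tcp-proxy

    def thresholds(self, ip: str) -> Tuple[int, int]:
        # Assumption: a per-IP threshold pair takes precedence over the global pair.
        return self.per_ip.get(ip, (self.high, self.low))


@dataclass
class AttackDefensePolicy:
    number: int                           # attack-defense policy <policy-number>
    dns_flood: FloodDefense = field(default_factory=FloodDefense)
    syn_flood: FloodDefense = field(default_factory=FloodDefense)


class Device:
    def __init__(self) -> None:
        self.policies: Dict[int, AttackDefensePolicy] = {}
        self.zone_policy: Dict[str, int] = {}           # zone -> applied policy number
        self.manual_protected: Set[str] = set()         # TCP-proxy protected IPs configured by hand
        self.dynamic_protected: Set[str] = set()        # generated by SYN flood detection
        self.active: Set[Tuple[str, str, str]] = set()  # (zone, kind, ip) currently under protection

    def apply_policy(self, zone: str, number: int) -> bool:
        """attack-defense apply policy <number>; rejected unless the policy already exists."""
        if number not in self.policies:
            return False
        self.zone_policy[zone] = number
        return True

    def observe(self, zone: str, kind: str, ip: str, pps: int) -> Optional[str]:
        """Feed one second's packet rate toward ip on zone; return "start", "stop" or None.

        Assumption: protection starts when the rate exceeds the action (high) threshold
        and ends when it drops below the silence (low) threshold. The gap between the
        two is hysteresis, so a rate hovering near one limit does not flap."""
        number = self.zone_policy.get(zone)
        if number is None:
            return None                                 # no policy applied to this zone
        defense = self.policies[number].dns_flood if kind == "dns" else self.policies[number].syn_flood
        if not defense.enabled:
            return None
        high, low = defense.thresholds(ip)
        key = (zone, kind, ip)
        if key not in self.active and pps > high:
            self.active.add(key)
            if kind == "syn" and defense.trigger_tcp_proxy:
                self.dynamic_protected.add(ip)          # dynamically generated protected IP
            return "start"
        if key in self.active and pps < low:
            self.active.discard(key)
            return "stop"
        return None

    def tcp_proxy_applies(self, ip: str) -> bool:
        """TCP proxy handles connection requests to manually or dynamically protected IPs."""
        return ip in self.manual_protected or ip in self.dynamic_protected


def run_demo() -> Tuple[Device, List[Tuple[int, str, str, str]]]:
    """Configure a device as in the page's tables and replay a constructed rate trace."""
    dev = Device()
    policy = AttackDefensePolicy(number=1)
    policy.dns_flood.enabled = True                           # defense dns-flood enable
    policy.dns_flood.per_ip["10.1.1.53"] = (500, 300)         # per-IP override of the 1000/750 defaults
    policy.syn_flood.enabled = True
    policy.syn_flood.high, policy.syn_flood.low = 2000, 1500  # constructed SYN flood thresholds
    policy.syn_flood.trigger_tcp_proxy = True
    dev.policies[1] = policy
    dev.apply_policy("untrust", 1)                            # zone untrust gets policy 1; zone trust gets none
    dev.manual_protected.add("10.1.1.80")                     # manually configured protected IP

    # Constructed trace: (second, zone, kind, destination IP, packets per second)
    trace = [
        (1, "untrust", "dns", "10.1.1.53", 600),   # above per-IP high 500 -> start
        (2, "untrust", "dns", "10.1.1.53", 400),   # between 300 and 500 -> no change (hysteresis)
        (3, "untrust", "dns", "10.1.1.53", 200),   # below per-IP low 300 -> stop
        (4, "untrust", "dns", "10.1.1.10", 900),   # below global high 1000 -> nothing
        (5, "untrust", "dns", "10.1.1.10", 1200),  # above global high -> start
        (6, "untrust", "syn", "10.1.1.25", 2500),  # SYN flood -> start, 10.1.1.25 becomes TCP-proxy protected
        (7, "trust", "syn", "10.1.1.25", 9000),    # no policy applied to zone trust -> ignored
        (8, "untrust", "syn", "10.1.1.25", 1000),  # below SYN low 1500 -> stop
    ]
    transitions = []
    for second, zone, kind, ip, pps in trace:
        event = dev.observe(zone, kind, ip, pps)
        if event:
            transitions.append((second, kind, ip, event))
    return dev, transitions


if __name__ == "__main__":
    device, events = run_demo()
    for event in events:
        print(event)
    print("TCP proxy for 10.1.1.25:", device.tcp_proxy_applies("10.1.1.25"))
```

Running the demo shows the two points worth checking in a real deployment: the per-IP thresholds are what decide for 10.1.1.53, not the global defaults, and traffic arriving on a zone with no policy applied is never evaluated at all, which is why the apply step is mandatory.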
