
Configuring TCP proxy, Network requirements, Configuration procedure – H3C Technologies H3C SecBlade LB Cards User Manual


Flow Statistics Information
------------------------------------------------------------
Zone : Trust
------------------------------------------------------------
Total number of existing sessions : 13676
Session establishment rate : 2735/s
TCP sessions : 0
Half-open TCP sessions : 0
Half-close TCP sessions : 0
TCP session establishment rate : 0/s
UDP sessions : 13676
UDP session establishment rate : 2735/s
ICMP sessions : 0
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s

The output shows that in security zone Trust, a large number of UDP packets are destined for 10.1.1.2, and the session establishment rate has exceeded the specified threshold. Therefore, you can determine that the server is under a UDP flood attack. You can use the display attack-defense statistics command to view the related statistics collected after the UDP flood protection function takes effect.
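The check described above can be automated against captured output. The following Python sketch is an added example, not part of the H3C manual: it parses one zone's statistics block and reports every protocol whose session establishment rate exceeds a threshold. The sample text is copied from the display above; the threshold values and the function names are assumptions, since the page does not state the configured threshold.

```python
import re

# Statistics block copied from the display shown on this page (zone Trust).
SAMPLE = """\
Flow Statistics Information
------------------------------------------------------------
Zone : Trust
------------------------------------------------------------
Total number of existing sessions : 13676
Session establishment rate : 2735/s
TCP sessions : 0
Half-open TCP sessions : 0
Half-close TCP sessions : 0
TCP session establishment rate : 0/s
UDP sessions : 13676
UDP session establishment rate : 2735/s
ICMP sessions : 0
ICMP session establishment rate : 0/s
RAWIP sessions : 0
RAWIP session establishment rate : 0/s
"""

# Assumed per-protocol thresholds in sessions/s (not taken from the manual).
THRESHOLDS = {"TCP": 1000, "UDP": 1000, "ICMP": 1000}

LINE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>\S+)\s*$")
RATE_KEY = re.compile(r"^(?P<proto>\w+) session establishment rate$")

def parse_flow_stats(text):
    """Return (zone, {field name: int}) for one zone's statistics block."""
    zone, fields = None, {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # title, separator rows, blank lines
        key, val = m["key"], m["val"]
        if key == "Zone":
            zone = val
            continue
        num = val[:-2] if val.endswith("/s") else val  # drop the rate unit
        if num.isdigit():
            fields[key] = int(num)
    return zone, fields

def flood_suspects(fields, thresholds):
    """Map protocol -> rate for each per-protocol rate above its threshold."""
    hits = {}
    for key, rate in fields.items():
        m = RATE_KEY.match(key)
        if m and rate > thresholds.get(m["proto"], float("inf")):
            hits[m["proto"]] = rate
    return hits

if __name__ == "__main__":
    zone, fields = parse_flow_stats(SAMPLE)
    print(zone, flood_suspects(fields, THRESHOLDS))
```

Protocols without an entry in the threshold table (RAWIP here) are never flagged, so the table should list every protocol you want monitored.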

Configuring TCP proxy

Network requirements

Configure a bidirectional TCP proxy on LB to protect Server A, Server B, and Server C from SYN flood attacks. Add the IP address of Server A as a static protected IP and protect other servers dynamically.

Figure 145 Network diagram

Configuration procedure

# Assign IP addresses to the interfaces. (Details not shown.)

# Add interface GigabitEthernet 0/1 to security zone Trust.

<LB> system-view
[LB] zone name Trust
[LB-zone-Trust] import interface gigabitethernet 0/1
[LB-zone-Trust] quit

[Figure 145 labels: Internet, LB (GE0/1, GE0/2), Server A (192.168.1.10/24), Server B, Server C; security zones Trust and Untrust; addresses 202.1.0.1/16 and 192.168.1.1/16]
