Verifying the configuration – H3C Technologies H3C SecBlade LB Cards User Manual
# Add interface GigabitEthernet 0/2 to security zone Untrust.
[LB] zone name Untrust
[LB-zone-Untrust] import interface gigabitethernet 0/2
[LB-zone-Untrust] quit
# Configure the operating mode of TCP Proxy as bidirectional.
[LB] undo tcp-proxy mode
# Configure TCP proxy for IP address 192.168.1.10 and port number 21.
[LB] tcp-proxy protected-ip 192.168.1.10 21
# Enable TCP proxy for security zone Untrust.
[LB] zone name Untrust
[LB-zone-Untrust] tcp-proxy enable
[LB-zone-Untrust] quit
# Create attack protection policy 1.
[LB] attack-defense policy 1
# Enable SYN flood attack protection.
[LB-attack-defense-policy-1] defense syn-flood enable
# Set the global action threshold for SYN flood attack protection to 100 packets per second.
[LB-attack-defense-policy-1] defense syn-flood rate-threshold high 100
# Configure LB to use the TCP proxy for subsequent packets after a SYN flood attack is detected.
[LB-attack-defense-policy-1] defense syn-flood action trigger-tcp-proxy
[LB-attack-defense-policy-1] quit
# Apply policy 1 to security zone Trust.
[LB] zone name Trust
[LB-zone-Trust] attack-defense apply policy 1
[LB-zone-Trust] quit
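The policy steps above (static TCP proxy entry for Server A, SYN flood detection with a rate threshold, and the trigger-tcp-proxy action) can be modelled to see what the device is expected to do. The following Python script is an added example, not part of the manual and not H3C's implementation; it assumes that the action fires when the SYN count toward one destination in a one-second window exceeds the configured 100 pps threshold, and that a triggered dynamic entry covers any port with the 30-minute lifetime seen in the page's display output.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values from the page's configuration: 100 pps threshold, and the 30-minute
# lifetime shown for the dynamic entry. The strict ">" comparison and the fixed
# lifetime are assumptions of this model, not documented device behaviour.
SYN_RATE_THRESHOLD_PPS = 100
DYNAMIC_LIFETIME_MIN = 30


@dataclass
class ProtectedEntry:
    ip: str
    port: Optional[int]          # None stands for "any"
    entry_type: str              # "Static" (configured) or "Dynamic" (triggered)
    lifetime_min: Optional[int]  # None for static entries, displayed as "-"
    rejected_packets: int = 0


class SynFloodPolicy:
    """Model of 'defense syn-flood ... action trigger-tcp-proxy' for one zone."""

    def __init__(self, threshold_pps: int = SYN_RATE_THRESHOLD_PPS,
                 lifetime_min: int = DYNAMIC_LIFETIME_MIN) -> None:
        self.threshold_pps = threshold_pps
        self.lifetime_min = lifetime_min
        self.entries: Dict[Tuple[str, Optional[int]], ProtectedEntry] = {}

    def add_static(self, ip: str, port: int) -> None:
        """Equivalent of 'tcp-proxy protected-ip <ip> <port>'."""
        self.entries[(ip, port)] = ProtectedEntry(ip, port, "Static", None)

    def observe_syns(self, syn_events: List[Tuple[int, str]]) -> List[str]:
        """syn_events: (second, destination_ip) for each SYN seen in the zone.
        Returns the destinations for which a dynamic proxy entry was created."""
        per_second: Counter = Counter((ts, dst) for ts, dst in syn_events)
        triggered: List[str] = []
        for (ts, dst), count in sorted(per_second.items()):
            # Threshold exceeded and no dynamic entry yet: hand this server to the proxy.
            if count > self.threshold_pps and (dst, None) not in self.entries:
                self.entries[(dst, None)] = ProtectedEntry(dst, None, "Dynamic", self.lifetime_min)
                triggered.append(dst)
        return triggered

    def is_proxied(self, ip: str, port: int) -> bool:
        """A connection is handled by the TCP proxy if a static entry matches
        ip:port, or a dynamic 'any' entry matches the ip."""
        return (ip, port) in self.entries or (ip, None) in self.entries


def build_sample_policy() -> Tuple[SynFloodPolicy, List[str]]:
    """Constructed scenario: Server A (192.168.1.10:21) is statically protected;
    192.168.1.11 receives 150 SYNs in one second, 192.168.1.12 only 40."""
    policy = SynFloodPolicy()
    policy.add_static("192.168.1.10", 21)
    events = ([(1, "192.168.1.11")] * 150
              + [(1, "192.168.1.12")] * 40
              + [(2, "192.168.1.11")] * 10)
    triggered = policy.observe_syns(events)
    return policy, triggered


if __name__ == "__main__":
    sample_policy, sample_triggered = build_sample_policy()
    print("dynamic entries created for:", sample_triggered)
    for entry in sample_policy.entries.values():
        print(entry)
```

Running the script shows only 192.168.1.11 crossing the threshold and receiving a dynamic "any" entry, while 192.168.1.10 stays proxied on port 21 alone through its static entry.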
Verifying the configuration
When a SYN flood attack targeting an internal server occurs, use the display tcp-proxy protected-ip
command to display information about the IP addresses protected by the TCP proxy function.
[LB] display tcp-proxy protected-ip
Protected IP     Port number  Type     Lifetime(min)  Rejected packets
192.168.1.10     21           Static   -              20
192.168.1.11     any          Dynamic  30             8
The output shows that Server A's IP address (192.168.1.10) is a static entry, and that a dynamic entry has been added for the attacked server (192.168.1.11).
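When this check is automated (for example, polling the device from a monitoring host), the display output has to be parsed so that dynamic entries can raise an alert. The following Python parser is an added example, not part of the manual and not an H3C tool; the sample text it parses is copied from the output above, and the column layout is assumed to be whitespace-separated as shown.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample output, copied from the manual's display output above and embedded
# here so the parser runs offline.
SAMPLE_OUTPUT = """\
[LB] display tcp-proxy protected-ip
Protected IP     Port number  Type     Lifetime(min)  Rejected packets
192.168.1.10     21           Static   -              20
192.168.1.11     any          Dynamic  30             8
"""


@dataclass
class ProtectedIp:
    ip: str
    port: Optional[int]          # None when the column reads "any"
    entry_type: str              # "Static" or "Dynamic"
    lifetime_min: Optional[int]  # None when the column reads "-"
    rejected_packets: int


# One data row: IPv4, port or "any", type, lifetime or "-", rejected count.
ROW_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(Static|Dynamic)\s+(\S+)\s+(\d+)$"
)


def parse_protected_ip(output: str) -> List[ProtectedIp]:
    """Parse 'display tcp-proxy protected-ip' output into structured entries.
    Prompt, header and blank lines do not match ROW_RE and are skipped."""
    entries: List[ProtectedIp] = []
    for line in output.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        ip, port, entry_type, lifetime, rejected = match.groups()
        entries.append(ProtectedIp(
            ip=ip,
            port=None if port.lower() == "any" else int(port),
            entry_type=entry_type,
            lifetime_min=None if lifetime == "-" else int(lifetime),
            rejected_packets=int(rejected),
        ))
    return entries


def attacked_servers(output: str) -> List[str]:
    """Dynamic entries are the ones the device added on its own after a SYN
    flood trigger, so their presence is the signal worth alerting on."""
    return [e.ip for e in parse_protected_ip(output) if e.entry_type == "Dynamic"]


def total_rejected(output: str) -> int:
    """Sum of packets the proxy rejected across all protected addresses."""
    return sum(e.rejected_packets for e in parse_protected_ip(output))


if __name__ == "__main__":
    for entry in parse_protected_ip(SAMPLE_OUTPUT):
        print(entry)
    print("servers under dynamic protection:", attacked_servers(SAMPLE_OUTPUT))
    print("rejected packets total:", total_rejected(SAMPLE_OUTPUT))
```

A dynamic entry appearing for an address that was never expected to be under attack is the condition a monitoring job would alert on, and the rejected-packet counter indicates how much traffic the proxy is currently absorbing for each server.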