Applying an attack protection policy to an interface
To make a configured attack protection policy take effect, apply the policy to a specific interface.
To apply an attack protection policy to an interface:
| To do... | Command... | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | — |
| 2. Enter interface view. | interface interface-type interface-number | — |
| 3. Apply an attack protection policy to the interface. | attack-defense apply policy policy-number | Required. By default, no attack protection policy is applied to any interface. The attack protection policy to be applied to an interface must already exist. |

Configuring TCP proxy
Usually, TCP proxy is used on a device's interfaces connected to external networks to protect internal
servers from SYN flood attacks. When detecting a SYN flood attack, the device can take protection
actions as configured by using defense syn-flood action. If the trigger-tcp-proxy keyword is specified for
defense syn-flood action, the device adds a protected IP address entry for the server and starts TCP
proxy in the specified mode to inspect and process subsequent TCP connection requests destined to the
server.
To configure the TCP proxy function:

| To do... | Command... | Remarks |
| --- | --- | --- |
| 1. Enter system view. | system-view | — |
| 2. Set the TCP proxy working mode. | Unidirectional mode: tcp-proxy mode unidirection; bidirectional mode: undo tcp-proxy mode | Optional. By default, TCP proxy works in bidirectional mode when enabled. |
| 3. Enter interface view. | interface interface-type interface-number | — |
| 4. Enable the TCP proxy function on the interface. | tcp-proxy enable | Required. By default, TCP proxy is disabled on an interface. |

Configuring the blacklist function
Configure a device to filter packets from certain IP addresses by configuring the blacklist function.
The blacklist configuration includes enabling the blacklist function and adding blacklist entries. When
adding a blacklist entry, also configure the entry aging time. If you do not configure the aging time, the
entry never ages out and thus always exists until you delete it manually.
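
An added example, not from the original guide: a Python check for the attack protection policy and TCP proxy procedures above. It reads a configuration text and reports, per interface, the stated defaults and precondition (no policy applied, an applied policy that does not exist, TCP proxy not enabled), plus the TCP proxy working mode. The sample configuration is constructed; its section layout and the `attack-defense policy N` definition line are assumptions.

```python
import re

# Constructed sample. Assumed layout: '#' separates sections, sub-commands are
# indented by one space, and a policy is defined by "attack-defense policy N".
SAMPLE_CONFIG = """\
#
 tcp-proxy mode unidirection
#
attack-defense policy 1
#
interface GigabitEthernet0/1
 attack-defense apply policy 1
 tcp-proxy enable
#
interface GigabitEthernet0/2
 attack-defense apply policy 2
#
interface GigabitEthernet0/3
#
"""

def audit(config):
    """Return (tcp_proxy_mode, {interface: [findings]}) for a configuration text."""
    defined, interfaces, current = set(), {}, None
    mode = "bidirectional"  # default mode when no mode command is present
    for raw in config.splitlines():
        line = raw.strip()
        current = current if raw.startswith(" ") else None  # unindented line: new section
        if m := re.fullmatch(r"attack-defense policy (\d+)", line):
            defined.add(m.group(1))
        elif m := re.fullmatch(r"interface (.+)", line):
            current = interfaces.setdefault(m.group(1), {"policy": None, "proxy": False})
        elif line == "tcp-proxy mode unidirection":
            mode = "unidirectional"
        elif current is not None:
            if m := re.fullmatch(r"attack-defense apply policy (\d+)", line):
                current["policy"] = m.group(1)
            elif line == "tcp-proxy enable":
                current["proxy"] = True
    report = {}
    for name, st in interfaces.items():
        findings = report.setdefault(name, [])
        if st["policy"] is None:  # default: no policy applied to any interface
            findings.append("no attack protection policy applied")
        elif st["policy"] not in defined:  # applied policy must already exist
            findings.append(f"policy {st['policy']} is applied but not defined")
        if not st["proxy"]:  # default: TCP proxy disabled on an interface
            findings.append("TCP proxy not enabled")
    return mode, report
```

An empty findings list means the interface has an existing policy applied and TCP proxy enabled; whether an interface needs either depends on whether it faces an external network.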