Step
3.
Enter interface view.
4.
Enable DNS client
verification on the interface.
Configuring HTTP client verification
Configure HTTP client verification on the interface that connects to the external network. The HTTP
client verification protects internal HTTP servers against HTTP flood attacks.
IP addresses protected by HTTP client verification can be manually added or automatically learned:
•
You can manually add protected IP addresses. The device performs client verification when it
receives the first HTTP Get packet destined for a protected IP address.
•
The HTTP client verification can automatically add victims' IP addresses to the protected IP list
when collaborating with HTTP flood attack detection. Make sure client-verify is specified as
the HTTP flood attack prevention action. For more information, see
attack defense
If an HTTP client is verified legitimate, the device adds the client's IP address to the trusted IP list.
The device directly forwards HTTP packets from trusted IP addresses.
To configure HTTP client verification:
Step
1.
Enter system view.
2.
(Optional.) Specify an IP
address to be protected by
the HTTP client verification
feature.
3.
Enter interface view.
4.
Enable HTTP client
verification on the interface.
Configuring the blacklist feature
The following matrix shows the feature and hardware compatibility:
Command
interface interface-type
interface-number
client-verify dns enable
policy."
Command
system-view
client-verify http protected { ip
destination-ip-address | ipv6
destination-ipv6-address }
[ vpn-instance
vpn-instance-name ] [ port
port-number ]
interface interface-type
interface-number
client-verify http enable
500
Remarks
N/A
By default, DNS client
verification is disabled on the
interface.
DNS client verification can be
used alone or together with a
DNS flood attack defense
policy.
"Configuring an HTTP flood
Remarks
N/A
By default, the HTTP client
verification feature does not
protect any IP address.
N/A
By default, HTTP client
verification is disabled on the
interface.
HTTP client verification can be
used alone or together with an
HTTP flood attack defense policy.