Table of Contents
Advertisement
•
Source and destination IP addresses.
•
VPN instance to which the victim IP address belongs.
As a best practice, do not disable log aggregation. A large number of logs will consume the display
resources of the console.
Examples
# Enable log non-aggregation for single-packet attack events.
<Sysname> system-view
[Sysname] attack-defense signature log non-aggregate
Related commands
signature detect
attack-defense tcp fragment enable
Use attack-defense tcp fragment enable to enable TCP fragment attack prevention.
Use undo attack-defense tcp fragment enable to disable TCP fragment attack prevention.
Syntax
attack-defense tcp fragment enable
undo attack-defense tcp fragment enable
Default
TCP fragment attack prevention is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command enables the device to drop attack TCP fragments to prevent TCP fragment attacks
that the packet filter cannot detect. As defined in RFC 1858, attack TCP fragments refer to the
following TCP fragments:
•
First fragments in which the TCP header is smaller than 20 bytes.
•
Non-first fragments with a fragment offset of 8 bytes (FO=1).
TCP fragment attack prevention takes precedence over single-packet attack prevention. When both
are used, incoming TCP packets are processed first by TCP fragment attack prevention and then by
the single-packet attack defense policy.
Examples
# Enable TCP fragment attack prevention.
<Sysname> System-view
[Sysname] attack-defense tcp fragment enable
blacklist global enable
Use blacklist global enable to enable the global blacklist feature.
Use undo blacklist global enable to disable the global blacklist feature.
528
Advertisement
Table of Contents
