Attack detection and protection configuration examples
Configuring attack protection functions on interfaces
Network requirements
As shown in Figure 136, GigabitEthernet 1/0/1 is connected with the internal network, GigabitEthernet
1/0/2 is connected to the external network, and GigabitEthernet 1/0/3 is connected with an internal
server.
Protect internal hosts against Smurf attacks and scanning attacks from the external network. Protect the
internal server against SYN flood attacks from the external network. To meet the requirements, perform
the following configurations:
• On GigabitEthernet 1/0/2, configure Smurf attack protection and scanning attack protection,
  enable the blacklist function for scanning attack protection, and set the connection rate threshold
  that triggers the scanning attack protection to 4500 connections per second.
• On GigabitEthernet 1/0/3, configure SYN flood attack protection, so that the device drops
  subsequent SYN packets when the SYN packet sending rate to a server constantly reaches or
  exceeds 5000 packets per second, and permits SYN packets to be sent to the server again when
  this rate drops below 1000 packets per second.
Figure 136 Network diagram for attack protection configuration on interfaces
Configuration procedure
# Configure IP addresses for interfaces. (Omitted)
# Enable the blacklist function.
<Router> system-view
[Router] blacklist enable
# Create attack protection policy 1.
[Router] attack-defense policy 1
# Enable Smurf attack protection.
[Router-attack-defense-policy-1] signature-detect smurf enable
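The two SYN flood thresholds required on GigabitEthernet 1/0/3 (drop at 5000 packets per second, permit again below 1000) form a high/low hysteresis pair. The Python model below is an added example, not taken from this guide or from the device's implementation; it replays constructed per-second SYN counts through that logic. The class and function names and the SUSTAIN_SECS value (the guide does not quantify "constantly") are assumptions.

```python
from dataclasses import dataclass

TRIGGER_PPS = 5000   # from the guide: start dropping at or above this rate
SILENCE_PPS = 1000   # from the guide: permit again once the rate is below this
SUSTAIN_SECS = 2     # assumption: how long "constantly" means; not stated in the guide


@dataclass
class ServerState:
    protecting: bool = False   # True while SYNs to this server are dropped
    hot_secs: int = 0          # consecutive seconds at or above the trigger


class SynFloodGuard:
    """Per-server high/low threshold (hysteresis) on the offered SYN rate."""

    def __init__(self, trigger=TRIGGER_PPS, silence=SILENCE_PPS, sustain=SUSTAIN_SECS):
        if silence >= trigger:
            raise ValueError("silence threshold must be below the trigger threshold")
        self.trigger, self.silence, self.sustain = trigger, silence, sustain
        self.servers = {}

    def observe(self, dst_ip, syn_pps):
        """Feed one second of SYN arrivals for dst_ip; return 'permit' or 'drop'."""
        st = self.servers.setdefault(dst_ip, ServerState())
        if st.protecting:
            # Only a rate below the low mark ends protection, so a flood that
            # hovers between the two thresholds stays blocked.
            if syn_pps < self.silence:
                st.protecting, st.hot_secs = False, 0
        else:
            st.hot_secs = st.hot_secs + 1 if syn_pps >= self.trigger else 0
            if st.hot_secs >= self.sustain:
                st.protecting = True
        return "drop" if st.protecting else "permit"


def replay(samples):
    """Run (dst_ip, syn_pps) samples through a fresh guard; return the decisions."""
    guard = SynFloodGuard()
    return [guard.observe(ip, pps) for ip, pps in samples]


# Constructed sample: SYN packets per second toward one server (documentation address).
SAMPLE = [("192.0.2.10", pps) for pps in
          (300, 5200, 800, 5000, 6100, 3000, 1000, 999, 4000)]
if __name__ == "__main__":
    for (ip, pps), action in zip(SAMPLE, replay(SAMPLE)):
        print(f"{ip} {pps:>5} pps -> {action}")
```

In the sample, the 3000 and 1000 pps seconds are still dropped because the rate has not yet fallen below the silence threshold, and the later 4000 pps second is permitted because it never reaches the trigger.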