Attack detection and prevention configuration task list
Tasks at a glance
(Required.) Configuring an attack defense policy:
• (Required.) Creating an attack defense policy
• (Required.) Perform at least one of the following tasks to configure attack detection:
  ◦ Configuring a single-packet attack defense policy
  ◦ Configuring a scanning attack defense policy
  ◦ Configuring a flood attack defense policy
• (Optional.) Configuring attack detection exemption
(Required.) Perform at least one of the tasks to apply an attack defense policy:
• Applying an attack defense policy to an interface
• Applying an attack defense policy to the device
(Optional.) Disabling log aggregation for single-packet attack events
(Optional.) Configuring TCP fragment attack prevention
(Optional.) Configuring client verification:
• Configuring TCP client verification
• Configuring DNS client verification
• Configuring HTTP client verification
(Optional.) Configuring the blacklist feature
Configuring an attack defense policy
Creating an attack defense policy
An attack defense policy can contain a set of attack detection and prevention configurations
against multiple attacks.
To create an attack defense policy:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Create an attack defense policy and enter its view. | attack-defense policy policy-name | By default, no attack defense policy exists. |

Configuring a single-packet attack defense policy
Configure the single-packet attack defense policy on the interface that connects to the external
network.
Single-packet attack detection inspects incoming packets based on the packet signature. If an attack
packet is detected, the device can take the following actions:
• Output logs (the default action).
• Drop attack packets.