Configuring Dns Client Verification - HP MSR Series Configuration Manual

HPE FlexNetwork MSR Router Series

IP addresses protected by TCP client verification can be manually added or automatically learned:
• You can manually add protected IP addresses. The device performs client verification when it receives the first SYN packet destined for a protected IP address.
• TCP client verification can automatically add victims' IP addresses to the protected IP list when collaborating with flood attack detection. Make sure client-verify is specified as the flood attack prevention action. For more information, see "Configuring a flood attack defense policy."

If a TCP client is verified as legitimate, the device adds the client's IP address to the trusted IP list. The device directly forwards TCP packets from trusted IP addresses.

To configure TCP client verification:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. (Optional.) Specify an IP address to be protected by the TCP client verification feature.
  Command: client-verify tcp protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ]
  Remarks: By default, the TCP client verification feature does not protect any IP address.

Step 3. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A

Step 4. Enable TCP client verification on the interface.
  Command:
    To set the safe reset mode: client-verify tcp enable mode safe-reset
    To set the SYN cookie mode: client-verify tcp enable [ mode syn-cookie ]
  Remarks: By default, TCP client verification is disabled on the interface. TCP client verification can be used alone or together with a TCP flood attack defense policy.

Configuring DNS client verification

Configure DNS client verification on the interface that connects to the external network. DNS client verification protects internal DNS servers against DNS flood attacks.

IP addresses protected by DNS client verification can be manually added or automatically learned:
• You can manually add protected IP addresses. The device performs client verification when it receives the first DNS query destined for a protected IP address.
• DNS client verification can automatically add victims' IP addresses to the protected IP list when collaborating with DNS flood attack detection. Make sure client-verify is specified as the DNS flood attack prevention action. For more information, see "Configuring a DNS flood attack defense policy."

If a DNS client is verified as legitimate, the device adds the client's IP address to the trusted IP list. The device directly forwards DNS packets from trusted IP addresses.

To configure DNS client verification:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. (Optional.) Specify an IP address to be protected by the DNS client verification feature.
  Command: client-verify dns protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ]
  Remarks: By default, the DNS client verification feature does not protect any IP address.
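
A configuration check for the TCP client verification procedure earlier on this page, added here as an example (it is not HPE's code): it parses a saved configuration and reports external interfaces where verification is still at its disabled default. The sample configuration, its addresses and interface names are constructed. Two assumptions: the saved configuration indents interface settings under the interface line and separates sections with "#", and a bare "client-verify tcp enable" means SYN cookie mode because the syntax makes that keyword optional.

```python
import re

# Constructed sample. Assumed layout of a saved configuration: interface settings
# are indented under "interface ...", and "#" separates sections.
SAMPLE_CONFIG = """\
#
 client-verify tcp protected ip 192.0.2.10 port 443
 client-verify tcp protected ipv6 2001:db8::10
#
interface GigabitEthernet1/0/1
 description uplink
 client-verify tcp enable mode safe-reset
#
interface GigabitEthernet1/0/2
#
"""

PROTECTED = re.compile(
    r"^\s*client-verify tcp protected (ip|ipv6) (\S+)"
    r"(?: vpn-instance (\S+))?(?: port (\d+))?\s*$")
ENABLE = re.compile(r"^\s*client-verify tcp enable(?: mode (safe-reset|syn-cookie))?\s*$")
IFACE = re.compile(r"^interface (\S+)\s*$")

def audit_tcp_client_verify(config, external_ifaces):
    """Return protected entries, per-interface mode, and findings for the uplinks."""
    protected, enabled, current = [], {}, None
    for line in config.splitlines():
        if m := IFACE.match(line):
            current = m.group(1)
        elif line.strip() == "#":
            current = None  # section separator ends the interface view
        elif m := PROTECTED.match(line):
            family, addr, vpn, port = m.groups()
            protected.append((family, addr, vpn, int(port) if port else None))
        elif (m := ENABLE.match(line)) and current:
            # "mode syn-cookie" is optional in the syntax, so a bare enable is read as SYN cookie.
            enabled[current] = m.group(1) or "syn-cookie"
    findings = [f"{i}: TCP client verification not enabled (default is disabled)"
                for i in external_ifaces if i not in enabled]
    if protected and not enabled:
        findings.append("protected IPs are configured but no interface performs verification")
    return {"protected": protected, "enabled": enabled, "findings": findings}

if __name__ == "__main__":
    uplinks = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]  # hypothetical external interfaces
    for finding in audit_tcp_client_verify(SAMPLE_CONFIG, uplinks)["findings"]:
        print("FINDING:", finding)
```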
