HP MSR Series Command Reference Manual page 656

Use undo scan detect to restore the default.
Syntax
scan detect level { high | low | medium } action { { block-source [ timeout minutes ] | drop } | logging } *
undo scan detect level { high | low | medium }
Default
Scanning attack detection is disabled.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
level: Specifies the level of the scanning attack detection.
low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm
rate but many scanning attacks cannot be detected.
high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false
alarm rate. Some packets from active hosts might be considered as attack packets.
medium: Specifies the medium level. Compared with the high and low levels, this level has a medium
false alarm rate and attack detection rate.
action: Specifies the actions against scanning attacks.
block-source: Adds the attackers' IP addresses to the blacklist. If the blacklist function is enabled on the
receiving interface, the device drops subsequent packets from the blacklisted IP addresses.
timeout minutes: Sets the aging timer in minutes for the dynamically added blacklist entries, in the range
of 1 to 1000. The default aging timer is 10 minutes.
drop: Drops subsequent packets from detected scanning attack sources.
logging: Enables logging for scanning attack events. The log information records the interface name,
victim IP address, MPLS L3VPN instance name, current packet statistics, prevention action, and start time
of the attack.
Usage guidelines
For scanning attack detection to work together with the blacklist function, make sure both of the
following conditions are met:
The block-source keyword is specified in the command.
The blacklist function is enabled on the interface to which the attack defense policy is applied. To
enable the blacklist function, use the blacklist enable command.
Examples
# Configure low level scanning attack detection in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop
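The usage guideline above means a block-source action has no blocking effect on an interface where the blacklist function is off. The following audit script is an added example, not part of the HP manual: it parses a saved configuration and reports every interface that applies a block-source policy without blacklist enable. The sample configuration is constructed, and the interface names and the attack-defense apply policy lines are assumptions that do not appear on this page.

```python
import re

# Constructed sample in the style of a saved configuration. Interface names and
# the "attack-defense apply policy" lines are assumptions, not from the page.
SAMPLE_CONFIG = """\
attack-defense policy atk-policy-1
 scan detect level low action block-source timeout 30 logging
#
attack-defense policy atk-policy-2
 scan detect level medium action drop logging
#
interface GigabitEthernet1/0/1
 attack-defense apply policy atk-policy-1
 blacklist enable
#
interface GigabitEthernet1/0/2
 attack-defense apply policy atk-policy-1
#
interface GigabitEthernet1/0/3
 attack-defense apply policy atk-policy-2
#
"""

def audit_scan_detect(config):
    """Return (interface, policy, rule) where block-source lacks blacklist enable."""
    policies, interfaces, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"(attack-defense policy|interface) (\S+)$", line)
            section = m.groups() if m else None
            if m and m.group(1) == "interface":
                interfaces[m.group(2)] = {"policy": None, "blacklist": False}
            elif m:
                policies[m.group(2)] = []
        elif section and section[0] == "interface":
            if line == "blacklist enable":
                interfaces[section[1]]["blacklist"] = True
            elif line.startswith("attack-defense apply policy "):
                interfaces[section[1]]["policy"] = line.split()[-1]
        elif section and line.startswith("scan detect level "):
            policies[section[1]].append(line)
    return [(ifname, st["policy"], rule)
            for ifname, st in interfaces.items()
            for rule in policies.get(st["policy"], [])
            if "block-source" in rule.split() and not st["blacklist"]]

if __name__ == "__main__":
    for finding in audit_scan_detect(SAMPLE_CONFIG):
        print(finding)
```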