Setting Parameters For Scanning Attack Defense; Checking The Configuration - Huawei S9700 Series Configuration Manual

Terabit routing switches spu

S9700 Core Routing Switch
Configuration Guide - SPU
firewall defend large-icmp max-length length
The parameter for large ICMP packet attack defense is set.
For large ICMP packet attack defense, only one parameter needs to be set, namely, the maximum
packet length. When the length of an ICMP packet exceeds the limit, the SPU considers that an
attack occurs and discards the packet.
By default, the maximum length of an ICMP packet is 4000 bytes.
----End

2.11.5 Setting Parameters for Scanning Attack Defense

Context
Step 2 and step 3 are optional and can be performed in any sequence. You can select these steps
to defend against different types of scanning attacks.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
firewall defend ip-sweep { blacklist-expire-time interval | max-rate rate-value }
The parameters for IP address sweep attack defense are set.
Step 3 Run:
firewall defend port-scan { blacklist-expire-time interval | max-rate rate-value }
The parameters for port scanning attack defense are set.
For scanning attack defense, the following two parameters need to be set:
- Maximum session rate: When the session rate of an IP address or a port exceeds the limit,
  the SPU considers that a scanning attack occurs, and then adds the IP address to the blacklist
  and denies new sessions from the IP address or port.
- Blacklist timeout: When the duration of an IP address in the blacklist exceeds the limit, the
  SPU deletes the IP address from the blacklist and allows new sessions from the IP address
  or port.
By default, the maximum session rate for IP address sweeping and port scanning attack defense
is 4000 pps, and the blacklist timeout is 20 minutes.
----End

2.11.6 Checking the Configuration

After the attack defense is configured, you can view information about attack defense.
Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
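
A small Python model of the behaviour described in 2.11.5 (maximum session rate plus blacklist timeout), added here as an illustration; it is not Huawei's implementation. The one-second counting window, the class and function names, and the sample addresses are assumptions made for this example.

```python
from collections import defaultdict, deque


class ScanDefenseModel:
    """Toy model of the rate limit plus blacklist behaviour in 2.11.5."""

    def __init__(self, max_rate=4000, blacklist_expire_s=20 * 60, window_s=1.0):
        self.max_rate = max_rate                      # page default: 4000 pps
        self.blacklist_expire_s = blacklist_expire_s  # page default: 20 minutes
        self.window_s = window_s              # assumption: rate counted per second
        self.recent = defaultdict(deque)      # source IP -> recent session times
        self.blacklist = {}                   # source IP -> time it was listed

    def new_session(self, src_ip, now):
        """Return True if a new session from src_ip at time `now` is allowed."""
        listed_at = self.blacklist.get(src_ip)
        if listed_at is not None:
            if now - listed_at <= self.blacklist_expire_s:
                return False                  # still blacklisted: deny
            del self.blacklist[src_ip]        # timeout exceeded: delete the entry
        stamps = self.recent[src_ip]
        while stamps and now - stamps[0] >= self.window_s:
            stamps.popleft()                  # forget sessions outside the window
        stamps.append(now)
        if len(stamps) > self.max_rate:       # session rate exceeds the limit
            self.blacklist[src_ip] = now
            stamps.clear()
            return False
        return True


def replay(events, **params):
    """Replay (time, src_ip) events and return the allow/deny decision for each."""
    model = ScanDefenseModel(**params)
    return [model.new_session(ip, t) for t, ip in events]


# Constructed sample: 192.0.2.10 opens 6 sessions within 0.5 s and retries later;
# 198.51.100.7 opens one session per second. Small limits keep the trace short.
SAMPLE = [(i * 0.1, "192.0.2.10") for i in range(6)]
SAMPLE += [(1.0, "198.51.100.7"), (2.0, "198.51.100.7")]
SAMPLE += [(30.0, "192.0.2.10"), (61.0, "192.0.2.10")]
SAMPLE.sort()

if __name__ == "__main__":
    for (t, ip), ok in zip(SAMPLE, replay(SAMPLE, max_rate=5, blacklist_expire_s=60)):
        print(f"{t:6.1f}s {ip:<13} {'allow' if ok else 'deny'}")
```

With the lowered limits the sixth session from 192.0.2.10 trips the rate check, the retry at 30 s is still denied, and the retry at 61 s is allowed again because the blacklist entry has outlived its timeout.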