Table of Contents
Advertisement
The global threshold applies to global DNS flood attack detection. Adjust the threshold according to
the application scenarios. If the number of DNS packets sent to a protected DNS server is normally
large, set a large threshold. A small threshold might affect the server services. For a network that is
unstable or susceptible to attacks, set a small threshold.
Examples
# Set the global threshold to 100 for triggering DNS flood attack prevention in attack defense policy
atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood threshold 100
Related commands
dns-flood action
dns-flood detect
dns-flood detect non-specific
exempt acl
Use exempt acl to configure attack detection exemption.
Use undo exempt acl to restore the default.
Syntax
exempt acl [ ipv6 ] { acl-number | name acl-name }
undo exempt acl [ ipv6 ]
Default
Attack detection exemption is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not use this keyword.
acl-number: Specifies an ACL by its number:
•
2000 to 2999 for basic ACLs.
•
3000 to 3999 for advanced ACLs.
name acl-name: Specifies an ACL by its name. The acl-name argument is a case-insensitive string
of 1 to 63 characters. It must start with an English letter and to avoid confusion, it cannot be all.
Usage guidelines
The attack defense policy uses an ACL to identify exempted packets. The policy does not check the
packets permitted by the ACL. You can configure the ACL to identify packets from trusted hosts. The
exemption feature reduces the false alarm rate and improves packet processing efficiency.
If an ACL is used for attack detection exemption, only the following match criteria in the ACL permit
rules take effect:
•
Source IP address.
561
Advertisement
Table of Contents
