HP FlexNetwork 10500 Series Security Configuration Manual page 487

To configure a single-packet attack defense policy:
Step
1. Enter system view.
2. Enter attack defense
policy view.
3. Configure signature
detection for
single-packet attacks.
4. (Optional.) Set the
maximum length of safe
ICMP or ICMPv6
packets.
Command
system-view
attack-defense policy policy-name
•
signature detect { fraggle |
fragment | impossible | land |
large-icmp | large-icmpv6 | smurf |
snork | tcp-all-flags | tcp-fin-only |
tcp-invalid-flags | tcp-null-flag |
tcp-syn-fin | tiny-fragment |
traceroute | udp-bomb | winnuke }
[ action { { drop | logging } * |
none } ]
•
signature detect
{ ip-option-abnormal |
ping-of-death | teardrop } action
{ drop | logging } *
•
signature detect icmp-type
{ icmp-type-value |
address-mask-reply |
address-mask-request |
destination-unreachable |
echo-reply | echo-request |
information-reply |
information-request |
parameter-problem | redirect |
source-quench | time-exceeded |
timestamp-reply |
timestamp-request } [ action
{ { drop | logging } * | none } ]
•
signature detect icmpv6-type
{ icmpv6-type-value |
destination-unreachable |
echo-reply | echo-request |
group-query | group-reduction |
group-report | packet-too-big |
parameter-problem |
time-exceeded } [ action { { drop |
logging } * | none } ]
•
signature detect ip-option
{ option-code | internet-timestamp |
loose-source-routing |
record-route | route-alert |
security | stream-id |
strict-source-routing } [ action
{ { drop | logging } * | none } ]
signature { large-icmp |
large-icmpv6 } max-length length
473
Remarks
N/A
N/A
By default, signature detection
is not configured for
single-packet attacks.
You can configure signature
detection for multiple
single-packet attacks.
By default, the maximum
length of safe ICMP or ICMPv6
packets is 4000 bytes.
A large ICMP or ICMPv6
attack occurs if an ICMP or
ICMPv6 packet larger than the
specified length is detected.