Fin-Flood Action - H3C MSR Series Command Reference Manual

Comware 7 security

L3VPN instance.
fragment keyword for matching non-first fragments.
If the specified ACL does not exist or does not contain a rule, attack detection exemption does not
take effect.
Examples
# Configure an ACL to permit packets sourced from 1.1.1.1. Configure attack detection exemption
for packets matching the ACL in the attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 1.1.1.1 0
[Sysname-acl-ipv4-basic-2001] quit
[Sysname] attack-defense policy atk-policy-1
[attack-defense-policy-atk-policy-1] exempt acl 2001
Related commands
attack-defense policy

fin-flood action

Use fin-flood action to specify global actions against FIN flood attacks.
Use undo fin-flood action to restore the default.
Syntax
fin-flood action { client-verify | drop | logging } *
undo fin-flood action
Default
No global action is specified for FIN flood attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP
client verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent FIN packets destined for the victim IP addresses.
logging: Enables logging for FIN flood attack events.
Usage guidelines
For FIN flood attack detection to work together with TCP client verification, make sure the
client-verify keyword is specified and TCP client verification is enabled. To enable TCP client
verification, use the client-verify tcp enable command.
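An added example (not from the H3C manual): a small Python audit for the two silent misconfigurations this page describes, an exempt acl that points at a missing or empty ACL, and a fin-flood action client-verify with no client-verify tcp enable anywhere in the configuration. The saved-configuration layout, the sample configuration and the function names are assumptions constructed for illustration; only numbered IPv4 ACLs are handled.

```python
import re

# Constructed sample, assumed to follow the saved-configuration layout:
# section header at column 0, sub-commands indented, "#" between sections.
SAMPLE_CONFIG = """\
#
acl basic 2001
 rule 0 permit source 1.1.1.1 0
#
acl basic 2002
#
attack-defense policy atk-policy-1
 exempt acl 2002
 fin-flood action client-verify logging
#
"""

def parse_sections(text):
    """Map each section header to the list of its indented sub-commands."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None
        elif raw[0].isspace():
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def audit(text):
    """Return findings for settings that are configured but have no effect."""
    sections = parse_sections(text)
    # Numbered IPv4 ACLs only: ACL number -> count of rule lines.
    rules = {m.group(1): sum(l.startswith("rule ") for l in body)
             for h, body in sections.items() if (m := re.match(r"acl \w+ (\d+)$", h))}
    verify_on = re.search(r"^\s*client-verify tcp enable\s*$", text, re.M) is not None
    findings = []
    for header, body in sections.items():
        if not header.startswith("attack-defense policy "):
            continue
        policy = header.split()[-1]
        for line in body:
            m = re.match(r"exempt acl (\d+)$", line)
            if m and not rules.get(m.group(1)):
                findings.append((policy, f"exempt acl {m.group(1)}: ACL missing or empty"))
            if line.startswith("fin-flood action ") and "client-verify" in line.split() and not verify_on:
                findings.append((policy, "fin-flood action client-verify: client-verify tcp enable not found"))
    return findings
```

Run audit() on the text of a saved configuration; an empty list means neither condition was found.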
Examples
# Specify drop as the global action against FIN flood attacks in the attack defense policy
atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1