Configuring a single-packet attack defense policy
Apply the single-packet attack defense policy to the interface that is connected to the external network.
Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions:

- Output logs (the default action).
- Drop attack packets.

You can also configure the device to not take any actions.
To configure a single-packet attack defense policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter attack defense policy view. | attack-defense policy policy-name | N/A |
3. Configure signature detection for single-packet attacks. | | By default, signature detection is not configured for single-packet attacks. You can configure signature detection for multiple single-packet attacks. |
4. (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets. | signature { large-icmp | large-icmpv6 } max-length length | By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes. A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected. |
5. (Optional.) Specify the actions against single-packet attacks of a specific level. | signature level { high | info | low | medium } action { { drop | logging } * | none } | The default action is logging for single-packet attacks of the informational and low levels. The default actions are logging and drop for single-packet attacks of the medium and high levels. |
6. (Optional.) Enable signature detection for single-packet attacks of a specific level. | signature level { high | info | low | medium } detect | By default, signature detection is disabled for all levels of single-packet attacks. |
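The steps above, worked through as one CLI session. This is an added example, not a session from the product documentation: the policy name `sp-defense`, the interface `GigabitEthernet1/0/1`, the prompt strings and the `attack-defense apply policy` command used to bind the policy to the interface are assumptions, and the step 3 command is left as a placeholder because its syntax is not shown in the table above. The point it illustrates is that setting an action for a level (step 5) does not by itself start inspection; detection for that level must also be enabled (step 6), since it is disabled by default.

```text
# Added example session (constructed); prompts and names are assumed.
<Device> system-view
[Device] attack-defense policy sp-defense

# Step 3: configure signature detection for the single-packet attacks to
# inspect. Command syntax not shown in this extract; placeholder only.
[Device-attack-defense-policy-sp-defense] <step-3 signature detection command>

# Step 4: lower the safe ICMP length from the default 4000 bytes. Any ICMP
# packet longer than 1500 bytes is now classified as a large-ICMP attack.
[Device-attack-defense-policy-sp-defense] signature large-icmp max-length 1500

# Step 5: override the defaults. Low-level attacks are only logged by
# default; here they are both logged and dropped. High-level attacks keep
# their default (logging and drop), so no command is needed for them.
[Device-attack-defense-policy-sp-defense] signature level low action drop logging

# Step 6: turn detection on per level. Without these lines the actions set
# in step 5 never fire, because detection is disabled for every level by
# default. Informational-level detection is intentionally left off here.
[Device-attack-defense-policy-sp-defense] signature level low detect
[Device-attack-defense-policy-sp-defense] signature level medium detect
[Device-attack-defense-policy-sp-defense] signature level high detect
[Device-attack-defense-policy-sp-defense] quit

# Bind the policy to the interface facing the external network.
# The apply command is an assumption; check your platform's command reference.
[Device] interface GigabitEthernet1/0/1
[Device-GigabitEthernet1/0/1] attack-defense apply policy sp-defense
[Device-GigabitEthernet1/0/1] quit
```

After applying the policy, confirm that the device logs single-packet attack events for the enabled levels before relying on the drop action; a level that has an action configured but no `detect` line is the most common reason a policy appears to do nothing.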