[x]

Configuring an attack defense policy > Configuring a single-packet attack defense policy

 

 Next

Configuring a single-packet attack defense policy

Apply the single-packet attack defense policy to the interface that is connected to the external network.

Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions:

You can also configure the device to not take any actions.

To configure a single-packet attack defense policy:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enter attack defense policy view.

attack-defense policy policy-name

N/A

3. Configure signature detection for single-packet attacks.

  • signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

  • signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *

  • signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

  • signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

  • signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

  • signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]

By default, signature detection is not configured for single-packet attacks.

You can configure signature detection for multiple single-packet attacks.

4. (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets.

signature { large-icmp | large-icmpv6 } max-length length

By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.

A large ICMP or ICMPv6 attack occurs if an ICMP or ICMPv6 packet larger than the specified length is detected.

5. (Optional.) Specify the actions against single-packet attacks of a specific level.

signature level { high | info | low | medium } action { { drop | logging } * | none }

The default action is logging for single-packet attacks of the informational and low levels.

The default actions are logging and drop for single-packet attacks of the medium and high levels.

6. (Optional.) Enable signature detection for single-packet attacks of a specific level.

signature level { high | info | low | medium } detect

By default, signature detection is disabled for all levels of single-packet attacks.

prev

 

up

 next

Creating an attack defense policy 

home

 Configuring a scanning attack defense policy

© Copyright 2016 Hewlett Packard Enterprise Development LP