Configuring a scanning attack defense policy
Apply a scanning attack defense policy to the interface that is connected to the external network.
Scanning attack detection inspects the rate at which a source initiates connections to the target system. If a source initiates connections at a rate equal to or exceeding the predefined threshold, the device can take the following actions:

- Output logs.
- Drop subsequent packets from the IP address of the attacker.
- Add the attacker's IP address to the IP blacklist.
To blacklist the attackers, you must enable the blacklist feature globally or on the interface where the defense policy is applied. For more information about the blacklist, see "Configuring the IP blacklist feature."
To configure a scanning attack defense policy:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter attack defense policy view. | attack-defense policy policy-name | N/A |
3. Configure scanning attack detection. | scan detect level { high \| low \| medium } action { { block-source [ timeout minutes ] \| drop } \| logging } * | By default, scanning attack detection is not configured. |
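The following is an added example, not code from the vendor manual: a small Python model of the detection logic the table configures. Connections per source are counted over a sliding window; once a source meets the threshold, the configured actions (logging, drop, or block-source with a timeout) are applied. The per-level thresholds and the one-second window are assumed placeholders, since the manual does not state the vendor's real values.

```python
from collections import deque, defaultdict

# ASSUMED thresholds (connections per window) for each detection level;
# the manual does not give the actual numbers behind high / medium / low.
LEVEL_THRESHOLD = {"high": 5, "medium": 20, "low": 100}


class ScanDetector:
    """Models 'scan detect level <level> action { block-source [timeout] | drop } [logging]'."""

    def __init__(self, level, actions, block_timeout_min=None, window_s=1.0):
        self.threshold = LEVEL_THRESHOLD[level]
        self.actions = set(actions)        # "block-source" or "drop", optionally plus "logging"
        self.timeout_s = (block_timeout_min or 0) * 60
        self.window_s = window_s
        self.history = defaultdict(deque)  # src -> timestamps of recent connections
        self.blacklist = {}                # src -> time at which the entry expires
        self.logs = []

    def handle(self, ts, src):
        """Process one new connection from src at time ts; return 'forward' or 'drop'."""
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if ts < expiry:
                return "drop"              # still blacklisted: drop without counting
            del self.blacklist[src]        # blacklist entry has aged out
        window = self.history[src]
        window.append(ts)
        while window and ts - window[0] > self.window_s:
            window.popleft()               # discard connections older than the window
        if len(window) < self.threshold:
            return "forward"
        # Rate meets or exceeds the threshold: apply the configured actions.
        if "logging" in self.actions:
            self.logs.append(f"scan attack from {src} at t={ts}: {len(window)} conn/{self.window_s}s")
        if "block-source" in self.actions:
            self.blacklist[src] = ts + self.timeout_s
            return "drop"
        if "drop" in self.actions:
            return "drop"                  # drop-only: drops while the rate stays at/above threshold
        return "forward"


def run_sample():
    """Constructed traffic: a scanning source (10.0.0.5) and one normal client (10.0.0.7)."""
    det = ScanDetector("high", ["block-source", "logging"], block_timeout_min=1)
    verdicts = [det.handle(0.1 * i, "10.0.0.5") for i in range(8)]
    verdicts.append(det.handle(0.9, "10.0.0.7"))   # normal client is unaffected
    verdicts.append(det.handle(61.0, "10.0.0.5"))  # 1-minute blacklist timeout has expired
    return verdicts, det.logs
```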