display attack-defense policy

Use display attack-defense policy to display attack defense policy configuration.

Syntax

display attack-defense policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

policy-name: Specifies an attack defense policy by its name. The policy name is a case-insensitive string of 1 to 31 characters. Valid characters include uppercase and lowercase letters, digits, underscores (_), and hyphens (-). If no attack defense policy is specified, this command displays brief information about all attack defense policies.

Usage guidelines

This command output includes the following configuration information about an attack defense policy:

Examples

# Display the configuration of attack defense policy abc.

<Sysname> display attack-defense policy abc
          Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name                        : abc
Applied list                       : Local
--------------------------------------------------------------------------
Exempt IPv4 ACL:                  : Not configured
Exempt IPv6 ACL:                  : vip
--------------------------------------------------------------------------
  Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

Signature attack defense configuration:
Signature name                     Defense      Level             Actions
Fragment                           Enabled      Info              L
Impossible                         Enabled      Info              L
Teardrop                           Disabled     Info              L
Tiny fragment                      Disabled     Info              L
IP option abnormal                 Disabled     Info              L
Smurf                              Disabled     Info              N
Traceroute                         Disabled     Medium            L,D
Ping of death                      Disabled     Low               L
Large ICMP                         Disabled     Medium            L,D
  Max length                       4000 bytes
Large ICMPv6                       Disabled     Low               L
  Max length                       4000 bytes
TCP invalid flags                  Disabled     medium            L,D
TCP null flag                      Disabled     Low               L
TCP all flags                      Enabled      Info              L
TCP SYN-FIN flags                  Disabled     Info              L
TCP FIN only flag                  Enabled      Info              L
TCP Land                           Disabled     Info              L
Winnuke                            Disabled     Info              L
UDP Bomb                           Disabled     Info              L
UDP Snork                          Disabled     Info              L
UDP Fraggle                        Enabled      Info              L
IP option record route             Disabled     Info              L
IP option internet timestamp       Enabled      Info              L
IP option security                 Disabled     Info              L
IP option loose source routing     Enabled      Info              L
IP option stream ID                Disabled     Info              L
IP option strict source routing    Disabled     Info              L
IP option route alert              Disabled     Info              L
ICMP echo request                  Disabled     Info              L
ICMP echo reply                    Disabled     Info              L
ICMP source quench                 Disabled     Info              L
ICMP destination unreachable       Enabled      Info              L
ICMP redirect                      Enabled      Info              L
ICMP time exceeded                 Enabled      Info              L
ICMP parameter problem             Disabled     Info              L
ICMP timestamp request             Disabled     Info              L
ICMP timestamp reply               Disabled     Info              L
ICMP information request           Disabled     Info              L
ICMP information reply             Disabled     Medium            L,D
ICMP address mask request          Disabled     Medium            L,D
ICMP address mask reply            Disabled     Medium            L,D
ICMPv6 echo request                Enabled      Medium            L,D
ICMPv6 echo reply                  Disabled     Medium            L,D
ICMPv6 group membership query      Disabled     Medium            L,D
ICMPv6 group membership report     Disabled     Medium            L,D
ICMPv6 group membership reduction  Disabled     Medium            L,D
ICMPv6 destination unreachable     Enabled      Medium            L,D
ICMPv6 time exceeded               Enabled      Medium            L,D
ICMPv6 parameter problem           Disabled     Medium            L,D
ICMPv6 packet too big              Disabled     Medium            L,D

Scan attack defense configuration:
 Defense: Disabled
 Level: Medium
 Actions: L

Flood attack defense configuration:
Flood type      Global thres(pps)  Global actions  Service ports   Non-specific
SYN flood       1000(default)      -               -               Disabled
ACK flood       1000(default)      -               -               Enabled
SYN-ACK flood   1000(default)      -               -               Disabled
RST flood       200                -               -               Enabled
FIN flood       1000(default)      L,D             -               Disabled
UDP flood       1000(default)      -               -               Disabled
ICMP flood      1000(default)      -               -               Disabled
ICMPv6 flood    1000(default)      CV              -               Disabled
DNS flood       10000              -               30,61 to 62     Enabled
HTTP flood      10000              -               80,8080         Enabled

Flood attack defense for protected IP addresses:
 Address                 VPN instance Flood type    Thres(pps)  Actions Ports
 1::1                    --           FIN-FLOOD     10          L,D     -
 192.168.1.1             --           SYN-ACK-FLOOD 10          -       -
 1::1                    --           FIN-FLOOD     -           L       -
 2013:2013:2013:2013:    --           DNS-FLOOD     100         L,CV    53
 2013:2013:2013:2013

Table 71: Command output

Field: Description

Policy name: Name of the attack defense policy.

Applied list: Locations to which the attack defense policy is applied. Local indicates that the policy is applied to the device.

Exempt IPv4 ACL: IPv4 ACL used for attack detection exemption.

Exempt IPv6 ACL: IPv6 ACL used for attack detection exemption.

Actions: Attack prevention actions:

  • CV—Client verification.

  • BS—Blocking sources.

  • L—Logging.

  • D—Dropping packets.

  • N—No action.

Signature attack defense configuration: Configuration information about single-packet attack detection and prevention.

Signature name: Type of the single-packet attack.

Defense: Whether attack detection is enabled.

Level: Level of the single-packet attack: info, low, medium, or high. Currently, no high-level single-packet attacks exist.

Large ICMPv6: Large ICMPv6 attack.

ICMPv6 echo request: ICMPv6 echo request attack.

ICMPv6 echo reply: ICMPv6 echo reply attack.

ICMPv6 group membership query: ICMPv6 group membership query attack.

ICMPv6 group membership report: ICMPv6 group membership report attack.

ICMPv6 group membership reduction: ICMPv6 group membership reduction attack.

ICMPv6 destination unreachable: ICMPv6 destination unreachable attack.

ICMPv6 time exceeded: ICMPv6 time exceeded attack.

ICMPv6 parameter problem: ICMPv6 parameter problem attack.

ICMPv6 packet too big: ICMPv6 packet too big attack.

Scan attack defense configuration: Configuration information about scanning attack detection and prevention.

Level: Level of the scanning attack detection: low, medium, or high.

Flood attack defense configuration: Configuration information about flood attack detection and prevention.

Flood type: Type of the flood attack:

  • ACK flood.

  • DNS flood.

  • FIN flood.

  • ICMP flood.

  • ICMPv6 flood.

  • SYN flood.

  • SYN-ACK flood.

  • UDP flood.

  • RST flood.

  • HTTP flood.

Global thres (pps): Global threshold for triggering the flood attack prevention, in units of packets sent to an IP address per second. The default is 1000 pps.

Global actions: Global prevention actions against the flood attack:

  • D—Dropping packets.

  • L—Logging.

  • CV—Client verification.

  • -—Not configured.

Service ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).

Non-specific: Whether the global flood attack detection is enabled.

Flood attack defense for protected IP addresses: Configuration of the IP address-specific flood attack detection and prevention.

Address: Protected IP address.

VPN instance: MPLS L3VPN instance to which the protected IP address belongs. If no MPLS L3VPN instance is specified, this field displays a hyphen (-).

Thres(pps): Threshold for triggering the flood attack prevention, in units of packets sent to the IP address per second. If no threshold is specified, this field displays a hyphen (-).

Ports: Ports that are protected against the flood attack. This field displays port numbers only for the DNS and HTTP flood attacks. For other flood attacks, this field displays a hyphen (-).
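The following Python example is added here and is not part of the vendor documentation: it parses the signature and global flood tables of the output described in Table 71 and lists the rows a reviewer would want to check. The function names, the review criteria, and the embedded sample (an excerpt constructed from the example output above) are assumptions of this example.

```python
import re
# Constructed sample: an excerpt of the example output shown on this page.
SAMPLE = """\
Signature attack defense configuration:
Signature name                     Defense      Level             Actions
Fragment                           Enabled      Info              L
Large ICMP                         Disabled     Medium            L,D
  Max length                       4000 bytes
ICMPv6 echo request                Enabled      Medium            L,D
Flood attack defense configuration:
Flood type      Global thres(pps)  Global actions  Service ports   Non-specific
ACK flood       1000(default)      -               -               Enabled
FIN flood       1000(default)      L,D             -               Disabled
DNS flood       10000              -               30,61 to 62     Enabled
"""

SIG_ROW = re.compile(r"^(\S.*?)\s{2,}(Enabled|Disabled)\s+(\w+)\s+(\S+)$")
FLOOD_ROW = re.compile(r"^(\S.*?)\s{2,}(\d+)(?:\(default\))?\s+(\S+)\s+(.+?)"
                       r"\s{2,}(Enabled|Disabled)$")

def parse_policy(text):
    """Return (signature rows, global flood rows) parsed from the command output."""
    sigs, floods, section = [], [], None
    for line in map(str.rstrip, text.splitlines()):
        if line.endswith("addresses:"):
            section = None                      # per-IP table is not parsed here
        elif line.endswith("configuration:"):
            section = line.split()[0].lower()   # signature / scan / flood
        elif section == "signature" and (m := SIG_ROW.match(line)):
            name, state, level, acts = m.groups()
            sigs.append({"name": name, "enabled": state == "Enabled",
                         "level": level.lower(), "actions": acts.split(",")})
        elif section == "flood" and (m := FLOOD_ROW.match(line)):
            name, thres, acts, ports, state = m.groups()
            floods.append({"name": name, "threshold": int(thres), "ports": ports,
                           "actions": [] if acts == "-" else acts.split(","),
                           "enabled": state == "Enabled"})
    return sigs, floods

def audit(sigs, floods):
    """List rows to review (the criteria are this example's assumption)."""
    out = [f"signature {s['name']}: detection disabled" for s in sigs if not s["enabled"]]
    out += [f"signature {s['name']}: enabled without D (drop)"
            for s in sigs if s["enabled"] and "D" not in s["actions"]]
    out += [f"{r['name']}: global detection disabled" for r in floods if not r["enabled"]]
    out += [f"{r['name']}: detection enabled, no global action configured"
            for r in floods if r["enabled"] and not r["actions"]]
    return out

print("\n".join(audit(*parse_policy(SAMPLE))))
```

Signature names and the DNS service-port list contain single spaces, so the patterns split columns on runs of two or more spaces; the indented "Max length" continuation lines are skipped.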

# Display brief information about all attack defense policies.

<Sysname> display attack-defense policy 
           Attack-defense Policy Brief Information
------------------------------------------------------------
Policy Name                        Applied list
P2                                 None
p1                                 Local
p12                                Local

Table 72: Command output

Field: Description

Policy name: Name of the attack defense policy.

Applied list: Locations to which the attack defense policy is applied. Local indicates that the policy is applied to the device.

Related commands

attack-defense policy