http-flood detect

Use http-flood detect to configure IP address-specific HTTP flood attack detection.

Use undo http-flood detect to remove the IP address-specific HTTP flood attack detection configuration.


http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]


IP address-specific HTTP flood attack detection is not configured.


Attack defense policy view

Predefined user roles




ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

port port-list: Specifies a space-separated list of up to 65535 port number items. Each item specifies a port by its port number or a range of ports in the form of start-port-number to end-port-number. The end-port-number cannot be smaller than the start-port-number. If you do not specify this option, the global ports apply.

threshold threshold-value: Specifies the threshold for triggering HTTP flood attack prevention. The value range is 1 to 1000000 in units of HTTP packets sent to the specified IP address per second.

action: Specifies the actions when an HTTP flood attack is detected. If no action is specified, the global actions set by the http-flood action command apply.

drop: Drops subsequent HTTP packets destined for the protected IP address.

logging: Enables logging for HTTP flood attack events.

none: Takes no action.

Usage guidelines

With HTTP flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of HTTP packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure HTTP flood attack detection for multiple IP addresses in one attack defense policy.


# Configure HTTP flood attack detection for in attack defense policy atk-policy-1.

<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] http-flood detect ip port 80 8080 threshold 2000

Related commands

http-flood action

http-flood detect non-specific

http-flood threshold

http-flood port