scan detect

Use scan detect to configure scanning attack detection.

Use undo scan detect to remove the scanning attack detection configuration.

Syntax

scan detect level { high | low | medium } action { drop | logging } *

undo scan detect level { high | low | medium }

Default

No scanning attack detection is configured.

Views

Attack defense policy view

Predefined user roles

network-admin

mdc-admin

Parameters

level: Specifies the level of the scanning attack detection.

low: Specifies the low level. This level provides basic scanning attack detection. It has a low false alarm rate but many scanning attacks cannot be detected. Statistics are collected every 60 seconds for the low level detection.

high: Specifies the high level. This level can detect most of the scanning attacks, but has a high false alarm rate. Some packets from active hosts might be considered as attack packets. Statistics are collected every 600 seconds for the high level detection.

medium: Specifies the medium level. Compared with the high and low levels, this level has medium false alarm rate and attack detection accuracy. Statistics are collected every 90 seconds for the medium level detection.

action: Specifies the actions against scanning attacks.

drop: Drops subsequent packets from detected scanning attack sources.

logging: Enables logging for scanning attack events.

Usage guidelines

To collaborate with the IP blacklist feature, make sure the blacklist feature is enabled on the interface to which the attack defense policy is applied.

The aging timer set by the timeout minutes option must be longer than the statistics collection interval.

Examples

# Configure low level scanning attack detection and specify the prevention action as drop in attack defense policy atk-policy-1.

<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action drop

# Configure scanning attack detection in attack defense policy atk-policy-1. Specify the detection level as low and the prevention actions as block-source and logging. Set the aging time for the dynamically added IP blacklist entries to 10 minutes.

<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] scan detect level low action logging block-source timeout 10

Related commands

blacklist enable

blacklist global enable