signature detect

Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.

Use undo signature detect to disable signature detection for single-packet attacks.

Syntax

signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }

signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *

undo signature detect { ip-option-abnormal | ping-of-death | teardrop }

signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }

signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }

signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }

signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]

undo signature detect ipv6-ext-header ext-header-value

Default

Signature detection is disabled for all single-packet attacks.

Views

Attack defense policy view

Predefined user roles

network-admin

mdc-admin

Parameters

fraggle: Specifies the fraggle attack.

fragment: Specifies the IP fragment attack.

icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword:

icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword:

impossible: Specifies the IP impossible packet attack.

ip-option: Specifies an IP option. You can specify the IP option by a number or a keyword:

ip-option-abnormal: Specifies the abnormal IP option attack.

ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.

land: Specifies the Land attack.

large-icmp: Specifies the large ICMP packet attack.

large-icmpv6: Specifies the large ICMPv6 packet attack.

ping-of-death: Specifies the ping-of-death attack.

smurf: Specifies the smurf attack.

snork: Specifies the UDP snork attack.

tcp-all-flags: Specifies the attack where the TCP packet has all flags set.

tcp-fin-only: Specifies the attack where the TCP packet has only the FIN flag set.

tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.

tcp-null-flag: Specifies the attack where the TCP packet has no flags set.

tcp-syn-fin: Specifies the attack where the TCP packet has both SYN and FIN flags set.

teardrop: Specifies the teardrop attack.

tiny-fragment: Specifies the tiny fragment attack.

traceroute: Specifies the traceroute attack.

udp-bomb: Specifies the UDP bomb attack.

winnuke: Specifies the WinNuke attack.

action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.

drop: Drops packets that match the specified signature.

logging: Enables logging for the specified single-packet attack.

none: Takes no action.
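To make the TCP-flag and land keywords above concrete, here is an added Python model (not vendor code) of how a packet is matched against those signatures and how a policy's configured actions are looked up; the matching rules use the standard definitions of each attack, the Packet class and the policy dictionary are assumptions, and only signatures present in the policy are detected, mirroring the command's default of detection disabled.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG


@dataclass
class Packet:
    """Minimal constructed view of a packet (assumption, not a vendor structure)."""
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    tcp_flags: int = 0    # only meaningful when proto == "tcp"


def match_signatures(pkt: Packet) -> list[str]:
    """Return the signature keywords (as used by 'signature detect') that a packet matches.

    Only the keywords whose meaning follows directly from the parameter list are
    modelled (land and the four TCP-flag signatures); smurf, snork, fraggle and
    the rest need stateful or size-based checks and are left out.
    """
    hits = []
    if pkt.src_ip == pkt.dst_ip:                 # land: source address equals destination
        hits.append("land")
    if pkt.proto == "tcp":
        f = pkt.tcp_flags & ALL_FLAGS
        if f == ALL_FLAGS:                       # tcp-all-flags: every flag bit set
            hits.append("tcp-all-flags")
        if f == 0:                               # tcp-null-flag: no flag bit set
            hits.append("tcp-null-flag")
        if f & SYN and f & FIN:                  # tcp-syn-fin: SYN and FIN together
            hits.append("tcp-syn-fin")
        if f == FIN:                             # tcp-fin-only: FIN and nothing else
            hits.append("tcp-fin-only")
    return hits


def evaluate(pkt: Packet, policy: dict[str, set[str]]) -> dict[str, set[str]]:
    """Map each matched, enabled signature to its configured actions.

    policy maps a signature keyword to the set of actions configured with
    'action { drop | logging } *'; an empty set models 'action none'.
    Signatures missing from the policy are not detected at all.
    """
    return {sig: policy[sig] for sig in match_signatures(pkt) if sig in policy}
```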

Usage guidelines

You can use this command multiple times to enable signature detection for multiple single-packet attack types.

When you specify a packet type by a number, if the packet type has a corresponding keyword, the keyword is displayed in command output. If the packet type does not have a corresponding keyword, the number is displayed.

Examples

# Enable signature detection for the IP fragment attack and specify the prevention action as drop in attack defense policy atk-policy-1.

<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] signature detect fragment action drop

Related commands

signature level action