signature detect
Use signature detect to enable signature detection for single-packet attacks and specify the prevention actions.
Use undo signature detect to disable signature detection for single-packet attacks.
Syntax
signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]
undo signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke }
signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *
undo signature detect { ip-option-abnormal | ping-of-death | teardrop }
signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]
undo signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request }
signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]
undo signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded }
signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]
undo signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing }
signature detect ipv6-ext-header ext-header-value [ action { { drop | logging } * | none } ]
undo signature detect ipv6-ext-header next-header-value
Default
Signature detection is disabled for all single-packet attacks.
Views
Attack defense policy view
Predefined user roles
network-admin
mdc-admin
Parameters
fraggle: Specifies the fraggle attack.
fragment: Specifies the IP fragment attack.
icmp-type: Specifies an ICMP packet attack by the packet type. You can specify the packet type by a number or a keyword:
icmp-type-value: Specifies the ICMP packet type in the range of 0 to 255.
address-mask-reply: Specifies the ICMP address mask reply type.
address-mask-request: Specifies the ICMP address mask request type.
destination-unreachable: Specifies the ICMP destination unreachable type.
echo-reply: Specifies the ICMP echo reply type.
echo-request: Specifies the ICMP echo request type.
information-reply: Specifies the ICMP information reply type.
information-request: Specifies the ICMP information request type.
parameter-problem: Specifies the ICMP parameter problem type.
redirect: Specifies the ICMP redirect type.
source-quench: Specifies the ICMP source quench type.
time-exceeded: Specifies the ICMP time exceeded type.
timestamp-reply: Specifies the ICMP timestamp reply type.
timestamp-request: Specifies the ICMP timestamp request type.
icmpv6-type: Specifies an ICMPv6 packet attack by the packet type. You can specify the packet type by a number or a keyword:
icmpv6-type-value: Specifies the ICMPv6 packet type in the range of 0 to 255.
destination-unreachable: Specifies the ICMPv6 destination unreachable type.
echo-reply: Specifies the ICMPv6 echo reply type.
echo-request: Specifies the ICMPv6 echo request type.
group-query: Specifies the ICMPv6 group query type.
group-reduction: Specifies the ICMPv6 group reduction type.
group-report: Specifies the ICMPv6 group report type.
packet-too-big: Specifies the ICMPv6 packet too big type.
parameter-problem: Specifies the ICMPv6 parameter problem type.
time-exceeded: Specifies the ICMPv6 time exceeded type.
impossible: Specifies the IP impossible packet attack.
ip-option: Specifies an IP option. You can specify the IP option by a number or a keyword:
option-code: Specifies the IP option in the range of 0 to 255.
internet-timestamp: Specifies the timestamp option.
loose-source-routing: Specifies the loose source routing option.
record-route: Specifies the record route option.
route-alert: Specifies the route alert option.
security: Specifies the security option.
stream-id: Specifies the stream identifier option.
strict-source-routing: Specifies the strict source route option.
ip-option-abnormal: Specifies the abnormal IP option attack.
ipv6-ext-header ext-header-value: Specifies an IPv6 extension header by its value in the range of 0 to 255.
land: Specifies the Land attack.
large-icmp: Specifies the large ICMP packet attack.
large-icmpv6: Specifies the large ICMPv6 packet attack.
ping-of-death: Specifies the ping-of-death attack.
smurf: Specifies the smurf attack.
snork: Specifies the UDP snork attack.
tcp-all-flags: Specifies the attack where the TCP packet has all flags set.
tcp-fin-only: Specifies the attack where the TCP packet has only the FIN flag set.
tcp-invalid-flags: Specifies the attack that uses TCP packets with invalid flags.
tcp-null-flag: Specifies the attack where the TCP packet has no flags set.
tcp-syn-fin: Specifies the attack where the TCP packet has both SYN and FIN flags set.
teardrop: Specifies the teardrop attack.
tiny-fragment: Specifies the tiny fragment attack.
traceroute: Specifies the traceroute attack.
udp-bomb: Specifies the UDP bomb attack.
winnuke: Specifies the WinNuke attack.
action: Specifies the actions against the single-packet attack. If you do not specify this keyword, the default action of the attack level to which the single-packet attack belongs is used.
drop: Drops packets that match the specified signature.
logging: Enables logging for the specified single-packet attack.
none: Takes no action.
Usage guidelines
You can use this command multiple times to enable signature detection for multiple single-packet attack types.
When you specify a packet type by a number, if the packet type has a corresponding keyword, the keyword is displayed in command output. If the packet type does not have a corresponding keyword, the number is displayed.
Examples
# Enable signature detection for the IP fragment attack and specify the prevention action as drop in attack defense policy atk-policy-1.
<Sysname> system-view [Sysname] attack-defense policy atk-policy-1 [Sysname-attack-defense-policy-atk-policy-1] signature detect fragment action drop
Related commands
signature level action