[x]

Attack detection and prevention commands > syn-ack-flood detect

 

 Next

syn-ack-flood detect

Use syn-ack-flood detect to configure IP address-specific SYN-ACK flood attack detection.

Use undo syn-ack-flood detect to remove the IP address-specific SYN-ACK flood attack detection configuration.

Syntax

syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

undo syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]

Default

IP address-specific SYN-ACK flood attack detection is not configured.

Views

Attack defense policy view

Predefined user roles

network-admin

mdc-admin

Parameters

ip ipv4-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.

ipv6 ipv6-address: Specifies the IPv6 address to be protected.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify this option if the protected IP address is on the public network.

threshold threshold-value: Specifies the threshold for triggering SYN-ACK flood attack prevention. The value range is 1 to 1000000 in units of SYN-ACK packets sent to the specified IP address per second.

action: Specifies the actions when a SYN-ACK flood attack is detected. If no action is specified, the global actions set by the syn-ack-flood action command apply.

drop: Drops subsequent SYN-ACK packets destined for the protected IP address.

logging: Enables logging for SYN-ACK flood attack events.

none: Takes no action.

Usage guidelines

With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the device enters prevention state and takes the specified actions. When the rate is below the silence threshold (three-fourths of the threshold), the device returns to the attack detection state.

You can configure SYN-ACK flood attack detection for multiple IP addresses in one attack defense policy.

Examples

# Configure SYN-ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.

<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2 threshold 2000

Related commands

syn-ack-flood action

syn-ack-flood detect non-specific

syn-ack-flood threshold

prev

 

up

 next

syn-ack-flood action 

home

 syn-ack-flood detect non-specific

© Copyright 2018 Hewlett Packard Enterprise Development LP