Interface-based attack detection and prevention configuration example
Network requirements
As shown in Figure 111, the device is the gateway for the internal network.
Configure an attack defense policy and apply the policy to GigabitEthernet 1/0/2 to meet the following requirements:
Provide low-level scanning attack detection for internal hosts and servers. If a scanning attack is detected, log the attack and keep the attacker on the blacklist for 10 minutes.
Protect internal hosts and servers against smurf attacks. If a smurf attack is detected, log the attack.
Protect the internal server against SYN flood attacks. If the number of SYN packets sent to the server per second reaches or exceeds 5000, log the attack and drop subsequent packets.
Figure 110: Network diagram
Configuration procedure
# Configure IP addresses for the interfaces on the device. (Details not shown.)
# Enable the global blacklist feature.
<Device> system-view [Device] blacklist global enable
# Create attack defense policy a1.
[Device] attack-defense policy a1
# Configure signature detection for smurf attacks, and specify logging as the prevention action.
[Device-attack-defense-policy-a1] signature detect smurf action logging
# Configure low-level scanning attack detection, specify logging and block-source as the prevention actions, and set the blacklist entry aging time to 10 minutes.
[Device-attack-defense-policy-a1] scan detect level low action logging block-source timeout 10
# Configure SYN flood attack detection for 10.1.1.2, set the attack prevention triggering threshold to 5000, and specify logging and drop as the prevention actions.
[Device-attack-defense-policy-a1] syn-flood detect ip 10.1.1.2 threshold 5000 action logging drop [Device-attack-defense-policy-a1] quit
# Apply attack defense policy a1 to GigabitEthernet 1/0/2.
[Device] interface gigabitethernet 1/0/2 [Device-GigabitEthernet1/0/2] attack-defense apply policy a1 [Device-GigabitEthernet1/0/2] quit
Verifying the configuration
# Verify that attack defense policy a1 is successfully configured.
[Device] display attack-defense policy a1
Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name : a1
Applied list : GE1/0/2
--------------------------------------------------------------------------
Exempt IPv4 ACL : Not configured
Exempt IPv6 ACL : Not configured
--------------------------------------------------------------------------
Actions: BS-Block source L-Logging D-Drop N-None
Signature attack defense configuration:
Signature name Defense Level Actions
Fragment Disabled low L
Impossible Disabled medium L,D
Teardrop Disabled medium L,D
Tiny fragment Disabled low L
IP option abnormal Disabled medium L,D
Smurf Enabled medium L
Traceroute Disabled low L
Ping of death Disabled medium L,D
Large ICMP Disabled info L
Max length 4000 bytes
Large ICMPv6 Disabled info L
Max length 4000 bytes
TCP invalid flags Disabled medium L,D
TCP null flag Disabled medium L,D
TCP all flags Disabled medium L,D
TCP SYN-FIN flags Disabled medium L,D
TCP FIN only flag Disabled medium L,D
TCP Land Disabled medium L,D
Winnuke Disabled medium L,D
UDP Bomb Disabled medium L,D
UDP Snork Disabled medium L,D
UDP Fraggle Disabled medium L,D
IP option record route Disabled info L
IP option internet timestamp Disabled info L
IP option security Disabled info L
IP option loose source routing Disabled info L
IP option stream ID Disabled info L
IP option strict source routing Disabled info L
IP option route alert Disabled info L
ICMP echo request Disabled info L
ICMP echo reply Disabled info L
ICMP source quench Disabled info L
ICMP destination unreachable Disabled info L
ICMP redirect Disabled info L
ICMP time exceeded Disabled info L
ICMP parameter problem Disabled info L
ICMP timestamp request Disabled info L
ICMP timestamp reply Disabled info L
ICMP information request Disabled info L
ICMP information reply Disabled info L
ICMP address mask request Disabled info L
ICMP address mask reply Disabled info L
ICMPv6 echo request Disabled info L
ICMPv6 echo reply Disabled info L
ICMPv6 group membership query Disabled info L
ICMPv6 group membership report Disabled info L
ICMPv6 group membership reduction Disabled info L
ICMPv6 destination unreachable Disabled info L
ICMPv6 time exceeded Disabled info L
ICMPv6 parameter problem Disabled info L
ICMPv6 packet too big Disabled info L
Scan attack defense configuration:
Defense : Enabled
Level : low
Actions : L,BS(10)
Flood attack defense configuration:
Flood type Global thres(pps) Global actions Service ports Non-specific
SYN flood 1000(default) - - Disabled
ACK flood 1000(default) - - Disabled
SYN-ACK flood 1000(default) - - Disabled
RST flood 1000(default) - - Disabled
FIN flood 1000(default) - - Disabled
UDP flood 1000(default) - - Disabled
ICMP flood 1000(default) - - Disabled
ICMPv6 flood 1000(default) - - Disabled
DNS flood 1000(default) - 53 Disabled
HTTP flood 1000(default) - 80 Disabled
Flood attack defense for protected IP addresses:
Address VPN instance Flood type Thres(pps) Actions Ports
10.1.1.2 -- SYN-FLOOD 5000 L,D -
# Verify that the attack detection and prevention takes effect on GigabitEthernet 1/0/2.
[Device] display attack-defense statistics interface gigabitethernet 1/0/2 Attack policy name: a1 Scan attack defense statistics: AttackType AttackTimes Dropped Port scan 2 0 IP sweep 3 0 Distribute port scan 1 0 Flood attack defense statistics: AttackType AttackTimes Dropped SYN flood 1 5000 Signature attack defense statistics: AttackType AttackTimes Dropped Smurf 1 0
# Verify that the IPv4 blacklist feature collaborates with the scanning attack detection.
[Device] display blacklist ip IP address VPN instance DS-Lite tunnel peer Type TTL(sec) Dropped 5.5.5.5 -- -- Dynamic 600 353452