615
client-verify: Adds the victim IP addresses to the protected IP list for DNS client verification. If DNS client
verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent DNS packets destined for the protected IP address.
logging: Enables logging for DNS flood attack events. The log information records the detection
interface, victim IP address, MPLS L3VPN instance name, current packet statistics, prevention action, and
start time of the attack.
Usage guidelines
You can configure DNS flood attack detection for multiple IP addresses in one attack defense policy.
With DNS flood attack detection configured, the device is in attack detection state. An attack occurs
when the device detects that the sending rate of DNS packets to a protected IP address reaches or
exceeds the threshold. The device enters prevention state and takes actions to protect the target IP
address. When the rate is below the silence threshold (three-fourths of the threshold), the device
considers that the threat is over and returns to the attack detection state.
Examples
# Configure DNS flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] dns-flood detect ip 192.168.1.2 port 53
threshold 2000
Related commands
• dns-flood action
• dns-flood detect non-specific
• dns-flood threshold
• dns-flood port
dns-flood detect non-specific
Use dns-flood detect non-specific to enable DNS flood attack detection for non-specific IP addresses.
Use undo dns-flood detect non-specific to restore the default.
Syntax
dns-flood detect non-specific
undo dns-flood detect non-specific
Default
DNS flood attack detection is not enabled for non-specific IP addresses.
Views
Attack defense policy view
Predefined user roles
network-admin
To Next Page
Loading...
Need help?
General
