650
Syntax
syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold
threshold-value ] [ action { client-verify | drop | logging } * ]
undo syn-ack-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
SYN-ACK flood attack detection is not configured for any IP address.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
ipv6 ipv6-address: Specifies the IPv6 address to be protected. The ipv6-address argument cannot be a
multicast address or all 0s.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the protected IP address
belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. Do not specify
this option if the protected IP address is on the public network.
threshold threshold-value: Sets the threshold for triggering SYN-ACK flood attack prevention. The value
range is 1 to 1000000 in units of SYN-ACK packets sent to the specified IP address per second.
action: Specifies the actions when a SYN-ACK flood attack is detected. If no action is specified, the
global actions set by the syn-ack-flood action command apply.
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client
verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN-ACK packets destined for the protected IP address.
logging: Enables logging for SYN-ACK flood attack events. The log information records the detection
interface, victim IP address, MPLS L3VPN instance name, current packet statistics, prevention action, and
start time of the attack.
Usage guidelines
You can configure SYN-ACK flood attack detection for multiple IP addresses in one attack defense policy.
With SYN-ACK flood attack detection configured, the device is in attack detection state. An attack occurs
when the device detects that the sending rate of SYN-ACK packets to a protected IP address reaches or
exceeds the threshold. The device enters prevention state and takes actions to protect the target IP
address. When the rate is below the silence threshold (three-fourths of the threshold), the device
considers that the threat is over and returns to the attack detection state.
Examples
# Configure SYN-ACK flood attack detection for 192.168.1.2 in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2
threshold 2000
To Next Page
Loading...
Need help?
General
