653
Predefined user roles
network-admin
Parameters
client-verify: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP client
verification is enabled, the device provides proxy services for protected servers.
drop: Drops subsequent SYN packets destined for the victim IP addresses.
logging: Enables logging for SYN flood attack events. The log information records the detection interface,
victim IP address, MPLS L3VPN instance name, current packet statistics, prevention actions, and start time
of the attack.
Usage guidelines
To configure the SYN flood attack detection to collaborate with the TCP client verification, make sure the
client-verify keyword is specified and the TCP client verification is enabled. To enable TCP client
verification, use the client-verify tcp enable command.
Examples
# Specify drop as the global action against SYN flood attacks in attack defense policy atk-policy-1.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-flood action drop
Related commands
• syn-flood detect
• syn-flood detect non-specific
• syn-flood threshold
syn-flood detect
Use syn-flood detect to configure IP-specific SYN flood attack detection.
Use undo syn-flood detect to remove the SYN flood attack detection configuration for an IP address.
Syntax
syn-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold
threshold-value ] [ action { client-verify | drop | logging } * ]
undo syn-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ]
Default
SYN flood attack detection is not configured for any IP address.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ip ip-address: Specifies the IPv4 address to be protected. The ip-address argument cannot be all 1s or 0s.
To Next Page
Loading...
Need help?
General
