Configuring a single-packet attack defense policy

About single-packet attack defense policy

Apply the single-packet attack defense policy to the interface or security zone that is connected to the external network.

Single-packet attack detection inspects incoming packets based on the packet signature. If an attack packet is detected, the device can take the following actions:

You can also configure the device to not take any actions.

Procedure

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Configure signature detection for specific single-packet attack types, and specify the actions against the attacks.

    • Configure signature detection for well-known single-packet attacks, and specify the actions against the attacks.

      signature detect { fraggle | fragment | impossible | land | large-icmp | large-icmpv6 | smurf | snork | tcp-all-flags | tcp-fin-only | tcp-invalid-flags | tcp-null-flag | tcp-syn-fin | tiny-fragment | traceroute | udp-bomb | winnuke } [ action { { drop | logging } * | none } ]

      signature detect { ip-option-abnormal | ping-of-death | teardrop } action { drop | logging } *

    • Configure signature detection for ICMP packet attacks, and specify the actions against the attacks.

      signature detect icmp-type { icmp-type-value | address-mask-reply | address-mask-request | destination-unreachable | echo-reply | echo-request | information-reply | information-request | parameter-problem | redirect | source-quench | time-exceeded | timestamp-reply | timestamp-request } [ action { { drop | logging } * | none } ]

    • Configure signature detection for ICMPv6 packet attacks, and specify the actions against the attacks.

      signature detect icmpv6-type { icmpv6-type-value | destination-unreachable | echo-reply | echo-request | group-query | group-reduction | group-report | packet-too-big | parameter-problem | time-exceeded } [ action { { drop | logging } * | none } ]

    • Configure signature detection for IP option attacks, and specify the actions against the attacks.

      signature detect ip-option { option-code | internet-timestamp | loose-source-routing | record-route | route-alert | security | stream-id | strict-source-routing } [ action { { drop | logging } * | none } ]

    • Configure signature detection for IPv6 extension header abnormality attacks, and specify the actions against the attacks.

      signature detect ipv6-ext-header-abnormal [ action { { drop | logging } * | none } ]

    By default, signature detection is not configured for single-packet attacks.

  4. (Optional.) Set the maximum length of safe ICMP or ICMPv6 packets.

    signature { large-icmp | large-icmpv6 } max-length length

    By default, the maximum length of safe ICMP or ICMPv6 packets is 4000 bytes.

  5. (Optional.) Specify the actions against single-packet attacks of a specific level.

    signature level { high | info | low | medium } action { { drop | logging } * | none }

    The default action is logging for single-packet attacks of the informational and low levels.

    The default actions are logging and drop for single-packet attacks of the medium and high levels.

  6. (Optional.) Enable signature detection for single-packet attacks of a specific level.

    signature level { high | info | low | medium } detect

    By default, signature detection is disabled for all levels of single-packet attacks.
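The procedure above carried through as one worked session, as an added example that is not from the guide: the policy name atk-edge, the zone name Untrust, the 1500-byte ICMP threshold and the `attack-defense apply policy` command used to bind the policy to the zone are assumptions, since the page only states that the policy is applied to an external-facing interface or zone. Lines starting with `#` are annotations, not commands.

```text
<Sysname> system-view
[Sysname] attack-defense policy atk-edge
# Malformed-packet signatures: drop the packet and log the event.
[Sysname-attack-defense-policy-atk-edge] signature detect land action drop logging
[Sysname-attack-defense-policy-atk-edge] signature detect smurf action drop logging
[Sysname-attack-defense-policy-atk-edge] signature detect winnuke action drop logging
[Sysname-attack-defense-policy-atk-edge] signature detect tcp-syn-fin action drop logging
# ping-of-death and teardrop require an action; none is not accepted for them.
[Sysname-attack-defense-policy-atk-edge] signature detect ping-of-death action drop logging
[Sysname-attack-defense-policy-atk-edge] signature detect teardrop action drop logging
# Tighten the safe ICMP length below the 4000-byte default before detecting large-icmp (1500 is an assumed value).
[Sysname-attack-defense-policy-atk-edge] signature large-icmp max-length 1500
[Sysname-attack-defense-policy-atk-edge] signature detect large-icmp action drop logging
# Traceroute probes are reconnaissance rather than corruption: log only, so legitimate troubleshooting still works.
[Sysname-attack-defense-policy-atk-edge] signature detect traceroute action logging
# Level-based detection is off by default; enabling medium and high uses their default drop-and-log action.
[Sysname-attack-defense-policy-atk-edge] signature level medium detect
[Sysname-attack-defense-policy-atk-edge] signature level high detect
[Sysname-attack-defense-policy-atk-edge] quit
# Bind the policy to the zone facing the external network (zone name and apply command are assumed).
[Sysname] security-zone name Untrust
[Sysname-security-zone-Untrust] attack-defense apply policy atk-edge
```

Review the resulting log volume after applying the policy: signatures set to drop logging on a busy external zone generate an event per matching packet, so verify the logging path can absorb that rate before leaving it enabled.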