Configuring a flood attack defense policy

About flood attack detection and prevention

Apply a flood attack defense policy to the interface or security zone that is connected to the external network to protect internal servers.

Flood attack detection monitors the rate at which connections are initiated to the internal servers.

With flood attack detection enabled, the device starts in attack detection state. When the rate of packets sent to a protected IP address reaches the trigger threshold, the device enters prevention state and takes the specified actions. When the rate drops below the silence threshold (three-fourths of the trigger threshold), the device returns to attack detection state.

Restrictions and guidelines for flood attack detection and prevention

If a device has multiple service cards, the global trigger threshold you set takes effect on each service card separately. The effective global trigger threshold of the whole device is therefore the value you set multiplied by the number of service cards.

You can configure flood attack detection and prevention for a specific IP address. For non-specific IP addresses, the device uses the global attack prevention settings.

Configuring a SYN flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global SYN flood attack detection.

    syn-flood detect non-specific

    By default, global SYN flood attack detection is disabled.

  4. Set the global trigger threshold for SYN flood attack prevention.

    syn-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against SYN flood attacks.

    syn-flood action { drop | logging } *

    By default, no global action is specified for SYN flood attacks.

  6. Configure IP address-specific SYN flood attack detection.

    syn-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific SYN flood attack detection is not configured.

Configuring an ACK flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global ACK flood attack detection.

    ack-flood detect non-specific

    By default, global ACK flood attack detection is disabled.

  4. Set the global trigger threshold for ACK flood attack prevention.

    ack-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against ACK flood attacks.

    ack-flood action { drop | logging } *

    By default, no global action is specified for ACK flood attacks.

  6. Configure IP address-specific ACK flood attack detection.

    ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific ACK flood attack detection is not configured.

Configuring a SYN-ACK flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global SYN-ACK flood attack detection.

    syn-ack-flood detect non-specific

    By default, global SYN-ACK flood attack detection is disabled.

  4. Set the global trigger threshold for SYN-ACK flood attack prevention.

    syn-ack-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against SYN-ACK flood attacks.

    syn-ack-flood action { drop | logging } *

    By default, no global action is specified for SYN-ACK flood attacks.

  6. Configure IP address-specific SYN-ACK flood attack detection.

    syn-ack-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific SYN-ACK flood attack detection is not configured.

Configuring a FIN flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global FIN flood attack detection.

    fin-flood detect non-specific

    By default, global FIN flood attack detection is disabled.

  4. Set the global trigger threshold for FIN flood attack prevention.

    fin-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against FIN flood attacks.

    fin-flood action { drop | logging } *

    By default, no global action is specified for FIN flood attacks.

  6. Configure IP address-specific FIN flood attack detection.

    fin-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific FIN flood attack detection is not configured.

Configuring an RST flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global RST flood attack detection.

    rst-flood detect non-specific

    By default, global RST flood attack detection is disabled.

  4. Set the global trigger threshold for RST flood attack prevention.

    rst-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against RST flood attacks.

    rst-flood action { drop | logging } *

    By default, no global action is specified for RST flood attacks.

  6. Configure IP address-specific RST flood attack detection.

    rst-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific RST flood attack detection is not configured.

Configuring an ICMP flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global ICMP flood attack detection.

    icmp-flood detect non-specific

    By default, global ICMP flood attack detection is disabled.

  4. Set the global trigger threshold for ICMP flood attack prevention.

    icmp-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against ICMP flood attacks.

    icmp-flood action { drop | logging } *

    By default, no global action is specified for ICMP flood attacks.

  6. Configure IP address-specific ICMP flood attack detection.

    icmp-flood detect ip ip-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific ICMP flood attack detection is not configured.

Configuring an ICMPv6 flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global ICMPv6 flood attack detection.

    icmpv6-flood detect non-specific

    By default, global ICMPv6 flood attack detection is disabled.

  4. Set the global trigger threshold for ICMPv6 flood attack prevention.

    icmpv6-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against ICMPv6 flood attacks.

    icmpv6-flood action { drop | logging } *

    By default, no global action is specified for ICMPv6 flood attacks.

  6. Configure IP address-specific ICMPv6 flood attack detection.

    icmpv6-flood detect ipv6 ipv6-address [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific ICMPv6 flood attack detection is not configured.

Configuring a UDP flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global UDP flood attack detection.

    udp-flood detect non-specific

    By default, global UDP flood attack detection is disabled.

  4. Set the global trigger threshold for UDP flood attack prevention.

    udp-flood threshold threshold-value

    The default setting is 1000.

  5. Specify global actions against UDP flood attacks.

    udp-flood action { drop | logging } *

    By default, no global action is specified for UDP flood attacks.

  6. Configure IP address-specific UDP flood attack detection.

    udp-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific UDP flood attack detection is not configured.

Configuring a DNS flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global DNS flood attack detection.

    dns-flood detect non-specific

    By default, global DNS flood attack detection is disabled.

  4. Set the global trigger threshold for DNS flood attack prevention.

    dns-flood threshold threshold-value

    The default setting is 1000.

  5. (Optional.) Specify the global ports to be protected against DNS flood attacks.

    dns-flood port port-list

    By default, DNS flood attack prevention protects port 53.

  6. Specify global actions against DNS flood attacks.

    dns-flood action { drop | logging } *

    By default, no global action is specified for DNS flood attacks.

  7. Configure IP address-specific DNS flood attack detection.

    dns-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific DNS flood attack detection is not configured.

Configuring an HTTP flood attack defense policy

  1. Enter system view.

    system-view

  2. Enter attack defense policy view.

    attack-defense policy policy-name

  3. Enable global HTTP flood attack detection.

    http-flood detect non-specific

    By default, global HTTP flood attack detection is disabled.

  4. Set the global trigger threshold for HTTP flood attack prevention.

    http-flood threshold threshold-value

    The default setting is 1000.

  5. (Optional.) Specify the global ports to be protected against HTTP flood attacks.

    http-flood port port-list

    By default, HTTP flood attack prevention protects port 80.

  6. Specify global actions against HTTP flood attacks.

    http-flood action { drop | logging } *

    By default, no global action is specified for HTTP flood attacks.

  7. Configure IP address-specific HTTP flood attack detection.

    http-flood detect { ip ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { { drop | logging } * | none } ]

    By default, IP address-specific HTTP flood attack detection is not configured.
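All of the flood defense procedures above share one command syntax and the detection mechanism described in the About section, so one added example covers them all; it is a Python model written for this page, not H3C/Comware code. It parses the flood commands in the page's syntax for any of the flood types above and simulates the transition between attack detection and prevention states: prevention starts when the per-destination rate reaches the trigger threshold and ends when the rate falls below the silence threshold (three-fourths of the trigger threshold), with IP address-specific settings taking precedence over the global ones. The FloodPolicy class, its method names, and the sample addresses and rates are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class FloodPolicy:
    kind: str = "syn-flood"           # any <type>-flood command family on this page
    non_specific: bool = False        # set by '<kind> detect non-specific'
    threshold: int = 1000             # global trigger threshold (page default)
    actions: tuple = ()               # () = no global action (page default)
    per_ip: dict = field(default_factory=dict)   # ip -> (threshold|None, actions|None)
    in_prevention: set = field(default_factory=set)

    def configure(self, line: str) -> None:
        tok = line.split()
        if tok[0] != self.kind:
            raise ValueError(f"not a {self.kind} command: {line}")
        if tok[1:3] == ["detect", "non-specific"]:
            self.non_specific = True
        elif tok[1] == "detect":                   # detect { ip | ipv6 } addr [...]
            thr = int(tok[tok.index("threshold") + 1]) if "threshold" in tok else None
            acts = None                            # absent: global actions apply
            if "action" in tok:                    # 'none' parses to the empty tuple
                acts = tuple(a for a in tok[tok.index("action") + 1:] if a != "none")
            self.per_ip[tok[3]] = (thr, acts)      # vpn-instance not modelled
        elif tok[1] == "threshold":
            self.threshold = int(tok[2])
        elif tok[1] == "action":
            self.actions = tuple(tok[2:])
        elif tok[1] != "port":                     # dns/http port lists not modelled
            raise ValueError(f"unsupported command: {line}")

    def settings_for(self, dst_ip: str):
        """IP-specific settings win; global ones apply only if non-specific detection is on."""
        if dst_ip in self.per_ip:
            thr, acts = self.per_ip[dst_ip]
            return (self.threshold if thr is None else thr, self.actions if acts is None else acts)
        return (self.threshold, self.actions) if self.non_specific else None

    def observe(self, dst_ip: str, rate: int) -> tuple:
        """Feed one rate sample (packets/s towards dst_ip); return the actions taken."""
        settings = self.settings_for(dst_ip)
        if settings is None:
            return ()
        thr, acts = settings
        active = dst_ip in self.in_prevention
        # Prevention begins at the trigger threshold and ends below the silence threshold (3/4 of it).
        if rate >= thr or (active and rate >= 0.75 * thr):
            self.in_prevention.add(dst_ip)
            return acts
        self.in_prevention.discard(dst_ip)         # (back) in attack detection state
        return ()
```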