Example: Applying an attack defense policy to the device

Network requirements

Configure attack detection and prevention on the switch (the gateway) to protect against network attacks from the user side or the network side.

Figure 148: Network diagram

Configuration procedure

# Create an attack defense policy named a1.

[Switch] attack-defense policy a1

# Enable signature detection for TCP single-packet attacks and specify logging as the attack prevention action. A TCP packet is identified as an attack packet if it has all flags set, only the FIN flag set, an invalid flag combination, no TCP flags set, or both the SYN and FIN flags set.

[Switch-attack-defense-policy-a1] signature detect tcp-all-flags action logging
[Switch-attack-defense-policy-a1] signature detect tcp-fin-only action logging
[Switch-attack-defense-policy-a1] signature detect tcp-invalid-flags action logging
[Switch-attack-defense-policy-a1] signature detect tcp-null-flag action logging
[Switch-attack-defense-policy-a1] signature detect tcp-syn-fin action logging

# Enable low-level scan attack detection and specify logging as the attack prevention action.

[Switch-attack-defense-policy-a1] scan detect level low action logging

# Enable SYN flood attack detection for 192.168.2.1. Set the threshold for triggering SYN flood attack prevention to 5000 and specify logging and drop as the attack prevention actions.

[Switch-attack-defense-policy-a1] syn-flood detect ip 192.168.2.1 threshold 5000 action logging drop

# Enable global SYN flood attack detection, set the global threshold for triggering SYN flood attack prevention to 2000, and specify logging as the global attack prevention action.

[Switch-attack-defense-policy-a1] syn-flood detect non-specific
[Switch-attack-defense-policy-a1] syn-flood threshold 2000
[Switch-attack-defense-policy-a1] syn-flood action logging
[Switch-attack-defense-policy-a1] quit

# Apply the attack defense policy to the device.

[Switch] attack-defense local apply policy a1

Verifying the configuration

# Verify that attack defense policy a1 is correctly configured.

[Switch] display attack-defense policy a1
          Attack-defense Policy Information
--------------------------------------------------------------------------
Policy name                        : a1
Applied list                       : Local
--------------------------------------------------------------------------
Exempt IPv4 ACL                    : Not configured
Exempt IPv6 ACL                    : Not configured
--------------------------------------------------------------------------
  Actions: CV-Client verify  BS-Block source  L-Logging  D-Drop  N-None

Signature attack defense configuration:
Signature name                     Defense      Level             Actions
Fragment                           Disabled     low               L
Impossible                         Disabled     medium            L,D
Teardrop                           Disabled     medium            L,D
Tiny fragment                      Disabled     low               L
IP option abnormal                 Disabled     medium            L,D
Smurf                              Enabled      medium            L,D
Traceroute                         Disabled     low               L
Ping of death                      Disabled     medium            L,D
Large ICMP                         Disabled     info              L
  Max length                       4000 bytes
Large ICMPv6                       Disabled     info              L
  Max length                       4000 bytes
TCP invalid flags                  Enabled      medium            L
TCP null flag                      Enabled      medium            L
TCP all flags                      Enabled      medium            L
TCP SYN-FIN flags                  Enabled      medium            L
TCP FIN only flag                  Enabled      medium            L
TCP Land                           Disabled     medium            L,D
Winnuke                            Disabled     medium            L,D
UDP Bomb                           Disabled     medium            L,D
UDP Snork                          Disabled     medium            L,D
UDP Fraggle                        Disabled     medium            L,D
IP option record route             Disabled     info              L
IP option internet timestamp       Disabled     info              L
IP option security                 Disabled     info              L
IP option loose source routing     Disabled     info              L
IP option stream ID                Disabled     info              L
IP option strict source routing    Disabled     info              L
IP option route alert              Disabled     info              L
ICMP echo request                  Disabled     info              L
ICMP echo reply                    Disabled     info              L
ICMP source quench                 Disabled     info              L
ICMP destination unreachable       Disabled     info              L
ICMP redirect                      Disabled     info              L
ICMP time exceeded                 Disabled     info              L
ICMP parameter problem             Disabled     info              L
ICMP timestamp request             Disabled     info              L
ICMP timestamp reply               Disabled     info              L
ICMP information request           Disabled     info              L
ICMP information reply             Disabled     info              L
ICMP address mask request          Disabled     info              L
ICMP address mask reply            Disabled     info              L
ICMPv6 echo request                Disabled     info              L
ICMPv6 echo reply                  Disabled     info              L
ICMPv6 group membership query      Disabled     info              L
ICMPv6 group membership report     Disabled     info              L
ICMPv6 group membership reduction  Disabled     info              L
ICMPv6 destination unreachable     Disabled     info              L
ICMPv6 time exceeded               Disabled     info              L
ICMPv6 parameter problem           Disabled     info              L
ICMPv6 packet too big              Disabled     info              L

Scan attack defense configuration:
 Defense : Enabled
 Level   : low
 Actions : L

Flood attack defense configuration:
Flood type      Global thres(pps)  Global actions  Service ports   Non-specific
SYN flood       2000               L               -               Enabled
ACK flood       1000(default)      -               -               Disabled
SYN-ACK flood   1000(default)      -               -               Disabled
RST flood       1000(default)      -               -               Disabled
FIN flood       1000(default)      -               -               Disabled
UDP flood       1000(default)      -               -               Disabled
ICMP flood      1000(default)      -               -               Disabled
ICMPv6 flood    1000(default)      -               -               Disabled
DNS flood       1000(default)      -               53              Disabled
HTTP flood      1000(default)      -               80              Disabled

Flood attack defense for protected IP addresses:
 Address                 VPN instance Flood type    Thres(pps) Actions Ports
 192.168.2.1             --           SYN-FLOOD     5000       L,D     -

If the device receives TCP flag attack packets or scanning attack packets destined for itself, it outputs logs. If the device receives TCP SYN flood attack packets destined for the protected IP address 192.168.2.1, it outputs logs and drops the attack packets. If the device receives TCP SYN flood attack packets destined for itself rather than for the protected IP address, it only outputs logs.

# Display the attack detection and prevention statistics.

[Switch] display attack-defense statistics local
Attack policy name: a1
Slot 1:
Scan attack defense statistics:
 AttackType                          AttackTimes Dropped
 Port scan                           4           0
Flood attack defense statistics:
 AttackType                          AttackTimes Dropped
 No flood attacks detected.
Signature attack defense statistics:
 AttackType                          AttackTimes Dropped
 TCP invalid flags                   116         0
 TCP null flag                       709         0
 TCP all flags                       251         0
 TCP SYN-FIN flags                   46          0
 TCP FIN only flag                   130         0