917
Default
IP address-specific SYN-ACK flood attack detection is not configured.
Views
Attack defense policy view
Predefined user roles
network-admin
Parameters
ip
ipv4-address
: Specifies the IPv4 address to be protected. The
ipv4-address
argument cannot be
255.255.255.255 or 0.0.0.0.
ipv6
ipv6-address
: Specifies the IPv6 address to be protected.
vpn-instance vpn-instance-name
: Specifies the MPLS L3VPN instance to which the protected IP
address belongs. The
vpn-instance-name
argument is a case-sensitive string of 1 to 31 characters.
Do not specify this option if the protected IP address is on the public network.
threshold
threshold-value
: Specifies the threshold for triggering SYN-ACK flood attack prevention.
The value range is 1 to 1000000 in units of SYN-ACK packets sent to the specified IP address per
second.
action
: Specifies the actions when a SYN-ACK flood attack is detected. If no action is specified, the
global actions set by the
syn-ack-flood action
command apply.
client-verify
: Adds the victim IP addresses to the protected IP list for TCP client verification. If TCP
client verification is enabled, the device provides proxy services for protected servers.
drop
: Drops subsequent SYN-ACK packets destined for the protected IP address.
logging
: Enables logging for SYN-ACK flood attack events.
none
: Takes no action.
Usage guidelines
With SYN-ACK flood attack detection configured for an IP address, the device is in attack detection
state. When the sending rate of SYN-ACK packets to the IP address reaches the threshold, the
device enters prevention state and takes the specified actions. When the rate is below the silence
threshold (three-fourths of the threshold), the device returns to the attack detection state.
Examples
# Configure SYN-ACK flood attack detection for 192.168.1.2 in the attack defense policy
atk-policy-1
.
<Sysname> system-view
[Sysname] attack-defense policy atk-policy-1
[Sysname-attack-defense-policy-atk-policy-1] syn-ack-flood detect ip 192.168.1.2
threshold 2000
Related commands
syn-ack-flood action
syn-ack-flood detect non-specific
syn-ack-flood threshold
syn-ack-flood detect non-specific
Use
syn-ack-flood detect non-specific
to enable global SYN-ACK flood attack detection.
Use
undo syn-ack-flood detect non-specific
to disable global SYN-ACK flood attack detection.
Summary of Contents for FlexNetwork MSR Series
Page 1005: ...987 ...