Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Attack Defense Configuration Commands

anti-attack abnormal enable

Function

The anti-attack abnormal enable command enables defense against malformed packet attacks.

The undo anti-attack abnormal enable command disables defense against malformed packet attacks.

The anti-attack abnormal disable command disables defense against malformed packet attacks.

By default, defense against malformed packet attacks is enabled.

Format

anti-attack abnormal enable

undo anti-attack abnormal enable

anti-attack abnormal disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a malformed packet attack, an attacker sends malformed IP packets to the system. Processing such packets can crash the system. To prevent the system from breaking down and to keep network services available, run the anti-attack abnormal enable command to enable defense against malformed packets.

The device detects malformed packets after defense against malformed packets is enabled.

The device directly discards packets of the following types:

  • Flood attacks from IP null payload packets

  • Attacks from IGMP null payload packets

  • LAND attacks

  • Smurf attacks

  • Attacks from packets with invalid TCP flag bits

Precautions

You can also run the anti-attack enable command in the system view to enable attack defense against all attack packets including malformed packets.

Example

# Enable defense against malformed packet attacks.

<Huawei> system-view
[Huawei] anti-attack abnormal enable

anti-attack enable

Function

The anti-attack enable command enables defense against all attack packets.

The undo anti-attack enable command disables defense against all attack packets.

The anti-attack disable command disables defense against all attack packets.

By default, defense against all attack packets is enabled.

Format

anti-attack enable

undo anti-attack enable

anti-attack disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Different types of attacks on a network cause high device usage or system breakdown, affecting network services. To prevent the system from breaking down and to ensure normal network services, run the anti-attack enable command to enable defense against all attack packets.

Precautions

Running the anti-attack enable command is equivalent to running all of the following commands:

  • anti-attack abnormal enable

  • anti-attack fragment enable

  • anti-attack icmp-flood enable

  • anti-attack tcp-syn enable

  • anti-attack udp-flood enable

URPF check is not included. It is configured separately with the anti-attack urpf command and is disabled by default.

Example

# Enable defense against all attack packets.

<Huawei> system-view
[Huawei] anti-attack enable

anti-attack fragment enable

Function

The anti-attack fragment enable command enables defense against packet fragment attacks.

The undo anti-attack fragment enable command disables defense against packet fragment attacks.

The anti-attack fragment disable command disables defense against packet fragment attacks.

By default, defense against packet fragment attacks is enabled.

Format

anti-attack fragment enable

undo anti-attack fragment enable

anti-attack fragment disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker sends erroneous packet fragments to a device, the device consumes a large amount of resources reassembling and processing them, affecting normal services. To prevent the system from breaking down and to ensure normal network services, run the anti-attack fragment enable command to enable defense against packet fragment attacks.

The device detects error packet fragments after defense against error packet fragments is enabled. If the device detects error packet fragments, the device limits the rate of these fragments to ensure that the device CPU works properly.

Precautions

You can also run the anti-attack enable command in the system view to enable attack defense against all attack packets including packet fragments.

Example

# Enable defense against packet fragment attacks.

<Huawei> system-view
[Huawei] anti-attack fragment enable

anti-attack fragment car

Function

The anti-attack fragment car command sets the rate limit of packet fragments.

The undo anti-attack fragment car command restores the default rate limit of packet fragments.

By default, the rate limit of packet fragments is 155000000 bit/s.

Format

anti-attack fragment car cir cir

undo anti-attack fragment car

Parameters

Parameter

Description

Value

cir cir

Specifies the committed information rate (CIR) of packet fragments.

The value is an integer that ranges from 8000 to 155000000, in bit/s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After defense against packet fragment attacks is enabled, run the anti-attack fragment car command to set the rate limit of packet fragments. If the rate of received packet fragments exceeds the rate limit, the device discards excess packet fragments to ensure that the device CPU works properly.

Prerequisites

Defense against packet fragment attacks has been enabled using the anti-attack fragment enable command.

Example

# Set the rate limit of packet fragments to 8000 bit/s.

<Huawei> system-view
[Huawei] anti-attack fragment enable
[Huawei] anti-attack fragment car cir 8000

anti-attack icmp-flood enable

Function

The anti-attack icmp-flood enable command enables defense against ICMP flood attacks.

The undo anti-attack icmp-flood enable command disables defense against ICMP flood attacks.

The anti-attack icmp-flood disable command disables defense against ICMP flood attacks.

By default, defense against ICMP flood attacks is enabled.

Format

anti-attack icmp-flood enable

undo anti-attack icmp-flood enable

anti-attack icmp-flood disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker sends a large number of ICMP request packets to the target host in a short time, the target host is busy with these ICMP request packets. As a result, the target host is overloaded and cannot process normal services. To prevent ICMP flood attacks, run the anti-attack icmp-flood enable command to enable defense against ICMP flood attacks.

The device detects ICMP flood attack packets after defense against ICMP flood attacks is enabled. If the device detects ICMP flood attack packets, the device limits the rate of these ICMP flood attack packets to ensure that the device CPU works properly.

Precautions

You can also run the anti-attack enable command in the system view to enable attack defense against all attack packets including ICMP flood attack packets.

Example

# Enable defense against ICMP flood attacks.

<Huawei> system-view
[Huawei] anti-attack icmp-flood enable

anti-attack icmp-flood car

Function

The anti-attack icmp-flood car command sets the rate limit of ICMP flood attack packets.

The undo anti-attack icmp-flood car command restores the default rate limit of ICMP flood attack packets.

By default, the rate limit of ICMP flood attack packets is 155000000 bit/s.

Format

anti-attack icmp-flood car cir cir

undo anti-attack icmp-flood car

Parameters

Parameter

Description

Value

cir cir

Specifies the committed information rate (CIR) of ICMP flood attack packets.

The value is an integer that ranges from 8000 to 155000000, in bit/s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After defense against ICMP flood attacks is enabled, run the anti-attack icmp-flood car command to set the rate limit of ICMP flood attack packets. If the rate of received ICMP flood attack packets exceeds the rate limit, the device discards excess ICMP flood attack packets to ensure that its CPU works properly.

Prerequisites

Defense against ICMP flood attacks has been enabled using the anti-attack icmp-flood enable command.

Example

# Set the rate limit of ICMP flood attack packets to 8000 bit/s.

<Huawei> system-view
[Huawei] anti-attack icmp-flood enable
[Huawei] anti-attack icmp-flood car cir 8000

anti-attack tcp-syn enable

Function

The anti-attack tcp-syn enable command enables defense against TCP SYN flood attacks.

The undo anti-attack tcp-syn enable command disables defense against TCP SYN flood attacks.

The anti-attack tcp-syn disable command disables defense against TCP SYN flood attacks.

By default, defense against TCP SYN flood attacks is enabled.

Format

anti-attack tcp-syn enable

undo anti-attack tcp-syn enable

anti-attack tcp-syn disable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An attacker sends a SYN packet to a target host to initiate a TCP connection but never answers the SYN-ACK the target sends back. Because no ACK arrives, the target keeps waiting for it and the connection stays half-open. The attacker keeps sending SYN packets, so many half-open connections accumulate on the target host and consume a large amount of its resources. To prevent TCP SYN flood attacks, run the anti-attack tcp-syn enable command to enable defense against TCP SYN flood attacks.

The device detects TCP SYN flood attack packets after defense against TCP SYN flood attacks is enabled. If the device detects TCP SYN flood attack packets, the device limits the rate of these TCP SYN flood attack packets to ensure that the device CPU works properly.

Precautions

You can also run the anti-attack enable command in the system view to enable attack defense against all attack packets including TCP SYN flood attack packets.

Example

# Enable defense against TCP SYN flood attacks.

<Huawei> system-view
[Huawei] anti-attack tcp-syn enable

anti-attack tcp-syn car

Function

The anti-attack tcp-syn car command sets the rate limit at which TCP SYN packets are received.

The undo anti-attack tcp-syn car command restores the default rate limit at which TCP SYN packets are received.

By default, the rate limit at which TCP SYN packets are received is 155000000 bit/s.

Format

anti-attack tcp-syn car cir cir

undo anti-attack tcp-syn car

Parameters

Parameter

Description

Value

cir cir

Specifies the committed information rate (CIR) at which TCP SYN packets are received.

The value is an integer that ranges from 8000 to 155000000, in bit/s.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After defense against TCP SYN flood attacks is enabled, run the anti-attack tcp-syn car command to set the rate limit at which TCP SYN packets are received. If the rate of received TCP SYN attack packets exceeds the rate limit, the device discards excess TCP SYN flood attack packets to ensure that the device CPU works properly.

Prerequisites

Defense against TCP SYN flood attacks has been enabled using the anti-attack tcp-syn enable command.

Example

# Set the rate limit at which TCP SYN packets are received to 8000 bit/s.

<Huawei> system-view
[Huawei] anti-attack tcp-syn enable
[Huawei] anti-attack tcp-syn car cir 8000
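The fragment, icmp-flood and tcp-syn car commands above all express their limit as a committed information rate (CIR) in bit/s, so the number of packets per second that survive depends on packet size. The following Python model, added here as an illustration and not Huawei code or the device's actual implementation, applies a single-rate token bucket with the page's cir value to a constructed packet stream and shows how many minimum-size SYNs get through at cir 8000 versus the default 155000000. The bucket depth (cbs_bits) is an assumption, since the page exposes no burst parameter; the traffic samples are constructed.

```python
def car_filter(packets, cir_bps, cbs_bits=None):
    """Apply a single-rate token-bucket CAR and return (passed, dropped) counts.

    packets : list of (timestamp_ms, size_bytes), in any order.
    cir_bps : committed information rate in bit/s (the page's 'cir' value).
    cbs_bits: bucket depth in bits. Assumption, not a page parameter; defaults to
              one second's worth of CIR so a short burst is tolerated.
    Integer arithmetic throughout so results are exact and reproducible.
    """
    if cbs_bits is None:
        cbs_bits = cir_bps
    tokens = cbs_bits          # bucket starts full
    passed = dropped = 0
    last_ms = None
    for t_ms, size in sorted(packets):
        if last_ms is not None:
            # refill for the elapsed time, never above the bucket depth
            tokens = min(cbs_bits, tokens + (t_ms - last_ms) * cir_bps // 1000)
        last_ms = t_ms
        bits = size * 8
        if bits <= tokens:
            tokens -= bits
            passed += 1
        else:
            dropped += 1       # excess packets are discarded, as the page describes
    return passed, dropped


def steady_state_pps(cir_bps, size_bytes):
    """Packets per second the CIR admits once the bucket has drained."""
    return cir_bps / (size_bytes * 8)


# Constructed traffic (not a capture): 200 minimum-size (64-byte) SYNs in one
# second, 5 ms apart, i.e. a small SYN flood aimed at the device.
SYN_FLOOD = [(i * 5, 64) for i in range(200)]

# Constructed traffic: 10 SYNs 100 ms apart, a normal connection rate.
NORMAL_SYNS = [(i * 100, 64) for i in range(10)]

if __name__ == "__main__":
    print("cir 8000, flood:", car_filter(SYN_FLOOD, 8000))
    print("cir 8000, normal:", car_filter(NORMAL_SYNS, 8000))
    print("cir 155000000, flood:", car_filter(SYN_FLOOD, 155000000))
    print("steady-state 64-byte pps at cir 8000:", steady_state_pps(8000, 64))
```

At cir 8000 the bucket admits the first 16 packets of the burst and then only about one every 13 packets, roughly the 15.6 packets per second that 8000 bit/s buys for 64-byte frames, while normally spaced SYNs are untouched. That is the trade-off to keep in mind before choosing the minimum value of 8000 on a device that terminates real TCP sessions (management, VPN, BGP): the limit applies to legitimate SYNs too.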

anti-attack udp-flood enable

Function

The anti-attack udp-flood enable command enables defense against UDP flood attacks.

The undo anti-attack udp-flood enable command disables defense against UDP flood attacks.

By default, defense against UDP flood attacks is enabled.

Format

anti-attack udp-flood enable

undo anti-attack udp-flood enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an attacker sends a large number of UDP packets to the target host in a short time, the target host is busy with these UDP packets. As a result, the target host is overloaded and cannot process normal services. To prevent UDP flood attacks, run the anti-attack udp-flood enable command to enable defense against UDP flood attacks.

The device detects UDP flood attack packets after defense against UDP flood attacks is enabled. The device directly discards UDP flood attack packets.

Precautions

You can also run the anti-attack enable command in the system view to enable attack defense against all attack packets including UDP flood attack packets.

Example

# Enable defense against UDP flood attacks.

<Huawei> system-view
[Huawei] anti-attack udp-flood enable

anti-attack urpf

Function

The anti-attack urpf command enables unicast reverse path forwarding (URPF) check, which drops packets whose source address is not reachable through the expected path and so defends against source address spoofing.

The undo anti-attack urpf command disables URPF.

By default, URPF is disabled.

Format

anti-attack urpf { loose | strict } [ allow-default-route ] [ acl acl-number ]

undo anti-attack urpf

Parameters

Parameter

Description

Value

loose

Indicates URPF loose check.

-

strict

Indicates URPF strict check.

-

allow-default-route

Allows special processing of default routes.

-

acl acl-number

Specifies the number of the ACL applied to the URPF check.

The number is an integer ranging from 2000 to 3999. A basic ACL uses 2000 to 2999; an advanced ACL uses 3000 to 3999.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

URPF looks up the source address of each received packet in the forwarding table. In loose mode, a packet passes the check as long as the forwarding table contains a route to its source address, even if the interface that received the packet is not the outbound interface of that route. In strict mode, a packet passes only when the forwarding table contains a route to its source address and the interface that received the packet is the outbound interface of that route. Use strict mode where routing is symmetric; where asymmetric routing exists, strict mode drops legitimate traffic and loose mode is the safer choice.
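The difference between the two modes is easiest to see by running the check over a small forwarding table. The following Python model is an added example, not Huawei code or the device's implementation: it performs a longest-prefix lookup of the source address and applies the loose or strict rule. The forwarding table, interface names and packets are constructed. The page says only that allow-default-route "allows special processing of default routes", so the model assumes that a source reachable only via the default route is treated as unroutable unless that keyword is given. The acl parameter is not modelled because the page does not define its semantics.

```python
import ipaddress

# Hypothetical forwarding table: (destination prefix, outbound interface).
FIB = [
    ("10.1.0.0/16", "GigabitEthernet0/0/1"),
    ("10.2.0.0/16", "GigabitEthernet0/0/2"),
    ("0.0.0.0/0",   "GigabitEthernet0/0/3"),   # default route
]


def lookup_route(fib, src_ip):
    """Longest-prefix match of the packet's source address; None when no route covers it."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(fib, src_ip, in_iface, mode, allow_default_route=False):
    """Return True if the packet passes URPF, False if it should be dropped.

    loose : pass if any route to the source address exists.
    strict: pass only if that route's outbound interface is the receiving interface.
    Assumption (not stated on the page): a source matched only by the default route
    counts as unroutable unless allow_default_route is True.
    """
    if mode not in ("loose", "strict"):
        raise ValueError("mode must be 'loose' or 'strict'")
    match = lookup_route(fib, src_ip)
    if match is None:
        return False                      # no route to the source at all
    net, out_iface = match
    if net.prefixlen == 0 and not allow_default_route:
        return False                      # only the default route covers it
    if mode == "loose":
        return True
    return out_iface == in_iface          # strict: reverse path must match


def filter_packets(fib, packets, mode, allow_default_route=False):
    """Split (src_ip, in_iface) tuples into (passed, dropped) lists, order preserved."""
    passed, dropped = [], []
    for pkt in packets:
        ok = urpf_check(fib, pkt[0], pkt[1], mode, allow_default_route)
        (passed if ok else dropped).append(pkt)
    return passed, dropped


# Constructed packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("10.1.5.5",  "GigabitEthernet0/0/1"),   # legitimate: arrives on the route's interface
    ("10.1.5.5",  "GigabitEthernet0/0/2"),   # spoofed: 10.1.0.0/16 is not behind GE0/0/2
    ("192.0.2.7", "GigabitEthernet0/0/3"),   # covered only by the default route
]

if __name__ == "__main__":
    for mode in ("loose", "strict"):
        for allow in (False, True):
            p, d = filter_packets(FIB, SAMPLE_PACKETS, mode, allow)
            print(f"{mode:6} allow-default-route={allow}: pass={len(p)} drop={len(d)}")
```

Strict mode is the only setting that catches the second packet, whose source prefix is legitimate but arrives on the wrong interface; loose mode accepts it because the route exists. Both modes drop the third packet unless allow-default-route is configured, which is the case to check before enabling URPF on an interface that carries Internet-sourced traffic reachable only via a default route.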

Example

# Enable strict URPF check referencing basic ACL 2999, and allow special processing of default routes.

<Huawei> system-view
[Huawei] anti-attack urpf strict allow-default-route acl 2999

display anti-attack statistics

Function

The display anti-attack statistics command displays statistics about attack packets of a specified type.

If no parameter is specified, the display anti-attack statistics command displays statistics about attack packets of all types.

Format

display anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood | urpf ]

Parameters

Parameter

Description

Value

abnormal

Displays statistics about malformed packets.

-

fragment

Displays statistics about defense against packet fragments.

-

tcp-syn

Displays statistics about defense against TCP SYN flood attacks.

-

udp-flood

Displays statistics about defense against UDP flood attacks.

-

icmp-flood

Displays statistics about defense against ICMP flood attacks.

-

urpf

Displays the statistics about URPF check.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display anti-attack statistics command displays statistics on packets handled by each attack defense type: URPF check, malformed packet attack, packet fragment attack, TCP SYN flood attack, UDP flood attack, and ICMP flood attack. A nonzero DropPacketNum for a type means that defense is actively discarding traffic.

Example

# Display attack defense statistics.

<Huawei> display anti-attack statistics
Packets Statistic Information:                                                  
------------------------------------------------------------------------------- 
AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum          
             (H)        (L)        (H)        (L)        (H)        (L)         
------------------------------------------------------------------------------- 
URPF          0          1088       0          0          0          1088 
Abnormal      0          0          0          0          0          0          
Fragment      0          0          0          0          0          0          
Tcp-syn       0          58         0          0          0          58         
Udp-flood     0          0          0          0          0          0          
Icmp-flood    0          0          0          0          0          0          
------------------------------------------------------------------------------- 
Table 14-90  Description of the display anti-attack statistics command output

Item

Description

AntiAtkType

Attack defense type:

  • URPF: URPF check

  • Abnormal: defense against malformed packets

  • Fragment: defense against packet fragments

  • Tcp-syn: defense against TCP SYN flood attacks

  • Udp-flood: defense against UDP flood attacks

  • Icmp-flood: defense against ICMP flood attacks

TotalPacketNum

Total number of packets.

DropPacketNum

Number of discarded packets.

PassPacketNum

Number of forwarded packets.

(H)

High-order part of the counter value. Each counter is displayed as two halves.

(L)

Low-order part of the counter value.
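When this output is collected by a monitoring script, the (H) and (L) halves have to be recombined and the DropPacketNum column compared against zero. The following Python parser is an added example, not Huawei code: it reads the output shown above, recombines each counter, and lists the defense types that have discarded packets. It assumes the (H) and (L) columns are the upper and lower 32 bits of a 64-bit counter, which the page does not state; the second sample output is constructed to show a counter whose low-order half has wrapped.

```python
import re

# Output copied from the page's display anti-attack statistics example.
PAGE_OUTPUT = """\
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum
             (H)        (L)        (H)        (L)        (H)        (L)
-------------------------------------------------------------------------------
URPF          0          1088       0          0          0          1088
Abnormal      0          0          0          0          0          0
Fragment      0          0          0          0          0          0
Tcp-syn       0          58         0          0          0          58
Udp-flood     0          0          0          0          0          0
Icmp-flood    0          0          0          0          0          0
-------------------------------------------------------------------------------
"""

# Constructed sample (not from a real device): a SYN flood in progress, with a
# TotalPacketNum whose low-order half has wrapped once (H = 1).
CONSTRUCTED_OUTPUT = """\
AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum
             (H)        (L)        (H)        (L)        (H)        (L)
URPF          0          1088       0          0          0          1088
Tcp-syn       1          5          0          4000       0          4294963301
Udp-flood     0          0          0          0          0          0
"""

# A data row is a type name followed by exactly six integers; title, header
# and separator lines do not match this pattern and are skipped.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def combine(high, low):
    """Assumption: (H) and (L) are the upper and lower 32 bits of one 64-bit counter."""
    return (high << 32) | low


def parse_anti_attack_statistics(text):
    """Return {AntiAtkType: {'total': n, 'drop': n, 'pass': n}} for each data row."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name = m.group(1)
        th, tl, dh, dl, ph, pl = (int(x) for x in m.groups()[1:])
        stats[name] = {
            "total": combine(th, tl),
            "drop": combine(dh, dl),
            "pass": combine(ph, pl),
        }
    return stats


def types_with_drops(stats):
    """Names of defense types that have discarded at least one packet, sorted."""
    return sorted(name for name, c in stats.items() if c["drop"] > 0)


def drop_ratio(stats, name):
    """Fraction of packets of this type that were discarded (0.0 when none were seen)."""
    c = stats[name]
    return c["drop"] / c["total"] if c["total"] else 0.0


if __name__ == "__main__":
    for label, text in (("page", PAGE_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        stats = parse_anti_attack_statistics(text)
        print(label, "dropping:", types_with_drops(stats) or "nothing")
```

Run against a series of snapshots, the difference in DropPacketNum between two polls is the useful signal; the absolute counters only grow until reset anti-attack statistics is run, so a one-off nonzero value may be stale.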

reset anti-attack statistics

Function

The reset anti-attack statistics command clears attack defense statistics.

Format

reset anti-attack statistics [ abnormal | fragment | tcp-syn | udp-flood | icmp-flood | urpf ]

Parameters

Parameter

Description

Value

abnormal

Clears statistics about defense against malformed packets.

-

fragment

Clears statistics about defense against packet fragments.

-

tcp-syn

Clears statistics about defense against TCP SYN flood attacks.

-

udp-flood

Clears statistics about defense against UDP flood attacks.

-

icmp-flood

Clears statistics about defense against ICMP flood attacks.

-

urpf

Clears statistics about URPF check.

-

Views

All views

Default Level

2: Configuration level

Usage Guidelines

If no attack defense is specified, statistics about all types of attack defense are cleared.

The cleared statistics cannot be restored. Exercise caution when you use the command.

Example

# Clear statistics about defense against malformed packets.

<Huawei> reset anti-attack statistics abnormal
Updated: 2019-02-18

Document ID: EDOC1000097293
