Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Configuring Attack Defense

Networking Requirements

As shown in Figure 5-9, an attacker on the LAN can launch malformed packet attacks, packet fragment attacks, and flood attacks against SwitchA; processing this traffic may cause SwitchA to crash or stop forwarding. The administrator intends to deploy attack defense measures on SwitchA to provide a secure network environment and ensure that normal services continue.

Figure 5-9  Networking of attack defense

Configuration Roadmap

The following configurations are performed on SwitchA. The configuration roadmap is as follows:

  1. Enable defense against malformed packet attacks.

  2. Enable defense against packet fragment attacks.

  3. Enable defense against packet flood attacks.

Procedure

  1. Enable defense against malformed packet attacks.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] anti-attack abnormal enable
    

  2. Enable defense against packet fragment attacks and set the rate limit at which packet fragments are received to 15000 bit/s.

    [SwitchA] anti-attack fragment enable
    [SwitchA] anti-attack fragment car cir 15000

  3. Enable defense against flood attacks.

    # Enable defense against TCP SYN flood attacks and set the rate limit at which TCP SYN flood packets are received to 15000 bit/s.

    [SwitchA] anti-attack tcp-syn enable
    [SwitchA] anti-attack tcp-syn car cir 15000
    

    # Enable defense against UDP flood attacks. With this function enabled, the switch discards UDP packets destined for a fixed set of ports; unlike the TCP SYN and ICMP flood defenses, no rate limit (CAR) is configured for it.

    [SwitchA] anti-attack udp-flood enable

    # Enable defense against ICMP flood attacks and set the rate limit at which ICMP flood packets are received to 15000 bit/s.

    [SwitchA] anti-attack icmp-flood enable
    [SwitchA] anti-attack icmp-flood car cir 15000

  4. Verify the configuration.

    # After the configuration is complete, run the display anti-attack statistics command to view attack defense statistics.

    [SwitchA] display anti-attack statistics
    Packets Statistic Information:                                                  
    ------------------------------------------------------------------------------- 
    AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum          
                 (H)        (L)        (H)        (L)        (H)        (L)         
    ------------------------------------------------------------------------------- 
    URPF          0          0          0          0          0          0
    Abnormal      0          0          0          0          0          0
    Fragment      0          0          0          0          0          0
    Tcp-syn       0          34         0          28         0          6
    Udp-flood     0          0          0          0          0          0
    Icmp-flood    0          0          0          0          0          0
    ------------------------------------------------------------------------------- 

    The Tcp-syn row shows 34 TCP SYN packets received, 28 discarded and 6 passed, so defense against TCP SYN flood attacks and its CIR are taking effect. The (H) and (L) columns are the high and low 32-bit halves of each 64-bit counter; at the packet counts seen here only the (L) column is non-zero. Run the command again after an interval: during an attack the DropPacketNum value of the affected row keeps growing while PassPacketNum grows only at the configured rate.
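The verification step above reads the statistics by eye. The following Python script, added here as an example and not part of Huawei's documentation or software, parses the output of display anti-attack statistics so that a polling job can tell which defenses are dropping packets and alert when drops grow between two polls. It assumes the table layout shown on this page (a type name followed by six integer columns, the (H) and (L) columns being the high and low 32-bit halves of each counter); SAMPLE_OUTPUT is constructed from the page's own table, and the function and class names are the example's own.

```python
"""Parse 'display anti-attack statistics' output from a Huawei S-series switch.

Added example, not Huawei code. Assumes the six-column (H)/(L) layout shown
on this page; SAMPLE_OUTPUT is constructed from the page's verification table.
"""
import re
from dataclasses import dataclass

# Constructed sample: the verification output shown on this page.
SAMPLE_OUTPUT = """\
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum
             (H)        (L)        (H)        (L)        (H)        (L)
-------------------------------------------------------------------------------
URPF          0          0          0          0          0          0
Abnormal      0          0          0          0          0          0
Fragment      0          0          0          0          0          0
Tcp-syn       0          34         0          28         0          6
Udp-flood     0          0          0          0          0          0
Icmp-flood    0          0          0          0          0          0
-------------------------------------------------------------------------------
"""

# A data row: a type name followed by exactly six integer columns.
# Header, (H)/(L) and ruler lines do not match and are skipped.
_ROW = re.compile(r"^\s*([A-Za-z][\w-]*)" + r"\s+(\d+)" * 6 + r"\s*$")


@dataclass(frozen=True)
class Counters:
    total: int
    dropped: int
    passed: int

    @property
    def drop_ratio(self) -> float:
        """Fraction of received packets that the defense discarded."""
        return self.dropped / self.total if self.total else 0.0


def _join32(high: int, low: int) -> int:
    """Recombine the (H) and (L) words into one 64-bit counter (assumption)."""
    return (high << 32) | low


def parse_anti_attack_statistics(output: str) -> dict[str, Counters]:
    """Return {AntiAtkType: Counters} for every data row in the output."""
    stats: dict[str, Counters] = {}
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        name, *words = m.groups()
        th, tl, dh, dl, ph, pl = map(int, words)
        stats[name] = Counters(_join32(th, tl), _join32(dh, dl), _join32(ph, pl))
    return stats


def defenses_with_drops(stats: dict[str, Counters]) -> list[str]:
    """Names of the defenses that have discarded at least one packet."""
    return sorted(name for name, c in stats.items() if c.dropped > 0)


def drop_deltas(previous: dict[str, Counters],
                current: dict[str, Counters]) -> dict[str, int]:
    """Increase in dropped packets per type between two polls.

    A counter that went backwards means the statistics were cleared or the
    switch rebooted; report the current value instead of a negative number.
    """
    deltas = {}
    for name, cur in current.items():
        prev = previous.get(name, Counters(0, 0, 0)).dropped
        deltas[name] = cur.dropped if cur.dropped < prev else cur.dropped - prev
    return deltas


if __name__ == "__main__":
    stats = parse_anti_attack_statistics(SAMPLE_OUTPUT)
    for name in defenses_with_drops(stats):
        c = stats[name]
        print(f"{name}: {c.dropped}/{c.total} dropped ({c.drop_ratio:.0%})")
```

In a polling job, keep the previous poll's dictionary and feed both to drop_deltas; a non-zero delta for Abnormal or Fragment is worth an alert on its own, because those rows should stay at zero on a healthy LAN, while a steady small delta for Tcp-syn under a tight CIR may just be the rate limiter doing its job.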

Configuration Files

SwitchA configuration file

#
sysname SwitchA
#                                                                               
anti-attack fragment car cir 15000                                              
anti-attack tcp-syn car cir 15000                                               
anti-attack icmp-flood car cir 15000   
#
return

Only the three non-default CIR values are written to the configuration file. The anti-attack ... enable commands from the procedure are the switch's default settings and therefore do not appear here; when auditing a switch, do not take their absence from the saved configuration as a sign that the defenses are disabled. Confirm with display anti-attack statistics instead.
Updated: 2019-04-01

Document ID: EDOC1000178319
