CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Attack Defense

Networking Requirements

As shown in Figure 8-9, if a hacker on the LAN launches malformed packet attacks, packet fragment attacks, and flood attacks against RouterA, RouterA may break down. The administrator intends to deploy attack defense measures on RouterA to provide a secure network environment and keep services running normally.

Figure 8-9  Networking of attack defense

Configuration Roadmap

The following configurations are performed on RouterA. The configuration roadmap is as follows:

  1. Enable defense against malformed packet attacks.

  2. Enable defense against packet fragment attacks.

  3. Enable defense against packet flood attacks.

Procedure

  1. Enable defense against malformed packet attacks.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] anti-attack abnormal enable
    

  2. Enable defense against packet fragment attacks and limit the rate at which packet fragments are received to 15000 bit/s.

    [RouterA] anti-attack fragment enable
    [RouterA] anti-attack fragment car cir 15000

  3. Enable defense against flood attacks.

    # Enable defense against TCP SYN flood attacks and limit the rate at which TCP SYN flood packets are received to 15000 bit/s.

    [RouterA] anti-attack tcp-syn enable
    [RouterA] anti-attack tcp-syn car cir 15000
    

    # Enable defense against UDP flood attacks to discard UDP packets sent from specified ports.

    [RouterA] anti-attack udp-flood enable

    # Enable defense against ICMP flood attacks and limit the rate at which ICMP flood packets are received to 15000 bit/s.

    [RouterA] anti-attack icmp-flood enable
    [RouterA] anti-attack icmp-flood car cir 15000

  4. Verify the configuration.

    # After the configuration is complete, run the display anti-attack statistics command to view attack defense statistics.

    [RouterA] display anti-attack statistics
    Packets Statistic Information:                                                  
    ------------------------------------------------------------------------------- 
    AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum          
                 (H)        (L)        (H)        (L)        (H)        (L)         
    ------------------------------------------------------------------------------- 
    Abnormal      0          0          0          0          0          0          
    Fragment      0          0          0          0          0          0          
    Tcp-syn       0          34         0          28         0          6        
    Udp-flood     0          0          0          0          0          0          
    Icmp-flood    0          0          0          0          0          0          
    ------------------------------------------------------------------------------- 

    The Tcp-syn row shows that RouterA has discarded TCP SYN packets, indicating that the attack defense function is taking effect.
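
The verification step can be automated. The following is an added example, not part of the Huawei guide: it parses the `display anti-attack statistics` table shown above and reports which defense types are dropping packets. It assumes that (H) and (L) are the high and low 32-bit words of each counter; the function names are illustrative.

```python
import re

# Constructed sample: the table from the verification step above.
SAMPLE = """\
AntiAtkType  TotalPacketNum        DropPacketNum         PassPacketNum
             (H)        (L)        (H)        (L)        (H)        (L)
-------------------------------------------------------------------------------
Abnormal      0          0          0          0          0          0
Fragment      0          0          0          0          0          0
Tcp-syn       0          34         0          28         0          6
Udp-flood     0          0          0          0          0          0
Icmp-flood    0          0          0          0          0          0
-------------------------------------------------------------------------------
"""

# A data row is a type name followed by exactly six integer columns.
ROW = re.compile(r"^\s*([A-Za-z][\w-]*)((?:\s+\d+){6})\s*$")

def parse_stats(text):
    """Return {type: {'total', 'drop', 'pass'}} from the statistics table."""
    stats = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prompt, header, (H)/(L) legend or separator line
        name = m.group(1)
        th, tl, dh, dl, ph, pl = map(int, m.group(2).split())
        # Assumption: (H)/(L) are the high/low 32-bit words of one counter.
        stats[name] = {
            "total": (th << 32) | tl,
            "drop": (dh << 32) | dl,
            "pass": (ph << 32) | pl,
        }
    return stats

def dropping(stats):
    """Defense types with dropped packets, mapped to their drop ratio."""
    return {n: c["drop"] / c["total"] for n, c in stats.items() if c["drop"] and c["total"]}

def inconsistent(stats):
    """Rows where total != drop + pass (a sanity check inferred from the sample)."""
    return [n for n, c in stats.items() if c["total"] != c["drop"] + c["pass"]]

if __name__ == "__main__":
    parsed = parse_stats(SAMPLE)
    for name, ratio in dropping(parsed).items():
        print(f"{name}: {parsed[name]['drop']}/{parsed[name]['total']} dropped ({ratio:.1%})")
    print("inconsistent rows:", inconsistent(parsed))
```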

Configuration Files

RouterA configuration file

    #
    sysname RouterA
    #
    anti-attack fragment car cir 15000
    anti-attack tcp-syn car cir 15000
    anti-attack icmp-flood car cir 15000
    #
    return
Updated: 2019-05-20

Document ID: EDOC1100034236
