Configuring an HTTP flood attack defense policy
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter attack defense policy view.
  Command: attack-defense policy policy-name
  Remarks: N/A

Step 3. Enable global HTTP flood attack detection.
  Command: http-flood detect non-specific
  Remarks: By default, global HTTP flood attack detection is disabled.

Step 4. Set the global trigger threshold for HTTP flood attack prevention.
  Command: http-flood threshold threshold-value
  Remarks: The default setting is 1000.

Step 5. (Optional.) Specify the global ports to be protected against HTTP flood attacks.
  Command: http-flood port port-list
  Remarks: By default, HTTP flood attack prevention protects port 80.

Step 6. Specify global actions against HTTP flood attacks.
  Command: http-flood action { drop | logging } *
  Remarks: By default, no global action is specified for HTTP flood attacks.

Step 7. Configure IP address-specific HTTP flood attack detection.
  Command: http-flood detect { ip ip-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-list ] [ threshold threshold-value ] [ action { drop | logging } * ]
  Remarks: By default, IP address-specific HTTP flood attack detection is not configured.
Configuring attack detection exemption
The attack defense policy uses an ACL to identify exempted packets: packets permitted by the ACL are not checked by the policy. Configure the ACL to match packets from trusted hosts. Exemption reduces the false alarm rate and improves packet processing efficiency.
To configure attack detection exemption:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter attack defense policy view.
  Command: attack-defense policy policy-name
  Remarks: N/A

Step 3. Configure attack detection exemption.
  Command: exempt acl [ ipv6 ] { acl-number | name acl-name }
  Remarks: By default, the attack defense policy applies to all packets destined for the device.
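The following session combines the two procedures above (HTTP flood defense and detection exemption) into one policy. It is an added example, not taken from the guide; the policy name web-protect, the ACL number 2001, the addresses, ports, thresholds and the prompt strings are assumed values.

```console
# Constructed example; names, addresses and prompts are assumed, not from the guide.
<Sysname> system-view
# Basic ACL matching the trusted management subnet; packets it permits bypass the policy checks.
[Sysname] acl basic 2001
[Sysname-acl-ipv4-basic-2001] rule permit source 10.1.1.0 0.0.0.255
[Sysname-acl-ipv4-basic-2001] quit
# Create the policy and enter its view.
[Sysname] attack-defense policy web-protect
# Global HTTP flood detection: raise the trigger threshold above the default of 1000 requests.
[Sysname-attack-defense-policy-web-protect] http-flood detect non-specific
[Sysname-attack-defense-policy-web-protect] http-flood threshold 2000
# Protect port 80 (the default) and an alternate HTTP port.
[Sysname-attack-defense-policy-web-protect] http-flood port 80 8080
# Both actions may be combined: drop the excess packets and log the event.
[Sysname-attack-defense-policy-web-protect] http-flood action drop logging
# A stricter, log-only rule for one specific server address and port overrides the global setting for that host.
[Sysname-attack-defense-policy-web-protect] http-flood detect ip 192.168.10.20 port 8080 threshold 500 action logging
# Exempt traffic from the trusted subnet identified by ACL 2001.
[Sysname-attack-defense-policy-web-protect] exempt acl 2001
[Sysname-attack-defense-policy-web-protect] quit
```

The policy has no effect until it is applied to the device, which is the subject of the next procedure.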
Applying an attack defense policy to the device
An attack defense policy applied to the device itself detects packets destined for the device and prevents attacks targeted at the device.
A switch forwards transit packets in hardware and processes packets destined for the switch itself in software. The software path does not provide any attack defense features on its own, so you must apply an attack defense policy to the switch to prevent attacks aimed at the switch.
To apply an attack defense policy to the device: