Configuring syn flood detection – H3C Technologies H3C SecPath F1000-E User Manual
Page 25
17
Item
Description
Global Configuration
of Security Zone
Action Threshold
Set the protection action threshold for DNS flood attacks that
target a host in the protected security zone.
If the sending rate of DNS query requests destined for a host in
the security zone constantly reaches or exceeds this threshold,
the firewall enters all extra requests and logs the event.
NOTE:
Host-specific settings take precedence over the global settings for security zones.
Configuring SYN flood detection
NOTE:
SYN flood detection is mainly intended to protect servers and is usually configured for an internal zone.
From the navigation tree, select Intrusion Detection > Traffic Abnormality > SYN Flood to enter the SYN
flood detection configuration page, as shown in
. You can select a security zone and then view
and configure SYN flood detection rules for the security zone.
Figure 17 SYN flood detection configuration page
To configure SYN flood detection, follow these steps:
1.
In the Attack Prevention Policy area, specify the protection actions to be taken upon detection of a
SYN flood attack. If you do not select any option, the firewall only collects SYN flood attack
statistics. The available protection actions include:
{
Discard packets when the specified attack is detected. If detecting that a protected object in the
security zone is under SYN flood attack, the firewall drops the TCP connection requests to the
protected host to block subsequent TCP connections.
{
Add protected IP entry to TCP Proxy. If detecting that a protected object in the security zone is
under SYN flood attack, the firewall adds the target IP address to the protected IP list on the TCP
proxy as a dynamic one, setting the port number as any. If TCP proxy is configured for the