
Example for Configuring Local Attack Defense

Applicability
This example applies to all versions and routers.
Networking Requirements
As shown in Figure 1, users on different LANs access the Internet through Router A. To locate
attacks on Router A, attack source tracing needs to be configured to trace the attack source. The
following situations occur:
- A user on network segment Net1 frequently initiates attacks to Router A.
- The attacker sends a large number of ARP Request packets, degrading CPU
  performance.
- The administrator needs to upload files to Router A using FTP. However, no FTP
  connection has been set up between the administrator's host and Router A.
- Most LAN users obtain IP addresses through DHCP, whereas Router A does not first
  process DHCP client packets sent to the CPU.
Configurations should be performed on Router A to solve the preceding problems.
NOTE
This section provides only the configuration procedures related to local attack defense.
For details about routing configurations, see the Configuration Guide - IP Routing.
Figure 1 Networking diagram of attack defense policy configurations

Procedure
1. Configure the router.
#
acl number 4001  //Configure the ACL to be referenced by the blacklist of local attack defense.
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety  //Create a local attack defense policy.
 auto-defend enable  //Enable the attack source tracing capability.
 auto-defend threshold 50  //Set the attack source tracing threshold to 50 pps.
 blacklist 1 acl 4001  //Specify the blacklist.
 packet-type arp-request rate-limit 64  //Set the rate limit for ARP request packets sent to the CPU to 64 pps.
 application-apperceive packet-type ftp rate-limit 2000  //Set the rate limit for FTP packets to 2000 pps.
 packet-type dhcp-client priority 3  //Set the priority of the DHCP-client packets sent to the CPU to 3.
#
cpu-defend-policy devicesafety  //Apply the attack defense policy to the MPU.
#
return
2. Verify the configuration.
Run the display cpu-defend policy command on Router A to view information about the
attack defense policy.
Run the display cpu-defend configuration command on Router A to view the rate limit on
protocol packets.
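
An offline consistency check for the configuration in step 1, added here as an example and not part of the original Huawei document: it parses a saved configuration and reports a cpu-defend policy that is never applied, a blacklist that references an ACL the file does not define, or a tracing threshold set without auto-defend enable. The function names and the three checks are assumptions made for illustration; the sample text is the configuration from step 1 with its annotations removed.

```python
# Configuration from step 1 of this example, annotations removed.
SAMPLE = """\
#
acl number 4001
 rule 5 permit source-mac 0001-c0a8-0102
#
cpu-defend policy devicesafety
 auto-defend enable
 auto-defend threshold 50
 blacklist 1 acl 4001
 packet-type arp-request rate-limit 64
 application-apperceive packet-type ftp rate-limit 2000
 packet-type dhcp-client priority 3
#
cpu-defend-policy devicesafety
#
return
"""

def parse(config):  # '#'-delimited configuration -> {header: [sub-commands]}
    sections, header = {}, None
    for raw in config.splitlines():
        line = raw.split("//")[0].rstrip()   # drop '//' annotations
        if line.strip() in ("", "#", "return"):
            header = None
        elif not line.startswith(" "):       # unindented line opens a view
            header = line
            sections[header] = []
        elif header is not None:             # indented line belongs to it
            sections[header].append(line.strip())
    return sections

def audit(config):
    """Return findings where a cpu-defend policy's cross-references are incomplete."""
    sections, findings = parse(config), []
    acls = {h.split()[-1] for h in sections if h.startswith("acl number ")}
    applied = {h.split()[-1] for h in sections if h.startswith("cpu-defend-policy ")}
    for header, cmds in sections.items():
        if not header.startswith("cpu-defend policy "):
            continue
        name = header.split()[-1]
        if name not in applied:
            findings.append(f"{name}: defined but never applied")
        for cmd in cmds:
            if cmd.startswith("blacklist ") and cmd.split()[-1] not in acls:
                findings.append(f"{name}: blacklist uses undefined ACL {cmd.split()[-1]}")
        if "auto-defend enable" not in cmds and any(c.startswith("auto-defend threshold") for c in cmds):
            findings.append(f"{name}: threshold set but source tracing is disabled")
    return findings
```

Calling audit() on a saved configuration returns an empty list when all three cross-references hold.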
For more Huawei products and reviews, visit http://www.huanetwork.com/blog