
Configuring Dynamic Traffic Limiting for Traffic Attack Defense

Procedure

  1. Enable dynamic traffic limiting for traffic attack defense.

    anti-ddos auto-defend traffic-policy enable

    By default, dynamic traffic limiting for traffic attack defense is disabled.

  2. Set the CAR for traffic attacks.

    anti-ddos auto-defend car car-value

    By default, the CAR is not set for traffic attacks.

  3. Configure dynamic traffic limiting for session-based or packet loss-based traffic attack defense.
    • Configure dynamic traffic limiting for session-based attack defense.

      1. Enable dynamic traffic limiting for session-based attack defense.

        anti-ddos auto-defend base-session enable

        By default, dynamic traffic limiting for session-based traffic attack defense is disabled.

      2. Set the alarm threshold and upper threshold for the session packet rate of dynamic limiting for session-based traffic attack defense.

        anti-ddos auto-defend base-session alert-rate alert-rate max-rate max-rate

        By default, the alarm threshold is 100,000 pps, and the upper threshold is 200,000 pps. Using the default alarm threshold and upper threshold is recommended. The default values can meet the requirements of most application scenarios.

    • Configure dynamic traffic limiting for packet loss-based attack defense.

      1. Enable dynamic traffic limiting for packet loss-based attack defense.

        anti-ddos auto-defend none-session enable

        By default, dynamic traffic limiting for packet loss-based traffic attack defense is disabled.

      2. Set the packet loss rate threshold and dynamic rule delivery threshold for dynamic traffic limiting for packet loss-based traffic attack defense.

        anti-ddos auto-defend none-session drop-rate drop-rate rule-rate rule-rate

        By default, the packet loss rate threshold is 300,000 pps, and the dynamic rule delivery threshold is 100,000 pps. Using the default thresholds is recommended. The default values can meet the requirements of most application scenarios.

      3. Configure the rule type delivered by dynamic traffic limiting for packet loss-based attack defense.

        anti-ddos auto-defend none-session type { 3-tuple | 5-tuple | auto }

        The default rule type is 5-tuple.

  4. Optional: Set the aging time of automatically delivered dynamic rules.

    anti-ddos auto-defend rule aging-time aging-time

    The aging time of a dynamic rule starts from the time the rule was created, and the remaining keepalive time is not updated when a packet matches the rule. When the configured aging time elapses, the rule expires.

    When attack traffic stops and the corresponding session ages, the corresponding dynamic rule will be automatically deleted.

    If an attack flow lasts a long time, set a longer aging time for dynamic rules to prevent the rules from aging out before the attack flow stops.
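
The aging behaviour described in step 4, as an added example that is not Huawei's code or part of the original page: a simplified Python model showing that a rule's expiry is fixed at creation, so a rule with too short an aging time expires while the attack flow is still running. The timeline values and the `session_aging` delay are constructed assumptions, and all times share one arbitrary unit because the page does not state the unit of aging-time.

```python
# Simplified model of the dynamic-rule lifetime described above (not device code).
# All times are in one arbitrary unit; the page does not state the unit of aging-time.
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicRule:
    created_at: float   # time the rule was automatically delivered
    aging_time: float   # value given to "anti-ddos auto-defend rule aging-time"

    @property
    def expires_at(self) -> float:
        # Fixed at creation: packets matching the rule do not extend it.
        return self.created_at + self.aging_time


def removal(rule: DynamicRule, attack_end: float, session_aging: float):
    """Return (time, reason) at which the rule goes away.

    session_aging is an ASSUMED delay between the last attack packet and the
    session aging out; the page gives no value for it.
    """
    session_gone = attack_end + session_aging
    if session_gone <= rule.expires_at:
        return session_gone, "session-aged"   # attack stopped first: rule deleted
    return rule.expires_at, "aging-time"      # configured aging time elapsed first


def uncovered(rule: DynamicRule, attack_end: float) -> float:
    """Time the attack flow keeps running after this rule has expired."""
    return max(0.0, attack_end - rule.expires_at)


def min_aging_time(rule_created_at: float, attack_end: float) -> float:
    """Smallest aging time that keeps the rule in place until the flow stops."""
    return max(0.0, attack_end - rule_created_at)


def report(aging_time, created_at=10.0, attack_end=900.0, session_aging=20.0):
    # Constructed timeline: rule delivered at t=10, attack flow stops at t=900.
    rule = DynamicRule(created_at, aging_time)
    when, why = removal(rule, attack_end, session_aging)
    return {"removed_at": when, "reason": why,
            "uncovered": uncovered(rule, attack_end)}


if __name__ == "__main__":
    for aging in (300.0, 1200.0):
        print(aging, report(aging))
```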

Copyright © Huawei Technologies Co., Ltd.