This section provides an example of configuring DDoS attack defense.
As shown in Figure 1, the FW protects the intranet web server. The web server is found to suffer frequently from SYN flood, UDP flood, and HTTP flood attacks. To defend against these attacks, enable attack defense on the FW.
To set a proper anti-DDoS threshold, enable threshold learning on the FW. To automatically apply the threshold learned, enable automatic application on the FW.
Enable attack defense against SYN flood, UDP flood, and HTTP flood on the FW. Do not change the default threshold for each defense function. The thresholds learned will be automatically applied after the learning process ends.
[FW] interface GigabitEthernet0/0/1
[FW-GigabitEthernet0/0/1] anti-ddos flow-statistic enable
[FW-GigabitEthernet0/0/1] quit
[FW] ddos-mode detect-clean
[FW] anti-ddos baseline-learn start
[FW] anti-ddos baseline-learn tolerance-value 100
[FW] anti-ddos baseline-learn apply
[FW] anti-ddos syn-flood source-detect
[FW] anti-ddos udp-flood dynamic-fingerprint-learn
[FW] anti-ddos udp-frag-flood dynamic-fingerprint-learn
[FW] anti-ddos http-flood defend alert-rate 2000
[FW] anti-ddos http-flood source-detect mode basic
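The commands above combine two kinds of threshold: one learned from observed traffic (baseline-learn with a tolerance value, then applied automatically) and one set statically (the HTTP flood alert-rate of 2000). The following Python model, an added example that is not part of the original page and not Huawei code, shows the mechanism behind both on constructed per-second rate samples: a learning window yields a peak rate, a tolerance margin is added, and the resulting threshold is used to flag seconds whose rate exceeds it. Treating the tolerance value as a percentage added to the learned peak is an assumption made for this illustration, not a documented FW behaviour; the sample rates and the function names are constructed here.

```python
"""Model of anti-DDoS threshold learning and rate-based detection.

Added example (not Huawei code). It illustrates the idea behind the
baseline-learn commands: observe normal traffic for a learning period,
derive a per-second threshold from the observed peak plus a tolerance
margin, then apply that threshold to live traffic. It also shows the
static alternative used for HTTP flood (a fixed alert rate).

ASSUMPTION: the tolerance value is modelled as a percentage of the
learned peak. The real FW semantics may differ.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed learning window: SYN packets per second on the server-facing
# interface during normal operation (8 one-second samples).
LEARNING_WINDOW_SYN_PPS = [120, 135, 150, 140, 160, 155, 145, 130]

# Constructed live window: the third and fourth seconds model a SYN burst.
LIVE_WINDOW_SYN_PPS = [140, 150, 900, 1500, 160, 170]

# Constructed live window of HTTP requests per second; only the last
# sample exceeds the static alert rate of 2000 used on the page.
LIVE_WINDOW_HTTP_RPS = [500, 1900, 2000, 2001]

TOLERANCE_PCT = 100          # mirrors "baseline-learn tolerance-value 100"
HTTP_ALERT_RATE = 2000       # mirrors "http-flood defend alert-rate 2000"


@dataclass(frozen=True)
class LearnedBaseline:
    """Result of a learning period: observed peak plus tolerance margin."""
    peak_pps: int
    tolerance_pct: int

    @property
    def threshold_pps(self) -> int:
        # Integer arithmetic keeps the threshold a whole packets-per-second value.
        return self.peak_pps + (self.peak_pps * self.tolerance_pct) // 100


def learn_baseline(samples: List[int], tolerance_pct: int) -> LearnedBaseline:
    """Derive a baseline from per-second rate samples taken during normal traffic.

    Raises ValueError on an empty window, because applying a threshold learned
    from no data would either block everything or nothing.
    """
    if not samples:
        raise ValueError("learning window is empty; cannot derive a baseline")
    if tolerance_pct < 0:
        raise ValueError("tolerance must be non-negative")
    return LearnedBaseline(peak_pps=max(samples), tolerance_pct=tolerance_pct)


def detect_flood(samples: List[int], threshold: int) -> List[Tuple[int, int]]:
    """Return (second_index, rate) for every sample strictly above the threshold.

    A rate equal to the threshold is treated as still within tolerance, which is
    why 2000 is not flagged against an alert rate of 2000 in the HTTP example.
    """
    return [(i, rate) for i, rate in enumerate(samples) if rate > threshold]


def run_example() -> dict:
    """Learn a SYN baseline, apply it to live traffic, and check HTTP against a fixed rate."""
    baseline = learn_baseline(LEARNING_WINDOW_SYN_PPS, TOLERANCE_PCT)
    return {
        "syn_threshold_pps": baseline.threshold_pps,
        "syn_alerts": detect_flood(LIVE_WINDOW_SYN_PPS, baseline.threshold_pps),
        "http_alerts": detect_flood(LIVE_WINDOW_HTTP_RPS, HTTP_ALERT_RATE),
    }


if __name__ == "__main__":
    result = run_example()
    print(f"learned SYN threshold: {result['syn_threshold_pps']} pps")
    for second, rate in result["syn_alerts"]:
        print(f"SYN flood suspected at t={second}s: {rate} pps")
    for second, rate in result["http_alerts"]:
        print(f"HTTP flood suspected at t={second}s: {rate} rps")
```

The learned threshold depends entirely on the learning window being representative, which is the practical reason the page advises learning before applying: a window captured during an attack would bake the attack rate into the baseline, and a window captured during an idle period would trigger false alerts as soon as normal load returns.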
Only the configurations related to this example are listed.
#
 sysname FW
#
interface GigabitEthernet0/0/1
 anti-ddos flow-statistic enable
#
 anti-ddos syn-flood source-detect
 anti-ddos udp-flood dynamic-fingerprint-learn
 anti-ddos udp-frag-flood dynamic-fingerprint-learn
 anti-ddos http-flood defend alert-rate 2000
 anti-ddos http-flood source-detect mode basic
 anti-ddos baseline-learn tolerance-value 100
 anti-ddos baseline-learn start
 anti-ddos baseline-learn apply
#
return