Configure Anti-DDOS Attack Detection
Network Requirements
- Device is connected to the IP network via port gigabitethernet0/1.
- Device is configured with the anti-DDOS attack detection function. When an attack packet is detected, Device raises an alarm and drops the packet. The common SYN Flood attack, Ping Flood attack, and Land attack are used as examples.
Network Topology
Figure 17-1 Networking of configuring the anti-DDOS attack detection
Configuration Steps
Step 1: Configure VLAN and add the port to the corresponding VLAN. (Omitted)
Step 2: Configure the IP address of the interface. (Omitted)
Step 3: Configure the ACL rule.
#Configure a standard ACL rule that matches the address of Device to be protected.
Device#configure terminal
Device(config)#ip access-list standard 1
Device(config-std-nacl)#permit host 100.0.0.1
Device(config-std-nacl)#exit
Step 4: Configure the attack detection function and enable the log recording function.
#Configure the SYN Flood, Ping Flood, and Land attack detection function on Device.
Device(config)#anti-attack detect tcp-land
Device(config)#anti-attack flood icmp list 1 maxcount 100
Device(config)#anti-attack flood tcp list 1 maxcount 100
#Enable the anti-DDOS attack detection log recording function on Device.
Device(config)#anti-attack log
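To make the effect of Steps 3 and 4 concrete, the following is an added example that models the configured behaviour in Python and replays constructed traffic through it. It is not the vendor's firmware or CLI: the protected set mirrors standard ACL 1 (permit host 100.0.0.1), the threshold mirrors maxcount 100, and Land detection applies to all TCP traffic because the detect tcp-land command takes no ACL. The one-second measurement window and the rule "every packet above maxcount in that window is dropped" are assumptions; the page does not document the device's exact algorithm.

```python
# Added example (not the vendor's firmware): a model of the detection behaviour
# configured in Steps 3-4, run over constructed packet records. The one-second
# window and "drop everything above maxcount" rule are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass, field

MAXCOUNT = 100             # from 'anti-attack flood ... maxcount 100' (packets/second)
PROTECTED = {"100.0.0.1"}  # standard ACL 1: 'permit host 100.0.0.1'


@dataclass
class Packet:
    ts: float        # arrival time in seconds (constructed)
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False


@dataclass
class AntiAttack:
    protected: set
    maxcount: int = MAXCOUNT
    drops: Counter = field(default_factory=Counter)  # mirrors the 'IP attack / Drops' table
    alarms: list = field(default_factory=list)       # one entry per detected attack
    _seen: dict = field(default_factory=lambda: defaultdict(int))

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        # 'anti-attack detect tcp-land' has no ACL attached, so any TCP packet whose
        # source equals its destination (address and port) is treated as a Land attack.
        if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
            self.drops["Tcp-land"] += 1
            self.alarms.append(
                f"LAND attack detected, source IP equals destination IP {pkt.dst}, "
                f"source port equals destination port {pkt.sport}")
            return False

        # Flood detection is scoped by 'list 1': only protected destinations are rated.
        if pkt.dst not in self.protected:
            return True
        if pkt.proto == "tcp" and pkt.syn:
            kind = "SYN Flood"
        elif pkt.proto == "icmp":
            kind = "ICMP Flood"
        else:
            return True

        # Assumption: the rate is measured per destination in one-second buckets and
        # every packet beyond maxcount within a bucket is dropped.
        bucket = (kind, pkt.dst, int(pkt.ts))
        self._seen[bucket] += 1
        if self._seen[bucket] <= self.maxcount:
            return True
        if self._seen[bucket] == self.maxcount + 1:  # alarm once per bucket
            self.alarms.append(
                f"{kind.split()[0]} flood attack detected, destination IP {pkt.dst}")
        self.drops[kind] += 1
        return False


def run_demo() -> AntiAttack:
    """Replay one constructed second of traffic and return the detector state."""
    det = AntiAttack(protected=set(PROTECTED))
    traffic = []
    # 1000 SYNs/second to the protected host: 100 pass, 900 are dropped.
    traffic += [Packet(0.001 * i, "tcp", f"10.0.{i % 256}.{i % 199}", "100.0.0.1",
                       40000 + i, 80, syn=True) for i in range(1000)]
    # 50 ICMP echo requests/second: below maxcount, nothing is dropped.
    traffic += [Packet(0.02 * i, "icmp", "10.1.1.1", "100.0.0.1") for i in range(50)]
    # 300 SYNs/second to a host not matched by ACL 1: not rated at all.
    traffic += [Packet(0.003 * i, "tcp", "10.2.2.2", "100.0.0.2", 50000 + i, 80, syn=True)
                for i in range(300)]
    # One Land packet: source and destination address and port are identical.
    traffic.append(Packet(0.5, "tcp", "100.0.0.1", "100.0.0.1", 1024, 1024, syn=True))
    for pkt in sorted(traffic, key=lambda p: p.ts):
        det.inspect(pkt)
    return det


if __name__ == "__main__":
    state = run_demo()
    for line in state.alarms:
        print(line)
    for attack, count in sorted(state.drops.items()):
        print(f"{attack:<12}{count}")
```

Running the module prints the two alarms and the per-attack drop counters in the same shape as the statistics shown in Step 5; the unprotected destination receives 300 SYNs/second but is never rated, which is the practical effect of binding the flood detectors to ACL 1.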
Step 5: Check the result.
#When Device detects a SYN Flood attack, it outputs the following log information:
%FW-FLOOD_WARN-4: vlan2 gigabitethernet0/1 SYN flood attack detected, destination IP 100.0.0.1, 1000 packets/second.
#When Device detects a Ping Flood attack, it outputs the following log information:
%FW-FLOOD_WARN-4: vlan2 gigabitethernet0/1 ICMP flood attack detected, destination IP 104.1.1.1, overflow 20 packets/second.
#When Device detects a Land attack, it outputs the following log information:
%FW-LAND_WARN-4: LAND attack detected at vlan2 gigabitethernet0/1, source IP equals destination IP 100.0.0.1, source port equals destination port 1024.
#View the attack detection packet statistics on Device:
IP attack       Drops
-------------   ------
Small IP        0
Fragment        0
Tcp-land        6256
Fraggle         0
SYN Flood       6200
ICMP Flood      4893
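The alarms in Step 5 are only useful if they reach a log collector in a form that can be counted and correlated. The following is an added example, not vendor code, that parses the three %FW-*_WARN message formats shown above into structured records. The three sample lines are copied from this page; the fourth is a constructed, unrelated syslog line to show that other messages are ignored. The record field names are my own, and the parser accepts both the "%FW-FLOOD_WARN" and "%FW FLOOD_WARN" spellings because both appear in extracted copies of this guide.

```python
# Added example (not the vendor's code): parse the %FW-*_WARN syslog lines shown
# in Step 5 into structured records for SIEM ingestion or alert correlation.
import re
from typing import Optional

# Accept both '%FW-FLOOD_WARN' and '%FW FLOOD_WARN'.
FLOOD_RE = re.compile(
    r"%FW[- ]FLOOD_WARN-(?P<severity>\d+): (?P<vlan>[^\s,]+) (?P<port>[^\s,]+) "
    r"(?P<proto>SYN|ICMP) flood attack detected, destination IP (?P<dst>[\d.]+), "
    r"(?P<overflow>overflow )?(?P<pps>\d+) packets/second\.")
LAND_RE = re.compile(
    r"%FW[- ]LAND_WARN-(?P<severity>\d+): LAND attack detected at "
    r"(?P<vlan>[^\s,]+) (?P<port>[^\s,]+), "
    r"source IP equals destination IP (?P<dst>[\d.]+), "
    r"source port equals destination port (?P<dport>\d+)\.")


def parse_anti_attack_log(line: str) -> Optional[dict]:
    """Return a record for a recognised anti-DDOS log line, or None otherwise."""
    m = FLOOD_RE.search(line)
    if m:
        return {
            "attack": f"{m['proto']} flood",
            "severity": int(m["severity"]),
            "vlan": m["vlan"],
            "port": m["port"],
            "dst": m["dst"],
            "pps": int(m["pps"]),
            # The ICMP message reports the excess over maxcount ("overflow"),
            # the SYN message reports the observed rate; keep the distinction.
            "pps_is_overflow": m["overflow"] is not None,
        }
    m = LAND_RE.search(line)
    if m:
        return {
            "attack": "LAND",
            "severity": int(m["severity"]),
            "vlan": m["vlan"],
            "port": m["port"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        }
    return None


# First three lines are copied from the page; the last is constructed and unrelated.
SAMPLE_LOGS = [
    "%FW-FLOOD_WARN-4: vlan2 gigabitethernet0/1 SYN flood attack detected, "
    "destination IP 100.0.0.1, 1000 packets/second.",
    "%FW-FLOOD_WARN-4: vlan2 gigabitethernet0/1 ICMP flood attack detected, "
    "destination IP 104.1.1.1, overflow 20 packets/second.",
    "%FW-LAND_WARN-4: LAND attack detected at vlan2 gigabitethernet0/1, "
    "source IP equals destination IP 100.0.0.1, source port equals destination port 1024.",
    "%SYS-INFO: constructed unrelated syslog line, should be ignored",
]


def summarize(lines) -> dict:
    """Tally recognised alarms per (attack, ingress port)."""
    counts = {}
    for line in lines:
        rec = parse_anti_attack_log(line)
        if rec is None:
            continue
        key = (rec["attack"], rec["port"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_anti_attack_log(line))
    print(summarize(SAMPLE_LOGS))
```

Keeping the overflow flag separate matters when thresholding downstream: "overflow 20 packets/second" on the ICMP detector means 120 pps were observed against a maxcount of 100, whereas the SYN message already carries the absolute rate.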
The anti-DDOS attack detection function takes effect only for packets that are processed by the CPU.