Configuration of IP sweep attack defense for the USG2000&5000 series on the CLI


You can configure IP sweep attack defense for the USG2000&5000 series on the CLI.

1. Run the firewall defend ip-sweep enable command to enable IP sweep attack defense.
By default, IP sweep attack defense is disabled.
2. Run the firewall defend ip-sweep max-rate max-rate-number command to set the IP sweep maximum connection rate.
The default maximum connection rate is 4000 pps.
3. Run the firewall defend ip-sweep blacklist-timeout interval command to set the blacklist aging time.
By default, the blacklist aging time is 20 minutes.
4. Run the firewall blacklist enable command to enable the blacklist function.

After IP sweep attack defense is enabled, the device checks received TCP, UDP, and ICMP packets. If the number of packets that a source address sends per second to different destination IP addresses exceeds the specified threshold, the USG2000&5000 considers that the source address is initiating an IP sweep attack. It blacklists the IP address and:
Discards the packets from the source address if the blacklist function is enabled.
Forwards the packets from the source address and generates an alarm if the blacklist function is disabled.
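The detection and blacklist behaviour described above, as an added illustration that is not Huawei's code and is not part of the original article: a simplified model that counts distinct destination IPs per source within a fixed one-second bucket (an assumption; the device's exact counting window is not documented here), blacklists a source once the count exceeds max-rate, ages the entry out after blacklist-timeout, and either drops or forwards-with-alarm depending on whether the blacklist function is enabled. The threshold, timeout and packets below are constructed sample values, not the device defaults.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Only these protocols are checked, as the article states.
CHECKED_PROTOCOLS = {"tcp", "udp", "icmp"}


@dataclass
class SweepDetector:
    max_rate: int = 4000            # distinct destinations per second (device default)
    blacklist_timeout: float = 1200  # seconds; device default is 20 minutes
    blacklist_enabled: bool = True
    # (source, second bucket) -> set of destination IPs seen in that second
    _dests: dict = field(default_factory=lambda: defaultdict(set))
    _blacklist: dict = field(default_factory=dict)  # source -> expiry timestamp
    alarms: list = field(default_factory=list)      # (timestamp, source) on detection

    def handle(self, ts, src, dst, proto):
        """Decide 'forward' or 'drop' for one packet and update state."""
        expiry = self._blacklist.get(src)
        if expiry is not None and ts >= expiry:
            del self._blacklist[src]          # blacklist entry has aged out
        if src in self._blacklist:
            return "drop" if self.blacklist_enabled else "forward"
        if proto not in CHECKED_PROTOCOLS:
            return "forward"                  # not subject to the sweep check
        seen = self._dests[(src, int(ts))]
        seen.add(dst)                         # repeats of the same dst do not count
        if len(seen) > self.max_rate:
            self._blacklist[src] = ts + self.blacklist_timeout
            self.alarms.append((ts, src))     # alarm is raised either way
            return "drop" if self.blacklist_enabled else "forward"
        return "forward"


def run(packets, **settings):
    """Feed (ts, src, dst, proto) tuples through a detector; return decisions and detector."""
    det = SweepDetector(**settings)
    return [det.handle(*p) for p in packets], det


# Constructed sample traffic: one host pings six different targets within one second.
SAMPLE_PACKETS = [
    (0.1, "10.0.0.5", "10.0.1.1", "icmp"), (0.2, "10.0.0.5", "10.0.1.2", "icmp"),
    (0.3, "10.0.0.5", "10.0.1.3", "icmp"), (0.4, "10.0.0.5", "10.0.1.4", "icmp"),
    (0.5, "10.0.0.5", "10.0.1.5", "icmp"), (0.55, "10.0.0.5", "10.0.1.5", "icmp"),
    (0.6, "10.0.0.5", "10.0.1.6", "icmp"), (0.7, "10.0.0.5", "10.0.1.1", "icmp"),
    (0.8, "10.0.0.9", "10.0.1.1", "tcp"), (61.0, "10.0.0.5", "10.0.1.1", "icmp"),
]
```

With max_rate=5 and blacklist_timeout=60 the sixth distinct destination triggers the blacklist, the following packet from that source is dropped, the unrelated source is unaffected, and the source is forwarded again once the entry has aged out.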

Other related questions:
Configuration of IP sweep attack defense for the USG2000&5000 series on the web UI
You can configure IP sweep attack defense for the USG2000&5000 series on the web UI.
1. Choose Firewall > Security Protection > Attack Defense.
2. In the attack defense configuration list, choose Attack Defense Type > Scan.
3. On the Configure Scan Attack Defense page, select Enable corresponding to IP Sweep.
4. Set parameters for IP sweep attack defense.
5. Click Apply.

Configuration of IP sweep attack defense for the USG6000 series on the CLI
You can configure IP sweep attack defense for the USG6000 series on the CLI.
1. Run the firewall defend ip-sweep enable command to enable IP sweep attack defense.
By default, IP sweep attack defense is disabled.
2. Run the firewall defend ip-sweep max-rate max-rate-number command to set the IP sweep maximum connection rate.
By default, the maximum connection rate is 4000 pps.
3. Run the firewall defend ip-sweep blacklist-timeout interval command to set the blacklist aging time.
By default, the blacklist aging time is 20 minutes.
4. Run the firewall blacklist enable command to enable the blacklist function.
After IP sweep attack defense is enabled, the device checks received TCP, UDP, and ICMP packets. If the number of packets that a source address sends per second to different destination IP addresses exceeds the specified threshold, the USG6000 considers that the source address is initiating an IP sweep attack. It blacklists the IP address and:
Discards the packets from the source address if the blacklist function is enabled.
Forwards the packets from the source address and generates an alarm if the blacklist function is disabled.

Configuration of SIP flood attack defense for the USG2000&5000 series on the CLI
You can configure SIP flood attack defense for the USG2000&5000 series on the CLI.
1. In the user view, run the system-view command to access the system view.
2. Run the firewall defend sip-flood enable command to enable the SIP flood attack defense function.
3. According to the attack defense scope, run either of the following commands to set SIP flood attack parameters:
(a) Run the firewall defend sip-flood ip ip-address [ vpn-instance vpn-instance-name ] [ alert-rate alert-rate ] [ max-rate rate-number ] [ source-detect [ on | off ] ] command to set SIP flood attack defense parameters based on IP addresses. The source detection function is enabled by default.
(b) Run the firewall defend sip-flood zone [ vpn-instance vpn-instance-name ] zone-name [ alert-rate alert-rate ] [ max-rate rate-number ] [ source-detect [ on | off ] ] command to set SIP flood attack defense parameters based on security zones. The source detection function is enabled by default.
4. Run the firewall defend sip-flood port range [ start-port end-port ] command to set a port range for SIP flood attack defense.

Configuring port scan attack defense using the CLI for the USG2000&5000 series
The USG2000&5000 series supports configuring port scan attack defense using the CLI.
1. Run the firewall defend port-scan enable command to enable the port scan attack defense function.
Port scan attack defense is disabled by default.
2. Run the firewall defend port-scan max-rate max-rate-number command to set the maximum connection rate.
The default maximum connection rate is 4000 pps.
3. Run the firewall defend port-scan blacklist-timeout interval command to set the blacklist aging time.
The default blacklist aging time is 20 minutes.
4. Run the firewall blacklist enable command to enable the blacklist function.
After port scan attack defense is enabled, the USG detects received TCP and UDP packets. If the number of packets with different destination ports from a specific source IP address per second exceeds the threshold, the USG determines that the host at this IP address launches port scan attacks, blacklists this IP address, and processes the packets as follows:
If the blacklist function is enabled, the USG discards the packets from this IP address.
If the blacklist function is disabled, the USG generates an alarm but does not discard the packets.

Enabling IP spoofing attack defense on the USG2000&5000 series
The USG2000&5000 looks up the routing table for the outgoing interfaces of reverse traffic destined to the source. If the incoming interface of the traffic and the outgoing interface of the reverse traffic are different, the packets are considered IP spoofing packets and discarded. Run the firewall defend ip-spoofing enable command to enable IP spoofing attack defense.
