
auto-defend whitelist

Function

The auto-defend whitelist command configures an attack source tracing whitelist. The switch does not trace the source of users in the whitelist.

The undo auto-defend whitelist command deletes an attack source tracing whitelist.

By default, no whitelist is configured for attack source tracing. If any of the following conditions is met, however, the switch uses the condition as the whitelist matching rule, regardless of whether attack source tracing is enabled. After attack source tracing is enabled, the switch does not perform attack source tracing for the packets matching such rules.

  • If an application uses TCP and has set up a TCP connection with the switch, the switch will not treat TCP packets from that source IP address as attack packets. If no TCP packets from that source IP address are seen within 1 hour, the rule for that source IP address is aged out.
  • If an interface has been configured as a DHCP trusted interface using the dhcp snooping trusted command, the switch will not consider DHCP packets received from this interface as attack packets.
  • If an interface has been configured as a MAC forced forwarding (MFF) network-side interface using the mac-forced-forwarding network-port command, the switch will not consider ARP packets received from this interface as attack packets.

For the preceding conditions, the switch supports a maximum of 16 whitelist matching rules based on source IP addresses and interfaces, and a maximum of 8 whitelist matching rules based on source IP addresses of TCP packets.

Format

auto-defend whitelist whitelist-number { acl acl-number | interface interface-type interface-number }

undo auto-defend whitelist whitelist-number [ acl acl-number | interface interface-type interface-number ]

Parameters

Parameter: whitelist-number
  Description: Specifies the number of a whitelist.
  Value: The value is an integer that ranges from 1 to 16.

Parameter: acl acl-number
  Description: Specifies the number of an ACL referenced by a whitelist.
  Value: The value is an integer that ranges from 2000 to 4999.
    • 2000 to 2999: basic ACLs
    • 3000 to 3999: advanced ACLs
    • 4000 to 4999: Layer 2 ACLs

Parameter: interface interface-type interface-number
  Description: Specifies the interface to which the whitelist is applied.
    • interface-type specifies the interface type.
    • interface-number specifies the interface number.
  Value: -

Views

Attack defense policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Attack source tracing helps locate and punish sources of denial of service (DoS) attacks. If some users do not need to be traced regardless of whether an attack occurs, run the auto-defend whitelist command to configure a whitelist for users.

Prerequisites

Attack source tracing has been enabled using the auto-defend enable command.

Precautions

Before referencing an ACL in a whitelist, create the ACL and configure rules.

If the ACL referenced by the whitelist specifies some protocols, ensure that packets of these protocols can be traced. You can run the display auto-defend configuration command to view the protocols supported by attack source tracing. If a protocol is not supported by attack source tracing, you can run the auto-defend protocol command to configure attack source tracing to support the protocol.
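The prerequisite and precautions above (auto-defend enabled, ACL created with rules before it is referenced, whitelist number 1 to 16, ACL number 2000 to 4999) can be checked offline against a configuration dump. The following audit script is an added example, not Huawei's code; it assumes a text dump in the form shown in this page's example, with a constructed sample that contains deliberate mistakes.

```python
import re

# Constructed sample in the style of the page's example, with three deliberate mistakes.
SAMPLE_CONFIG = """\
acl 2000
 rule permit source 10.1.1.1 0
 rule permit source 10.1.1.2 0
acl 2001
cpu-defend policy test
 auto-defend enable
 auto-defend whitelist 1 acl 2000
 auto-defend whitelist 2 acl 2001
 auto-defend whitelist 3 acl 3001
 auto-defend whitelist 17 acl 2000
"""

ACL_RE = re.compile(r"acl (\d+)$")
WL_RE = re.compile(r"auto-defend whitelist (\d+) acl (\d+)$")

def audit_auto_defend_whitelist(config: str) -> list:
    """Check each 'auto-defend whitelist N acl X' line: N in 1..16, X in 2000..4999,
    the ACL exists with at least one rule, and auto-defend is enabled."""
    acl_rules, current_acl = {}, None  # ACL number -> rule count; ACL view we are in
    enabled, whitelists, findings = False, 0, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            current_acl = int(m.group(1))
            acl_rules.setdefault(current_acl, 0)
        elif line.startswith("rule ") and current_acl is not None:
            acl_rules[current_acl] += 1
        elif line.startswith("cpu-defend policy"):
            current_acl = None  # left the ACL view
        elif line == "auto-defend enable":
            enabled = True
        elif m := WL_RE.match(line):
            whitelists += 1
            num, acl = int(m.group(1)), int(m.group(2))
            if not 1 <= num <= 16:
                findings.append(f"whitelist {num}: number outside 1-16")
            if not 2000 <= acl <= 4999:
                findings.append(f"whitelist {num}: ACL {acl} outside 2000-4999")
            elif acl not in acl_rules:
                findings.append(f"whitelist {num}: ACL {acl} is not defined")
            elif acl_rules[acl] == 0:
                findings.append(f"whitelist {num}: ACL {acl} has no rules")
    if whitelists and not enabled:
        findings.append("auto-defend enable is missing; whitelists have no effect")
    return findings
```

Run `audit_auto_defend_whitelist(SAMPLE_CONFIG)` to list the three problems in the sample; an empty list means every whitelist entry satisfies the constraints on this page.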

Example

# Add source IP addresses 10.1.1.1 and 10.1.1.2 to the attack source tracing whitelist.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.2 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend whitelist 1 acl 2000
Copyright © Huawei Technologies Co., Ltd.