You can detect common attacks as follows:
Clear statistics on the packets sent to the CPU.
Wait for one minute and check the number of packets sent to the CPU and discarded protocol packets, such as ICMP, TTL, Expired, SSH, and FTP. If there are a lot of packets sent to the CPU or discarded, an attack, such as ICMP attack, TTL Expired attack, SSH attack, or FTP attack, may occur.
Find out the attack source through IP source trail or attack source tracing.
After locating the attack source, run the cpu-defend policy command to configure the blacklist to prevent the packets from this source entering the control plane. Alternatively, you can configure the penalty action in auto-defend to discard attack packets.
Additionally, the device can restrict the rate of ICMP packets from the source, or use traffic policy to discard SSH and FTP attack packets.