The chasten flow(slot) command restricts the number of HTTPS flows that can be established on the board in a specified slot.
The undo chasten flow(slot) command cancels the restriction on the number of HTTPS flows that can be established on the board in a specified slot.
By default, the global configuration is used. If no global configuration is available, the maximum number of HTTPS flow tables established on a device is 300, the period for establishing HTTPS flow tables is 30 seconds, the period for which HTTPS flow setup is blocked is 30 seconds, and one TCP SYN packet is processed per second in the block state.
This command is supported only on the NetEngine 8000 F1A.
Parameter | Description | Value |
---|---|---|
slot slotid | Specifies the slot ID. | The value is a string of 1 to 16 case-sensitive characters, spaces not supported. |
flow connection-sessions | Specifies the number of HTTPS flow tables to be created. | The value is an integer ranging from 1 to 10000. |
flow connection-period | Specifies the time for creating the HTTPS flow table. | The value is an integer ranging from 1 to 3600, in seconds. |
flow blocking-period | Specifies the block time for HTTPS flow setup. | The value is an integer ranging from 1 to 3600, in seconds. |
flow blocking-rate | Specifies the HTTPS SYN packet processing rate in blocking state. | The value is an integer ranging from 1 to 10, in packets/second. |
Usage Scenario
Some users may attack the device with HTTPS TCP SYN packets whose destination IP addresses keep changing. To keep the HTTPS redirection function available to other users, restrict the rate at which HTTPS flows are established on the board in a specified slot. Run the chasten flow(slot) command to configure the number of seconds for which a device is frozen if the number of HTTPS flows established on the device within a specified period exceeds the preset threshold. During this freezing period, the device discards the extra HTTPS TCP SYN packets sent by the user.
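How the four parameters interact can be seen in a small model, added here as an illustration and not taken from the device's implementation. The fixed counting window, the one-second bucket used in the block state, and the names `ChastenModel`, `on_syn` and `simulate` are assumptions; the SYN streams are constructed.

```python
class ChastenModel:
    """Simplified model of the per-slot HTTPS flow limiter (assumed semantics)."""

    def __init__(self, sessions=300, period=30, block_period=30, block_rate=1):
        self.sessions = sessions          # connection-sessions
        self.period = period              # connection-period, seconds
        self.block_period = block_period  # blocking-period, seconds
        self.block_rate = block_rate      # blocking-rate, SYNs/second while blocked
        self.win_start = None             # start of the current counting window
        self.count = 0                    # flows established in that window
        self.blocked_until = None         # end of the freeze, or None
        self.bucket = None                # one-second bucket used while blocked
        self.bucket_count = 0

    def on_syn(self, t):
        """Return True if the SYN arriving at time t (seconds) is processed."""
        if self.blocked_until is not None and t >= self.blocked_until:
            self.blocked_until = None     # freeze over: start counting afresh
            self.win_start = None
        if self.blocked_until is None:
            if self.win_start is None or t - self.win_start >= self.period:
                self.win_start, self.count = t, 0
            if self.count < self.sessions:
                self.count += 1
                return True
            # Threshold exceeded inside the window: enter the block state.
            self.blocked_until = t + self.block_period
            self.bucket = None
        # Block state: only block_rate SYNs are processed in each second.
        second = int(t)
        if second != self.bucket:
            self.bucket, self.bucket_count = second, 0
        if self.bucket_count < self.block_rate:
            self.bucket_count += 1
            return True
        return False


def simulate(model, syn_per_second, duration):
    """Feed an evenly spaced constructed SYN stream; return (processed, dropped)."""
    processed = dropped = 0
    for s in range(duration):
        for k in range(syn_per_second):
            if model.on_syn(s + k / syn_per_second):
                processed += 1
            else:
                dropped += 1
    return processed, dropped
```

In this model, a constructed 100 SYN/s stream against the default values (300, 30, 30, 1) has 654 of 6000 SYNs processed in 60 seconds, while the values 9000 3000 3000 1 let the first 9000 SYNs through before the freeze begins.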
Precautions
```
<HUAWEI> system-view
[~HUAWEI] access https-redirect
[~HUAWEI-access-https-redirect] chasten flow 9000 3000 3000 1 slot 1
```