nat flow-defend reverse-blacklist detect-threshold

Function

The nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold command sets the address-level rate threshold for a device. If traffic exceeds the rate, its IP address is added to a NAT blacklist.

The nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold command sets a port-level rate threshold for a device. If traffic exceeds the rate, its port number is added to a NAT blacklist.

The undo nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold command restores the default address-level rate threshold for a device.

The undo nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold command restores the default port-level rate threshold for a device.

The default address-level rate threshold is 64 kpps.

This command is supported only on the NetEngine 8000 F1A.

Format

nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold ip-level-high-threshold-value

nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold ip-port-level-high-threshold-value

undo nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold [ ip-level-high-threshold-value ]

undo nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold [ ip-port-level-high-threshold-value ]

Parameters

Parameter: high-threshold ip-port-level-high-threshold-value
Description: Sets a port-level rate threshold.
Value: The value is an integer that ranges from 32 to 2047, expressed in kpps (the unit used for the default and in the examples on this page).

Parameter: high-threshold ip-level-high-threshold-value
Description: Sets an address-level rate threshold.
Value: The value is an integer that ranges from 33 to 2048, expressed in kpps (the unit used for the default and in the examples on this page).

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name: nat
Operations: write

Usage Guidelines

Usage Scenario

If no internal server is configured, or if no session table entry on the NAT device matches incoming public network traffic, the NAT device treats public-to-private traffic that reaches a specified rate threshold as attack traffic and adds it to a NAT blacklist. The reverse first-packet blacklist prevents public-to-private first packets (the packets that would trigger the creation of a session table entry) from attacking a specific public IP address, public port number, or protocol ID; such attacks adversely affect the forwarding of normal traffic.

To monitor the rate of attack traffic matching an IP address in a NAT blacklist, run the nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold command to set an IP address-level rate threshold. To monitor the rate of attack traffic matching an IP address, port number, or protocol ID in a NAT blacklist, run the nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold command to set a port-level rate threshold.

Ensure that the configured threshold does not exceed the CPU processing capability. Otherwise, attack traffic cannot be blacklisted.
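The following Python model is an added illustration of the two detection levels described above; it is not Huawei code and not the device's implementation. It tallies session-less public-to-private first packets per second, once per public IP address (address level) and once per public IP, port and protocol tuple (port level), and reports which keys exceed the configured kpps thresholds. The function names, the constructed traffic sample and the 100 kpps port-level value (borrowed from the example below) are assumptions; the 64 kpps address-level default is the one this page documents.

```python
"""Model of a two-level reverse first-packet blacklist check.

Added example, not Huawei code. Input is a per-second tally of
public-to-private first packets that matched no session table entry.
Thresholds are in kpps, the unit used by the command reference.
"""
from collections import Counter, defaultdict

IP_LEVEL_DEFAULT_KPPS = 64    # documented default for ip-level high-threshold
IP_PORT_LEVEL_KPPS = 100      # assumed; matches the page's configuration example

# Documented value ranges for the two parameters.
DOCUMENTED_RANGES = {
    "ip-level": (33, 2048),
    "ip-port-level": (32, 2047),
}


def in_documented_range(level, value):
    """Return True if value is an integer inside the documented CLI range."""
    low, high = DOCUMENTED_RANGES[level]
    return isinstance(value, int) and low <= value <= high


def detect_blacklist(first_packets, ip_level_kpps=IP_LEVEL_DEFAULT_KPPS,
                     ip_port_level_kpps=IP_PORT_LEVEL_KPPS):
    """Apply both thresholds to a per-second first-packet tally.

    first_packets: iterable of (second, dst_ip, dst_port, proto, count).
    Returns (ip_blacklist, tuple_blacklist): public IPs whose aggregate
    first-packet rate exceeded the address-level threshold, and
    (ip, port, proto) tuples that exceeded the port-level threshold.
    """
    ip_counts = defaultdict(Counter)      # second -> ip -> packets
    tuple_counts = defaultdict(Counter)   # second -> (ip, port, proto) -> packets
    for sec, ip, port, proto, n in first_packets:
        ip_counts[sec][ip] += n
        tuple_counts[sec][(ip, port, proto)] += n

    ip_blacklist, tuple_blacklist = set(), set()
    for sec in ip_counts:
        # Address level: all ports/protocols of one public IP are summed.
        for ip, n in ip_counts[sec].items():
            if n > ip_level_kpps * 1000:
                ip_blacklist.add(ip)
        # Port level: each (ip, port, proto) tuple is judged on its own.
        for key, n in tuple_counts[sec].items():
            if n > ip_port_level_kpps * 1000:
                tuple_blacklist.add(key)
    return ip_blacklist, tuple_blacklist


# Constructed one-second sample (packet counts, not real captures).
SAMPLE = [
    (0, "203.0.113.10", 443, "tcp", 50_000),   # two ports on .10 sum to 80k
    (0, "203.0.113.10", 8080, "tcp", 30_000),  # > 64k at address level only
    (0, "203.0.113.20", 53, "udp", 120_000),   # exceeds both levels
    (0, "203.0.113.30", 22, "tcp", 5_000),     # normal traffic
]

if __name__ == "__main__":
    ips, tuples = detect_blacklist(SAMPLE)
    print("address-level blacklist:", sorted(ips))
    print("port-level blacklist:", sorted(tuples))
```

Run against the sample, 203.0.113.10 is blacklisted only at address level (its two ports sum past 64 kpps while neither alone passes 100 kpps), and 203.0.113.20 is blacklisted at both levels. Lowering ip-port-level to 40 kpps, as the example below does for ip-level, additionally catches the 50 kpps stream to port 443.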

Precautions

In VS mode, this command is supported only by the admin VS.

Example

# Set a port-level rate threshold for a NAT blacklist to 100 kpps.
<HUAWEI> system-view
[~HUAWEI] nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold 100
# Set an IP address-level rate threshold for the NAT blacklist to 40 kpps.
<HUAWEI> system-view
[~HUAWEI] nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold 40
Copyright © Huawei Technologies Co., Ltd.