Configuring the Rate Limit at Which the First Packet Is Sent to Create a Flow

Limiting the rate at which the first packet is sent to the CPU of a service board to create a flow prevents users from consuming a large amount of CPU resources through a first-packet attack, thereby ensuring that normal traffic is still forwarded.

Context

The NAT blacklist function defends a device against attacks initiated by network-side first packets sent either to a specified combination of public IP address, port number, and protocol ID, or to all IP addresses. If no internal service is configured, or if public-network traffic does not match any entry in the session table on the NAT device, the NAT device treats traffic arriving at a rate that reaches a specified threshold as attack traffic. The NAT device adds the IP address and the UDP or TCP destination port number of the attack traffic to a NAT blacklist. Once network-side attack traffic matches the blacklist, the NAT device drops the traffic or collects statistics about it.

The NAT blacklist-based detection is performed in either of the following modes:
  • Address-level detection: An address-level rate threshold is set for a NAT device to detect attacks only on IP addresses.
  • Port-level detection: A port-level rate threshold is set for a NAT device to detect attacks using packets with a specified IP address, a specified port number, and a specified protocol ID.
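The two detection modes above, as an added model written for this page (not Huawei's code or the device's actual algorithm): first packets that miss the session table are counted per one-second bucket under an address-level key and a port-level key, a key whose count reaches its threshold is blacklisted, and later matches are dropped or only counted. The one-second window, the key shapes, the "forward/drop/count" verdicts and the 203.0.113.x sample addresses are assumptions.

```python
from collections import Counter, namedtuple

# Constructed record for one network-side packet that has already missed the
# session table (a "first packet"). `second` is the arrival time bucket.
Packet = namedtuple("Packet", "second dst_ip dst_port proto")

class ReverseBlacklist:
    """Address-level key = dst_ip; port-level key = (dst_ip, dst_port, proto).
    A threshold of None disables that mode; both modes may run together."""

    def __init__(self, ip_threshold=None, port_threshold=None, action="drop"):
        assert action in ("drop", "count")
        self.ip_threshold, self.port_threshold = ip_threshold, port_threshold
        self.action = action
        self.blacklist = set()   # blacklisted keys of either shape
        self.counts = Counter()  # (second, key) -> first packets in that second
        self.stats = Counter()   # matches per port-level key when action == "count"

    def handle(self, pkt):
        """Return 'forward', 'drop' or 'count' for one first packet."""
        ip_key = pkt.dst_ip
        port_key = (pkt.dst_ip, pkt.dst_port, pkt.proto)
        if ip_key in self.blacklist or port_key in self.blacklist:
            if self.action == "drop":
                return "drop"
            self.stats[port_key] += 1
            return "count"
        # Rate modelled as first packets per one-second bucket (assumption);
        # the packet that reaches the threshold is still forwarded, later ones match.
        for key, threshold in ((ip_key, self.ip_threshold),
                               (port_key, self.port_threshold)):
            if threshold is not None:
                self.counts[(pkt.second, key)] += 1
                if self.counts[(pkt.second, key)] >= threshold:
                    self.blacklist.add(key)
        return "forward"

def sample_traffic():
    """Constructed: a 100 pps UDP/53 flood to one public address, plus a few
    legitimate TCP/443 first packets to the same and to another address."""
    flood = [Packet(0, "203.0.113.10", 53, "udp") for _ in range(100)]
    same_ip = [Packet(0, "203.0.113.10", 443, "tcp") for _ in range(5)]
    other_ip = [Packet(0, "203.0.113.20", 443, "tcp") for _ in range(5)]
    return flood + same_ip + other_ip

def run(packets, **kwargs):
    # Feed packets through one blacklist; return (verdict counts, blacklist).
    bl = ReverseBlacklist(**kwargs)
    return Counter(bl.handle(p) for p in packets), bl
```

Running the same traffic with only the port-level threshold keeps the TCP/443 packets to the flooded address flowing, while the address-level threshold alone blocks them too; this is the granularity trade-off between the two modes.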

In VS mode, this configuration process is supported only by the admin VS.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run undo nat flow-defend reverse-blacklist disable

    The NAT blacklist function is enabled.

  3. Run nat flow-defend { forward | fragment | reverse } rate rate-number slot slot-id

    The rate at which the first packet is sent to the CPU of a service board to create a flow is set.

  4. (Optional) Run nat flow-defend reverse-blacklist detect-threshold ip-port-level high-threshold ip-port-level-high-threshold-value

    The port-level rate threshold for generating entries in a reverse NAT blacklist is set.

    If the NAT blacklist function is enabled, after this command is run the device detects attack traffic by IP address, port number, and protocol number. You can set the port-level rate threshold for the NAT blacklist to adjust the rate at which traffic is classified as an attack.

  5. (Optional) Run nat flow-defend reverse-blacklist detect-threshold ip-level high-threshold ip-level-high-threshold-value

    The address-level rate threshold for generating entries in a reverse NAT blacklist is set.

    If the NAT blacklist function is enabled, after this command is run the device detects attack traffic by IP address only. You can set the address-level rate threshold for the NAT blacklist to adjust the rate at which traffic is classified as an attack.

    The port- and address-level rate thresholds can be configured together for the NAT blacklist. The two commands are independent of each other.

  6. Run commit

    The configuration is committed.

Verifying the Configuration

After completing the configurations, you can run the following commands to check the configurations.
Copyright © Huawei Technologies Co., Ltd.