1074Usage guidelinesThe global threshold applies to global RST flood attack detection. Adjust the threshold according tothe application scenarios. If the number of RST packets sent to a protected server, such as an HTTPor FTP server, is normally large, set a large threshold. A small threshold might affect the serverservices. For a network that is unstable or susceptible to attacks, set a small threshold.With global RST flood attack detection configured, the device is in attack detection state. When thesending rate of RST packets to an IP address reaches the threshold, the device enters preventionstate and takes the specified actions. When the rate is below the silence threshold (three-fourths ofthe threshold), the device returns to the attack detection state.Examples# Set the global threshold to 100 for triggering RST flood attack prevention in the attack defensepolicy atk-policy-1. system-view[Sysname] attack-defense policy atk-policy-1[Sysname-attack-defense-policy-atk-policy-1] rst-flood threshold 100Related commandsrst-flood actionrst-flood detectrst-flood detect non-specificscan detectUse scan detect to configure scanning attack detection.Use undo scan detect to remove the scanning attack detection configuration.Syntaxscan detect level { high | low | medium } action { { block-source [ timeout minutes ] | drop } |logging } *undo scan detect level { high | low | medium }DefaultScanning attack detection is disabled.ViewsAttack defense policy viewPredefined user rolesnetwork-adminParameterslevel: Specifies the level of the scanning attack detection.low: Specifies the low level. This level provides basic scanning attack detection. It has a low falsealarm rate but many scanning attacks cannot be detected. Statistics are collected every 60 secondsfor the low level detection.high: Specifies the high level. This level can detect most of the scanning attacks, but has a high falsealarm rate. Some packets from active hosts might be considered as attack packets. Statistics arecollected every 600 seconds for the high level detection.medium: Specifies the medium level. Compared with the high and low levels, this level has mediumfalse alarm rate and attack detection accuracy. Statistics are collected every 90 seconds for themedium level detection.