Network Attack Prevention Configuration
Alcatel-Lucent
OmniAccess 5740 Unified Services Gateway CLI Configuration Guide
The following attacks are the Default attacks (Rate Limiting attacks, which
include both Stateful and Stateless attacks):
tcp_header_frag - -
udp_header_frag - -
tcp_fin_scan - -
tcp_syn_flood 100 1000 5
icmp_ping_flood 100 1000
icmp_dest_unrch_storm 10 1000
icmp_ip_address_sweep 100 1000
port_scan 5 1000
udp_flood 200 1000
udp-port-loopback 10 1000
ip-tear-drop - -
ip-tiny-frag 50 64
icmp-ping-of-death 50 65507
ip-zero-length - -
ip-land-attack - -
tcp-xmas-scan - -
tcp_-invalid-urgent-offset - -
tcp-null-scan - -
tcp-syn-fin - -
tcp-fin-no-ack - -
udp-fraggle-attack - -
You can create a “default” attack setting to check only the stateless attacks by
using the keyword “default stateless”.
The following attacks are the Default Stateless (Default Non-Rate Limiting)
attacks:
ip-tear-drop - -
ip-tiny-frag 50 64
icmp-ping-of-death 50 65507
ip-zero-length - -
ip-land-attack - -
tcp-xmas-scan - -
tcp_-invalid-urgent-offset - -
tcp-null-scan - -
tcp-syn-fin - -
tcp-fin-no-ack - -
udp-fraggle-attack - -
Note: Some of the fragmentation attacks, in particular teardrop attack, tiny fragment attack,
and TCP header fragment attacks are detected by the fragment handling code even if
the corresponding attacks have not been configured. This will happen for any traffic
that is subject to any firewall configuration, i.e., either filter, NAT or DoS configuration.
This is why you can see these attacks in the “show” output even when you have not
configured them.
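The relationship between the two default sets and the Note above, as an added example that is not part of the guide: it derives which attacks the "default stateless" keyword leaves unchecked and sorts attack names seen in "show" output by why they can appear. Assumptions: the function names are hypothetical, the mapping of the Note's three attacks to table identifiers is inferred, and the names are taken as already extracted from the output, whose format this page does not show.

```python
# Attack names copied from the two default tables on this page.
DEFAULT = [
    "tcp_header_frag", "udp_header_frag", "tcp_fin_scan", "tcp_syn_flood",
    "icmp_ping_flood", "icmp_dest_unrch_storm", "icmp_ip_address_sweep",
    "port_scan", "udp_flood", "udp-port-loopback", "ip-tear-drop",
    "ip-tiny-frag", "icmp-ping-of-death", "ip-zero-length", "ip-land-attack",
    "tcp-xmas-scan", "tcp_-invalid-urgent-offset", "tcp-null-scan",
    "tcp-syn-fin", "tcp-fin-no-ack", "udp-fraggle-attack",
]
# The stateless table is exactly the tail of the default table.
DEFAULT_STATELESS = DEFAULT[10:]

# Assumption: the three attacks named in the Note map to these identifiers.
FRAGMENT_HANDLER = {"ip-tear-drop", "ip-tiny-frag", "tcp_header_frag"}


def profile(keyword):
    """Attack names checked under 'default' or 'default stateless'."""
    table = {"default": DEFAULT, "default stateless": DEFAULT_STATELESS}
    if keyword not in table:
        raise ValueError(f"unknown keyword: {keyword!r}")
    return set(table[keyword])


def rate_limited_only():
    """Attacks that 'default' checks but 'default stateless' does not."""
    return [a for a in DEFAULT if a not in DEFAULT_STATELESS]


def reconcile(keyword, seen, firewall_applied=True):
    """Sort attack names seen in 'show' output by why they can appear."""
    configured = profile(keyword)
    # Per the Note, fragment handling only runs on traffic subject to some
    # firewall configuration (filter, NAT or DoS).
    implicit = FRAGMENT_HANDLER if firewall_applied else set()
    out = {"configured": [], "fragment_handler": [], "unexplained": []}
    for name in seen:
        if name in configured:
            out["configured"].append(name)
        elif name in implicit:
            out["fragment_handler"].append(name)
        else:
            out["unexplained"].append(name)
    return out


if __name__ == "__main__":
    seen = ["tcp_header_frag", "tcp-null-scan", "udp_flood"]  # constructed sample
    print(rate_limited_only())
    print(reconcile("default stateless", seen))
```

An entry under "unexplained" is one that neither the selected keyword nor the fragment handling code accounts for, so it points to additional attack configuration beyond the default set.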