Cisco 300 Series User Manual

1117 pages
16 Denial of Service (DoS) Commands
OL-32830-01 Command Line Interface Reference Guide 372
This command rate limits ingress TCP packets with "SYN=1", "ACK=0" and "FIN=0"
for the specified destination IP addresses.
SYN attack rate limiting is implemented after the security suite rules are applied to
the packets. The ACL and QoS rules are not applied to those packets.
Because the hardware rate limiting counts bytes, it is assumed that “SYN”
packets are short.
Example
The following example attempts to rate limit DoS SYN attacks on a port. It fails
because security suite is enabled globally and not per interface.
switchxxxxxx(config)# security-suite enable global-rules-only
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# security-suite dos syn-attack 199 any /10
To perform this command, DoS Prevention must be enabled in the per-interface mode.
16.8 security-suite enable
To enable the security suite feature, use the security-suite enable Global
Configuration mode command. This feature supports protection against various
types of attacks.
When this command is used, hardware resources are reserved. These hardware
resources are released when the no security-suite enable command is entered.
The security-suite feature can be enabled in one of the following ways:
Global-rules-only: This enables the feature globally but per-interface
features are not enabled.
All (no keyword): The feature is enabled globally and per-interface.
To disable the security suite feature, use the no form of this command.
When security-suite is enabled, you can specify the types of protection required.
The following commands can be used:
show security-suite configuration
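
The failure shown in the example above can be caught before a command script is pushed to the switch. The following is an added example, not part of the Cisco manual: a small Python linter that walks a candidate script in order and reports per-interface security-suite dos syn-attack lines entered while the security suite is not in per-interface mode. The function name, the sample script and the treatment of a disabled suite as a failure are assumptions.

```python
import re

# Constructed candidate script, modelled on the failing example in the manual.
SAMPLE_CONFIG = """\
security-suite enable global-rules-only
interface gi11
 security-suite dos syn-attack 199 any /10
exit
"""

ENABLE_RE = re.compile(r"^(no\s+)?security-suite\s+enable(?:\s+(global-rules-only))?$")
IFACE_RE = re.compile(r"^interface\s+(?:range\s+)?(\S+)")
SYN_RE = re.compile(r"^security-suite\s+dos\s+syn-attack\b")


def lint_syn_rate_limits(config_text):
    """Return (line_no, interface, reason) for every per-interface syn-attack
    line entered while the security suite is not in per-interface mode."""
    mode = "disabled"  # one of: disabled, global-rules-only, all
    iface = None       # interface context the CLI would be in
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        enable = ENABLE_RE.match(line)
        if enable:
            if enable.group(1):        # "no security-suite enable"
                mode = "disabled"
            elif enable.group(2):      # "... enable global-rules-only"
                mode = "global-rules-only"
            else:                      # no keyword: global and per-interface
                mode = "all"
            continue
        entered = IFACE_RE.match(line)
        if entered:
            iface = entered.group(1)
        elif line in ("exit", "end"):
            iface = None
        elif iface and SYN_RE.match(line) and mode != "all":
            # Assumption: a disabled suite is rejected like global-rules-only.
            findings.append((line_no, iface, "security suite mode is " + mode))
    return findings


if __name__ == "__main__":
    for line_no, iface, reason in lint_syn_rate_limits(SAMPLE_CONFIG):
        print(f"line {line_no}: syn-attack on {iface} will be rejected: {reason}")
```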

Cisco 300 Series Specifications

General
Model: Cisco 300 Series
Category: Switch
Dimensions: Varies by model
Weight: Varies by model
Power over Ethernet (PoE): Available on select models
Management: Web-based GUI, SNMP, CLI
VLANs: Up to 256
Security Features: ACLs, 802.1X, Port Security
Humidity: 10% to 90% non-condensing
Ports: 8, 16, 24, 48
