
D-Link DGS-3000 - Chapter 28 DoS Attack Prevention Command List

DGS-3000 Series Layer 2 Managed Gigabit Ethernet Switch CLI Reference Guide
Chapter 28
DoS Attack Prevention
Command List
config dos_prevention dos_type [{land_attack | blat_attack | tcp_null_scan | tcp_xmasscan | tcp_synfin | tcp_syn_srcport_less_1024 | ping_death_attack | tcp_tiny_frag_attack} | all] {action [drop] | state [enable | disable]}
show dos_prevention {land_attack | blat_attack | tcp_null_scan | tcp_xmasscan | tcp_synfin | tcp_syn_srcport_less_1024 | ping_death_attack | tcp_tiny_frag_attack}
config dos_prevention trap [enable | disable]
config dos_prevention log [enable | disable]
28-1 config dos_prevention dos_type
Description
This command is used to configure the prevention of each Denial-of-Service (DoS) attack,
including state and action. The packet matching will be done by hardware. For a specific type of
attack, the content of the packet will be matched against a specific pattern.
Format
config dos_prevention dos_type [{land_attack | blat_attack | tcp_null_scan | tcp_xmasscan | tcp_synfin | tcp_syn_srcport_less_1024 | ping_death_attack | tcp_tiny_frag_attack} | all] {action [drop] | state [enable | disable]}
Parameters
land_attack - (Optional) Checks whether the source address is equal to the destination address of a received IP packet.
blat_attack - (Optional) Checks whether the source port is equal to the destination port of a received TCP packet.
tcp_null_scan - (Optional) Checks whether a received TCP packet contains a sequence number of 0 and no flags.
tcp_xmasscan - (Optional) Checks whether a received TCP packet contains URG, Push and FIN flags.
tcp_synfin - (Optional) Checks whether a received TCP packet contains FIN and SYN flags.
tcp_syn_srcport_less_1024 - (Optional) Checks whether the source port of a received TCP packet is less than 1024.
ping_death_attack - (Optional) Detects whether received packets are fragmented ICMP packets.
tcp_tiny_frag_attack - (Optional) Checks whether the packets are TCP tiny fragment packets.
all - Specifies all DoS attack types.
action - (Optional) When enabling DoS prevention, the following actions can be taken.
    drop - Drops DoS attack packets.
state - (Optional) Specifies the DoS attack prevention state.
    enable - Enables DoS attack prevention.
    disable - Disables DoS attack prevention.
Restrictions
Only Administrators, Operators and Power-Users can issue this command.
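Added example (not from the D-Link guide, and not the switch's hardware implementation): a software model of the match patterns as the parameter descriptions above word them, useful for checking which dos_type a captured IPv4 packet would fall under before enabling drop. Assumptions: the function and helper names are hypothetical, the SYN requirement for tcp_syn_srcport_less_1024 is inferred from the keyword name, and tcp_tiny_frag_attack is left out because the page gives no pattern for it.

```python
import socket
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20  # TCP flag bits

def match_dos_types(pkt):
    """Return the dos_type keywords whose documented pattern an IPv4 packet matches."""
    hits = set()
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or ihl < 20:
        return hits  # not a parseable IPv4 header
    (frag_word,) = struct.unpack("!H", pkt[6:8])
    more_frags, frag_off = bool(frag_word & 0x2000), frag_word & 0x1FFF
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    if src == dst:
        hits.add("land_attack")
    if proto == 1 and (more_frags or frag_off):
        hits.add("ping_death_attack")  # fragmented ICMP
    # The TCP header is only visible in the first fragment (offset 0).
    if proto == 6 and frag_off == 0 and len(pkt) >= ihl + 14:
        sport, dport, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
        flags = pkt[ihl + 13] & 0x3F
        if sport == dport:
            hits.add("blat_attack")
        if seq == 0 and flags == 0:
            hits.add("tcp_null_scan")
        if (flags & (URG | PSH | FIN)) == (URG | PSH | FIN):
            hits.add("tcp_xmasscan")
        if flags & SYN and flags & FIN:
            hits.add("tcp_synfin")
        # Assumption: the SYN requirement is inferred from the keyword name.
        if flags & SYN and sport < 1024:
            hits.add("tcp_syn_srcport_less_1024")
    return hits

def build_ipv4(src, dst, proto, frag_word=0, l4=b""):
    """Constructed sample: 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_word, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + l4

def build_tcp(sport, dport, seq, flags):
    """Constructed sample: 20-byte TCP header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)

if __name__ == "__main__":
    # Constructed packet using documentation addresses (192.0.2.0/24).
    xmas = build_ipv4("192.0.2.10", "192.0.2.20", 6,
                      l4=build_tcp(40000, 80, 1, FIN | PSH | URG))
    print(sorted(match_dos_types(xmas)))
```

A single packet can match several types at once (for example a SYN from port 80 to port 80), which matters when only some types are enabled with state enable.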
