Chapter 9
| General Security Measures
Denial of Service Protection
– 315 –
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection echo-chargen bit-rate-in-kilo 65
Console(config)#
dos-protection smurf
This command protects against DoS smurf attacks in which a perpetrator generates
a large amount of spoofed ICMP Echo Request traffic to the broadcast destination
IP address (255.255.255.255), all of which uses a spoofed source address of the
intended victim. The victim should crash due to the many interrupts required to
send ICMP Echo response packets. Use the
no
form to disable this feature.
Syntax
[
no
]
dos-protection smurf
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection smurf
Console(config)#
dos-protection
tcp-flooding
This command protects against DoS TCP-flooding attacks in which a perpetrator
sends a succession of TCP SYN requests (with or without a spoofed-Source IP) to a
target and never returns ACK packets. These half-open connections will bind
resources on the target, and no new connections can be made, resulting in a denial
of service. Use the
no
form without the bit rate parameter to disable this feature, or
with the bit rate parameter to restore the default rate limit.
Syntax
[
no
]
dos-protection tcp-flooding
[
bit-rate-in-kilo
rate]
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
To Next Page
Loading...
Need help?
General
