Chapter 8
| General Security Measures
Denial of Service Protection
– 299 –
Command Usage
These packets may have any of the following attributes:
â—† Header length is less than 4 bytes
â—† Raw IP data length is less than header length * 4
Example
Console(config)#dos-protection ip invalid-header-length
Console(config)#
dos-protection ip
invalid-ip-address
This command protects against attacks in which the source IP address and the
destination IP address are the same.
Syntax
[no] dos-protection ip invalid-ip-address
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection ip invalid-ip-address
Console(config)#
dos-protection ip
invalid-source-ip-
address
This command protects against attacks in which hackers replace the source address
in packets sent to the victim with an invalid source IP address to protect the
identity of the sender or to mislead the receiver as to the origin and validity of sent
data. These attacks may send a constant stream of packets with an invalid source
address such as 127.0.0.1, causing receiver to respond in the desired manner, while
continuing to hide the identity of the attacker. This type of attack is especially
effective since the packets seem to come from different sources and thus making
the perpetrators hard to trace.
One of the main reasons for forging a source address while staging a DoS attack is
to avoid detection upon staging the attack. The other reason is to stage a twofold
attack. One example of such an attack is a smurf attack. In a smurf attack, the
attacker attacks in two places at the same time. Not only is the end target affected
by the large number of echo replies received, but the network that acts as the
reflector is also affected by the large amount of traffic.
Syntax
[no] dos-protection ip invalid-source-ip-address
To Next Page
Loading...
Need help?
General
