Chapter 8
| General Security Measures
Denial of Service Protection
– 303 –
dos-protection tcp
invalid-header-length
This command protects against attacks which send TCP packets with an incorrect
header length. Such packets are not allowed by the system, but their abundant
number can cause computer crashes and other system errors.
Syntax
[no] dos-protection udp invalid-header-length
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
In these packets, the TCP raw header size is less than the minimum size defined for
a TCP header (i.e., the data offset < 5).
Example
Console(config)#dos-protection udp invalid-header-length
Console(config)#
dos-protection tcp
null-scan
This command protects against null-scan attacks in which a TCP NULL scan
message is used to identify listening TCP ports. The scan uses a series of strangely
configured TCP packets which contain a sequence number of 0 and no flags. If the
target's TCP port is closed, the target replies with a TCP RST (reset) packet. If the
target TCP port is open, it simply discards the TCP NULL scan.
Syntax
[no] dos-protection tcp null-scan
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
In these packets, all TCP flags are 0.
Example
Console(config)#dos-protection tcp null-scan
Console(config)#
To Next Page
Loading...
Need help?
General
