Chapter 8
| General Security Measures
Denial of Service Protection
– 304 –
dos-protection tcp syn-ack-psh-block
This command protects against attacks in which TCP packets carrying the SYN, ACK
and PSH flags together are used to cause problems for some operating systems,
which do not handle this flag combination as a valid sequence.
Syntax
[no] dos-protection syn-ack-psh-block
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
In these packets, SYN=1, ACK=1 and PSH=1.
Example
Console(config)#dos-protection syn-ack-psh-block
Console(config)#
dos-protection tcp syn-fin-scan
This command protects against TCP SYN/FIN-scan attacks, in which TCP SYN/FIN
scan packets are used to identify listening TCP ports. The scan uses a series of
malformed TCP packets which have both the SYN (synchronize) and FIN (finish)
flags set. If the target's TCP port is closed, the target replies with a TCP RST (reset)
packet. If the target's TCP port is open, it simply discards the TCP SYN/FIN scan packet.
Syntax
[no] dos-protection syn-fin-scan
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
In these packets, SYN=1 and FIN=1.
Example
Console(config)#dos-protection syn-fin-scan
Console(config)#
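The two protections above both work by inspecting the flag byte of each TCP header and dropping packets whose flag combination never occurs in legitimate TCP (SYN+ACK+PSH, or SYN+FIN). The following Python example, added here for illustration and not part of the switch's firmware or this manual, shows that inspection in software: it builds a few constructed 20-byte TCP headers, classifies each by its flags, and applies a configurable set of enabled protections the way the `dos-protection` commands do. The function and constant names (`classify`, `filter_segments`, `SAMPLE_SEGMENTS`) are the example's own.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# TCP flag bits as laid out in byte 13 of the TCP header (RFC 793).
FIN = 0x01
SYN = 0x02
RST = 0x04
PSH = 0x08
ACK = 0x10
URG = 0x20

TCP_HEADER_LEN = 20  # minimum header length without options


def build_segment(src_port: int, dst_port: int, flags: int) -> bytes:
    """Construct a minimal TCP header for testing (constructed sample data, not captured).

    Sequence/ack numbers, checksum and urgent pointer are zero; data offset is 5
    (no options). Flag inspection does not need a valid checksum.
    """
    offset_and_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_and_flags, 65535, 0, 0)


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment whose header starts at offset 0."""
    return segment[13]


def classify(segment: bytes) -> Optional[str]:
    """Name the DoS-protection rule a segment matches, or None if it looks normal.

    "malformed" is returned for segments shorter than a TCP header, since the
    flag byte cannot be read reliably from a truncated packet.
    """
    if len(segment) < TCP_HEADER_LEN:
        return "malformed"
    flags = tcp_flags(segment)
    # SYN=1, ACK=1 and PSH=1 together: the syn-ack-psh-block case.
    if flags & (SYN | ACK | PSH) == (SYN | ACK | PSH):
        return "syn-ack-psh"
    # SYN=1 and FIN=1 together: the syn-fin-scan case.
    if flags & (SYN | FIN) == (SYN | FIN):
        return "syn-fin"
    return None


def filter_segments(segments: List[bytes],
                    enabled: Set[str]) -> Tuple[List[bytes], Dict[str, int]]:
    """Drop segments matching an enabled rule; return (forwarded, drop counts per rule).

    `enabled` mirrors which `dos-protection` commands are configured on the switch.
    """
    forwarded: List[bytes] = []
    dropped: Dict[str, int] = {}
    for seg in segments:
        rule = classify(seg)
        if rule is not None and rule in enabled:
            dropped[rule] = dropped.get(rule, 0) + 1
        else:
            forwarded.append(seg)
    return forwarded, dropped


# Constructed sample traffic: a normal three-way handshake plus a data segment,
# followed by one packet matching each protection rule.
SAMPLE_SEGMENTS = [
    build_segment(40000, 80, SYN),               # client SYN
    build_segment(80, 40000, SYN | ACK),         # server SYN/ACK (PSH absent, so not blocked)
    build_segment(40000, 80, ACK | PSH),         # client data
    build_segment(40000, 80, SYN | ACK | PSH),   # syn-ack-psh-block target
    build_segment(40000, 80, SYN | FIN),         # syn-fin-scan target
]


if __name__ == "__main__":
    forwarded, dropped = filter_segments(SAMPLE_SEGMENTS, {"syn-ack-psh", "syn-fin"})
    print(f"forwarded {len(forwarded)} segments, dropped {dropped}")
```

Because a legitimate SYN/ACK from a handshake never carries PSH, and SYN and FIN never appear together in a valid segment, these rules do not affect normal connections; the sample set above forwards the three handshake and data segments and drops only the two crafted ones. Enabling just `{"syn-fin"}` lets the SYN/ACK/PSH packet through, which matches the per-command enable/disable behaviour described in the manual.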