Chapter 8 | General Security Measures
Denial of Service Protection
– 305 –
dos-protection tcp syn-flood
This command protects against flooding attacks in which a perpetrator sends a
succession of TCP synchronization (SYN) requests, with or without a spoofed source IP
address, to a target and never completes the handshake with ACK packets. These
half-open connections tie up resources on the target until no new connections can
be accepted, resulting in denial of service.
Syntax
dos-protection tcp syn-flood [bit-rate-in-kilo rate]
no dos-protection tcp syn-flood
rate – Maximum allowed rate of TCP SYN traffic. (Range: 64-2048 kbits/second)
Default Setting
Disabled, 1024 kbits/second
Command Mode
Global Configuration
Command Usage
In these packets, SYN=1.
Example
Console(config)#dos-protection tcp syn-flood 65
Console(config)#
dos-protection tcp syn-psh-block
This command protects against attacks in which TCP segments with both the SYN and PSH
flags set are used to force the receiving TCP stack to pass the segment's data
immediately up to the application.
Syntax
[no] dos-protection tcp syn-psh-block
Default Setting
Disabled
Command Usage
In these packets, SYN=1 and PSH=1.
Example
Console(config)#dos-protection tcp syn-psh-block
Console(config)#
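The following is an added example, not switch firmware or code from this manual, that models the two checks described in the syn-flood and syn-psh-block entries above on constructed packet records: a per-second bit budget for segments with SYN=1 (the rate argument, validated against the 64-2048 kbits/second range), and a block on segments with SYN=1 and PSH=1. The Packet type, the 1-second window, the assumption that "kilo" means 1000 bits, and the sample burst are all assumptions made for the example; the flag bit values are the standard TCP header bits.

```python
"""Model of dos-protection tcp syn-flood and syn-psh-block (added example).

Not the switch implementation. Packet records are constructed; the
1-second window and 1 kbit = 1000 bits are assumptions for illustration.
"""
from dataclasses import dataclass

# Standard TCP flag bits in the flags byte of the TCP header.
SYN = 0x02
PSH = 0x08
ACK = 0x10


@dataclass
class Packet:
    ts: float     # arrival time in seconds (constructed)
    length: int   # bytes on the wire
    flags: int    # TCP flag bits


def syn_flood_filter(packets, rate_kbps=1024):
    """Apply the SYN rate limit; return (passed, dropped) lists.

    Only segments with SYN=1 count against the budget, matching the
    command usage on the page. The budget is rate_kbps * 1000 bits per
    1-second window (window choice and kilo=1000 are assumptions).
    Non-SYN segments are passed untouched.
    """
    if not 64 <= rate_kbps <= 2048:
        raise ValueError("rate must be 64-2048 kbits/second")
    budget_bits = rate_kbps * 1000
    window_start = None
    used_bits = 0
    passed, dropped = [], []
    for p in sorted(packets, key=lambda x: x.ts):
        if not p.flags & SYN:
            passed.append(p)
            continue
        # Start a fresh window when the current one is a second old.
        if window_start is None or p.ts - window_start >= 1.0:
            window_start = p.ts
            used_bits = 0
        bits = p.length * 8
        if used_bits + bits <= budget_bits:
            used_bits += bits
            passed.append(p)
        else:
            dropped.append(p)   # over budget: dropped by the limiter
    return passed, dropped


def syn_psh_block(packets):
    """Drop segments with SYN=1 and PSH=1; return (passed, dropped)."""
    passed, dropped = [], []
    for p in packets:
        if p.flags & SYN and p.flags & PSH:
            dropped.append(p)
        else:
            passed.append(p)
    return passed, dropped


def sample_burst():
    """Constructed burst: 200 bare SYNs of 60 bytes in 0.5 s, plus one ACK."""
    burst = [Packet(ts=i * 0.0025, length=60, flags=SYN) for i in range(200)]
    burst.append(Packet(ts=0.3, length=60, flags=ACK))
    return burst


def demo(rate_kbps=64):
    """Run both checks on the sample burst and summarise the verdicts."""
    passed, dropped = syn_flood_filter(sample_burst(), rate_kbps)
    _, psh_dropped = syn_psh_block([
        Packet(1.0, 60, SYN | PSH),  # SYN=1, PSH=1: blocked
        Packet(1.1, 60, SYN),        # plain SYN: allowed
        Packet(1.2, 60, PSH | ACK),  # data push on established flow: allowed
    ])
    return {
        "syn_passed": sum(1 for p in passed if p.flags & SYN),
        "syn_dropped": len(dropped),
        "non_syn_passed": sum(1 for p in passed if not p.flags & SYN),
        "syn_psh_blocked": len(psh_dropped),
    }


if __name__ == "__main__":
    print(demo())
```

At 64 kbits/second the budget is 64000 bits per window, so 133 of the 200 sixty-byte SYNs (480 bits each) fit and the remaining 67 are dropped, while the ACK is never counted. The same model with the default 1024 kbits/second passes the whole burst, which is the practical reason to size the rate to the expected legitimate connection setup rate rather than leaving the default.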