Edge-Core ECS4620-28F-2AC - Page 385

1260 pages
Chapter 9 | General Security Measures
Denial of Service Protection
dos-protection tcp-flooding
This command protects against DoS TCP-flooding attacks in which a perpetrator
sends a succession of TCP SYN requests (with or without a spoofed source IP) to a
target and never returns ACK packets. These half-open connections tie up
resources on the target until no new connections can be made, resulting in a denial
of service. Use the no form without the bit rate parameter to disable this feature, or
with the bit rate parameter to restore the default rate limit.
Syntax
dos-protection tcp-flooding [bit-rate-in-kilo rate]
no dos-protection tcp-flooding [bit-rate-in-kilo]
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#
dos-protection tcp-null-scan
This command protects against DoS TCP-null-scan attacks in which a TCP NULL
scan message is used to identify listening TCP ports. The scan uses a series of
strangely configured TCP packets which contain a sequence number of 0 and no
flags. If the target's TCP port is closed, the target replies with a TCP RST (reset)
packet. If the target TCP port is open, it simply discards the TCP NULL scan. Use the
no form to disable this feature.
Syntax
[no] dos-protection tcp-null-scan
Default Setting
Enabled
Command Mode
Global Configuration
Command Usage
In these packets, all TCP flags are 0.
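An added example, not from the Edge-Core manual: a small Python audit that replays the two commands above in order and reports the resulting protection state, using the defaults and the 64-2000 range documented on this page. The `audit` function, the `SAMPLE` input, and the assumptions that setting a rate also enables the feature and that lines may carry the `Console(config)#` prompt are illustrative.

```python
import re

DEFAULT_RATE, RATE_MIN, RATE_MAX = 1000, 64, 2000   # kbits/second, from this page
CMD = re.compile(
    r"^(?P<no>no\s+)?dos-protection\s+(?P<kind>tcp-flooding|tcp-null-scan)"
    r"(?:\s+(?P<kw>bit-rate-in-kilo)(?:\s+(?P<rate>\d+))?)?$")

def audit(config_text):
    """Replay dos-protection lines in order; return the resulting state."""
    # Documented defaults: tcp-flooding disabled at 1000 kbits/s, null-scan enabled.
    st = {"tcp_flooding": False, "rate": DEFAULT_RATE,
          "tcp_null_scan": True, "errors": []}
    for n, raw in enumerate(config_text.splitlines(), 1):
        # Assumption: lines may be pasted with the CLI prompt still attached.
        line = re.sub(r"^Console\(config\)#", "", raw.strip()).strip()
        m = CMD.match(line)
        if not m:
            continue                          # unrelated command or empty line
        no, kind, kw, rate = m["no"], m["kind"], m["kw"], m["rate"]
        if kind == "tcp-null-scan":
            if kw:
                st["errors"].append(f"line {n}: tcp-null-scan takes no parameter")
            else:
                st["tcp_null_scan"] = not no
        elif no:
            if rate:
                st["errors"].append(f"line {n}: no form takes no rate value")
            elif kw:
                st["rate"] = DEFAULT_RATE     # restores the rate only
            else:
                st["tcp_flooding"] = False    # disables the feature
        elif kw and rate is None:
            st["errors"].append(f"line {n}: bit-rate-in-kilo needs a rate")
        elif rate and not RATE_MIN <= int(rate) <= RATE_MAX:
            st["errors"].append(f"line {n}: rate {rate} outside {RATE_MIN}-{RATE_MAX}")
        else:
            st["tcp_flooding"] = True         # assumption: setting a rate also enables
            if rate:
                st["rate"] = int(rate)
    return st

# Constructed sample input, not taken from a real device.
SAMPLE = """\
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 65
Console(config)#no dos-protection tcp-flooding bit-rate-in-kilo
Console(config)#dos-protection tcp-flooding bit-rate-in-kilo 2500
Console(config)#no dos-protection tcp-null-scan
"""
print(audit(SAMPLE))
```

On the sample, the second line resets the rate to 1000 without disabling TCP-flooding protection, the third is rejected as out of range, and the fourth turns off the null-scan protection that is on by default.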
