Chapter 9
| General Security Measures
Denial of Service Protection
– 378 –
dos-protection
tcp-xmas-scan
This command protects against DoS TCP-xmas-scan in which a so-called TCP XMAS
scan message is used to identify listening TCP ports. This scan uses a series of
strangely configured TCP packets which contain a sequence number of 0 and the
URG, PSH and FIN flags. If the target's TCP port is closed, the target replies with a
TCP RST packet. If the target TCP port is open, it simply discards the TCP XMAS scan.
Use the no form to disable this feature.
Syntax
[no] dos-protection tcp-xmas-scan
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection tcp-xmas-scan
Console(config)#
dos-protection
udp-flooding
This command protects against DoS UDP-flooding attacks in which a perpetrator
sends a large number of UDP packets (with or without a spoofed-Source IP) to
random ports on a remote host. The target will determine that application is
listening at that port, and reply with an ICMP Destination Unreachable packet. It
will be forced to send many ICMP packets, eventually leading it to be unreachable
by other clients. Use the no form to disable this feature.
Syntax
dos-protection udp-flooding [bit-rate-in-kilo rate]
no dos-protection udp-flooding
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
Default Setting
Disabled, 1000 kbits/second
Command Mode
Global Configuration
Example
Console(config)#dos-protection udp-flooding 65
Console(config)#
To Next Page
Loading...
Need help?
General