ELTEX ESR Series User Manual

575 pages
ESR-Series. User manual
387
| Command | Description |
|---|---|
| ip firewall screen dos-defense limit-session-destination | When a host's IP session table overflows, the host cannot establish new sessions and drops the requests (this can happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables limiting the number of packets transmitted per second per destination address, which attenuates DoS attacks. |
| ip firewall screen dos-defense limit-session-source | When a host's IP session table overflows, the host cannot establish new sessions and drops the requests (this can happen during various DoS attacks: SYN flood, UDP flood, ICMP flood, etc.). The command enables limiting the number of packets transmitted per second per source address, which attenuates DoS attacks. |
| ip firewall screen dos-defense syn-flood | This command enables protection against SYN flood attacks. When the protection is enabled, the number of TCP packets with the SYN flag set per second for one destination address is limited. The attack causes the host to reboot and fail because it has to process every TCP SYN packet and attempt to establish a TCP session. |
| ip firewall screen dos-defense udp-threshold | This command enables protection against UDP flood attacks. When the protection is enabled, the number of UDP packets per second for one destination address is limited. The attack causes the host to reboot and fail because of the massive UDP traffic. |
| ip firewall screen dos-defense winnuke | This command enables protection against winnuke attacks. When the protection is enabled, TCP packets with the URG flag set and destination port 139 are blocked. The attack causes older Windows versions (up to Windows 95) to fail. |
| ip firewall screen spy-blocking fin-no-ack | This command enables blocking of TCP packets with the FIN flag set and the ACK flag not set. Such packets are specially crafted, and the response to them makes it possible to determine the victim's operating system. |
| ip firewall screen spy-blocking icmp-type destination-unreachable | This command enables blocking of all ICMP type 3 packets (destination-unreachable), including packets generated by the router itself. The protection prevents an attacker from learning about the network topology and host availability. |
| ip firewall screen spy-blocking icmp-type echo-request | This command enables blocking of all ICMP type 8 packets (echo-request), including packets generated by the router itself. The protection prevents an attacker from learning about the network topology and host availability. |
| ip firewall screen spy-blocking icmp-type reserved | This command enables blocking of all ICMP type 2 and type 7 packets (reserved), including packets generated by the router itself. The protection prevents an attacker from learning about the network topology and host availability. |
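
The following sketch is an added example, not code from the manual or from ELTEX. It models the packet-level checks the table describes (fin-no-ack, winnuke, the blocked ICMP types, and the per-destination SYN and UDP limits) so their verdicts can be compared on constructed traffic. The packet dictionary fields, the threshold values and the fixed one-second counting window are assumptions, and the two limit-session commands are not modelled.

```python
from collections import Counter

# Assumed thresholds for illustration; the page gives no default values.
SYN_LIMIT = 3   # TCP SYN packets per second per destination
UDP_LIMIT = 2   # UDP packets per second per destination
BLOCKED_ICMP = {3: "destination-unreachable", 8: "echo-request",
                2: "reserved", 7: "reserved"}

def screen(packets, syn_limit=SYN_LIMIT, udp_limit=UDP_LIMIT):
    """Return one (verdict, rule) pair per packet, in input order."""
    seen = Counter()  # (kind, dst, whole second) -> packets counted so far
    out = []
    for p in packets:
        flags = set(p.get("flags", ()))
        rule = None
        if p["proto"] == "icmp":
            name = BLOCKED_ICMP.get(p["icmp_type"])
            rule = name and "spy-blocking icmp-type " + name
        elif p["proto"] == "tcp":
            if "FIN" in flags and "ACK" not in flags:
                rule = "spy-blocking fin-no-ack"
            elif "URG" in flags and p["dport"] == 139:
                rule = "dos-defense winnuke"
            elif "SYN" in flags:
                key = ("syn", p["dst"], int(p["ts"]))
                seen[key] += 1
                if seen[key] > syn_limit:   # excess SYNs in this second
                    rule = "dos-defense syn-flood"
        elif p["proto"] == "udp":
            key = ("udp", p["dst"], int(p["ts"]))
            seen[key] += 1
            if seen[key] > udp_limit:       # excess datagrams in this second
                rule = "dos-defense udp-threshold"
        out.append(("drop", rule) if rule else ("pass", None))
    return out

# Constructed sample traffic (documentation address range, not a capture).
SAMPLE = (
    [{"ts": 10.0 + i / 10, "proto": "tcp", "dst": "192.0.2.10",
      "dport": 80, "flags": ["SYN"]} for i in range(5)]
    + [{"ts": 11.0, "proto": "tcp", "dst": "192.0.2.10", "dport": 80, "flags": ["SYN"]},
       {"ts": 11.1, "proto": "tcp", "dst": "192.0.2.20", "dport": 139, "flags": ["URG", "ACK"]},
       {"ts": 11.2, "proto": "tcp", "dst": "192.0.2.20", "dport": 22, "flags": ["FIN"]},
       {"ts": 11.3, "proto": "tcp", "dst": "192.0.2.20", "dport": 22, "flags": ["FIN", "ACK"]},
       {"ts": 11.4, "proto": "icmp", "dst": "192.0.2.20", "icmp_type": 8},
       {"ts": 11.5, "proto": "icmp", "dst": "192.0.2.20", "icmp_type": 0}]
)

if __name__ == "__main__":
    for pkt, (verdict, rule) in zip(SAMPLE, screen(SAMPLE)):
        print(pkt["ts"], pkt["proto"], verdict, rule or "")
```

In the sample, the fourth and fifth SYN to 192.0.2.10 within the same second are dropped while the SYN in the next second passes, which shows why a per-second limit throttles a flood without cutting the destination off entirely.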

ELTEX ESR Series Specifications

General

| Specification | Value |
|---|---|
| Model | ESR Series |
| Category | Network Router |
| Manufacturer | ELTEX |
| Management | Web interface, CLI, SNMP |
| Operating Temperature | 0°C to 40°C |
| Dimensions | Varies by model |
| Weight | Varies by model |
| Routing Protocols | OSPF, BGP |
| WAN Interfaces | Ethernet, SFP |
| LAN Interfaces | Ethernet, SFP |
| VPN Support | IPsec, L2TP, PPTP |
| Firewall | Stateful packet inspection, ACLs |
| Power over Ethernet (PoE) | Available on some models |
| QoS | Traffic prioritization |
