
ELTEX MES3108 - 5.30 Configuration of Protection from DoS Attacks

ELTEX MES3108
243 pages
MES3000 Ethernet switch series 207
offset: byte offset within a packet. The base offset is taken as the starting point.
mask: mask. Packet analysis is performed only for the bits of the byte that are set to "1" in the mask.
value: the set value.
no offset-list offset_list_name
Removes a previously created list.
5.30 Configuration of Protection from DoS Attacks
These commands provide means for blocking some widespread types of DoS attacks.
Global Configuration Mode Commands
The command prompt in global configuration mode appears as follows:
console (config)#
Table 5.252 Configuration commands for protection from DoS attacks

Command: security-suite deny martian-addresses {reserved | add ip_address | remove ip_address}
Value: ip_address: IP address
Action: Denies frames with invalid (Martian) IP source addresses (loopback, broadcast, multicast).

Command: security-suite dos protect {add | remove} {stacheldraht | invasor-trojan | back-orifice-trojan}
Value: -
Action: Denies/permits certain types of traffic which are often used by malware:
- stacheldraht: filters out TCP packets with source port 16660;
- invasor-trojan: filters out TCP packets with destination port 2140 and source port 2140;
- back-orifice-trojan: filters out UDP packets with destination port 31337 and source port 1024.

Command: security-suite enable
Value: -
Action: Enables the security-suite command class.

Command: no security-suite enable
Action: Disables the security-suite command class.
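The following Python is an added example, not part of the manual and not Eltex code. It models the match criteria listed in Table 5.252 so that their scope can be checked against flow records. The function names and sample flows are constructed, and treating "broadcast" as 255.255.255.255 only is an assumption, since the page does not give the switch's "reserved" list.

```python
import ipaddress

# Match criteria transcribed from Table 5.252 (None = field not checked).
DOS_PROTECT = {
    "stacheldraht":        {"proto": "tcp", "sport": 16660, "dport": None},
    "invasor-trojan":      {"proto": "tcp", "sport": 2140,  "dport": 2140},
    "back-orifice-trojan": {"proto": "udp", "sport": 1024,  "dport": 31337},
}

def is_martian(src):
    """Source classes the table names: loopback, broadcast, multicast.
    Assumption: 'broadcast' is modelled as the limited broadcast address only;
    the switch's actual 'reserved' list is not given on the page."""
    ip = ipaddress.ip_address(src)
    return ip.is_loopback or ip.is_multicast or str(ip) == "255.255.255.255"

def matched_rules(pkt, enabled=DOS_PROTECT):
    """Return the names of the rules that would deny this packet."""
    hits = []
    if is_martian(pkt["src"]):
        hits.append("martian-addresses")
    for name, rule in enabled.items():
        if pkt["proto"] != rule["proto"]:
            continue
        # A rule matches only if every port it specifies is equal.
        if all(rule[f] is None or pkt[f] == rule[f] for f in ("sport", "dport")):
            hits.append(name)
    return hits

# Constructed sample flows (not captured traffic).
SAMPLES = [
    {"src": "192.0.2.10", "proto": "tcp", "sport": 16660, "dport": 443},
    {"src": "192.0.2.11", "proto": "udp", "sport": 1024, "dport": 31337},
    {"src": "192.0.2.12", "proto": "udp", "sport": 40000, "dport": 31337},
    {"src": "127.0.0.1", "proto": "tcp", "sport": 2140, "dport": 2140},
    {"src": "198.51.100.7", "proto": "tcp", "sport": 51514, "dport": 22},
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", matched_rules(p) or "permitted")
```

The first sample shows that the stacheldraht rule denies any TCP flow whose source port is 16660, whatever its destination, which is worth knowing when reading drop counters after enabling it.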
Commands for Interface Configuration of Ethernet Interface and a Group of Ports
The command prompt in interface configuration mode for an Ethernet interface and a group of ports appears as follows:
console (config-if)#
Table 5.253 Command for configuration of interface protection from DoS attacks

Command: security-suite deny {fragmented | icmp | syn} {add | remove} {any | ip_address [mask]}
Value: ip_address: IP address; mask: mask in the form of IP address or prefix
Action: Creates/removes a rule denying traffic that matches the criteria:
- fragmented: fragmented packets;
- icmp: ICMP traffic;
- syn: SYN packets.

Command: no security-suite deny {fragmented | icmp | syn} {add | remove} {any | ip_address [mask]}
Action: Restores the default value.

Command: security-suite dos syn-attack rate {any | ip_address [mask]}
Value: rate: 51000 packets per second; ip_address: IP address; mask: mask in the form of IP address or prefix
Action: Specifies a threshold for SYN requests for a specific IP address/network. All frames exceeding the threshold will be ignored.

Command: no security-suite dos syn-attack {any | ip_address [mask]}
Action: Restores the default value.
