Security Commands
352
ProSAFE M7100 Managed Switches
Denial of Service Commands
This section describes the commands you use to configure Denial of Service (DoS) Control. The
software provides support for classifying and blocking specific types of Denial of Service attacks.
You can configure your system to monitor and block these types of attacks:
• SIP=DIP: Sour
ce IP address = Destination IP address.
• First Fragment: TCP Header size smaller than configured value.
•
TCP Fragment: IP Fragment Offset = 1.
•
TCP Flag: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP
Sequenc
e Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or
TCP Flags SYN and FIN set.
• L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
•
ICMP: Limiting the size of ICMP Ping packets.
•
SMAC = DMAC: Source MAC address = Destination MAC address.
•
TCP Port: Source TCP Port = Destination TCP Port.
•
UDP Port: Source UDP Port = Destination UDP Port.
• TCP Flag & Sequence: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and
T
CP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number =
0 or TCP Flags SYN and FIN set.
• TCP Offset: TCP Header Offset = 1.
•
TCP SYN: TCP Flag SYN set.
•
TCP SYN & FIN: TCP Flags SYN and FIN set.
•
TCP FIN & URG & PSH: TCP Flags FIN and URG and PSH set and TCP Sequence Number = 0.
•
ICMP V6: Limiting the size of ICMPv6 Ping pack
ets.
• ICMP Fragment: Checks for fragmented ICMP packets.
dos-control all
This command enables Denial of Service protection checks globally.
Default disabled
Format dos-control all
Mode Global Config
To Next Page
Loading...
