System Management Guide Security
Edition: 01 3HE 11018 AAAC TQZZA 33
• option present
• source IP address
• source port
• TCP ACK
• TCP SYN
IPv6 CSM filters drop or accept incoming packets based on the following match
criteria:
• DSCP name
• destination IP address
• destination port
• ICMP code
•ICMP type
• source IP address
• source port
•TCP ACK
• TCP SYN
To prevent DoS-like attacks from overwhelming the control plane while ensuring that
critical control traffic such as signaling is always serviced in a timely manner, the
7705 SAR segregates the incoming control plane traffic into different queues. These
queues are used to shape and rate-limit traffic for each protocol or group of protocols,
or on a per-flow basis, with the main goal of mitigating DoS attacks and ensuring that
the control plane does not end up with more traffic than it can handle.
These queues are fixed use (each queue handles a certain type of traffic, which is
not user-configurable) and fixed configuration (each queue is configured for
particular rates and buffering capacity and is not user-configurable).
3.4.3 Exponential Login Backoff
A malicious user can gain CLI access via a dictionary attack: using a script to try
“admin” with any password.
The 7705 SAR increases the delay between login attempts exponentially to mitigate
attacks. It is applied to the console login. SSH and Telnet sessions terminate after
four attempts.
To Next Page
Loading...
