Alteon Application Switch Operating System Application Guide
Advanced Denial of Service Protection
Document ID: RDWR-ALOS-V2900_AG1302 611
To view the current values associated with these DoS attacks
Use of the of the following commands:
To display a brief explanation of any of the DoS attacks that Alteon guards against
Preventing Other Types of DoS Attacks
Table 52 describes how to prevent other types of DoS attacks.
Protocol-Based Rate Limiting
Alteon lets you detect and block certain kinds of protocol-based attacks. These attacks can flood
servers with enough traffic to severely affect their performance or bring them down altogether.
Protocol-based rate limiting is implemented via filters. Alteon currently supports rate limiting on TCP,
UDP, and ICMP protocols. Each filter is configured with one of the above protocols, and then rate
limiting is enabled or disabled in the Filtering Advanced menu.
• TCP Rate Limiting—Limits new TCP connection requests or SYN packets. Alteon monitors the
rate of incoming TCP connection requests to a virtual IP address and limits the client requests
with a known set of IP addresses. For more information, see TCP Rate Limiting, page 613
.
>> Main# /cfg/security/dos/cur
>> Main# /info/security/dos
>> Main# /cfg/security/dos/help
Table 52: DoS Attack Prevention Commands
DoS Attack Description User Action
Ping Flood
Flood of ICMP packets
intentionally sent to overwhelm
servers. The server is removed
from service while it attempts
to reply to every ping.
Configure
4: A Rate Limiting Filter to
Thwart Ping Flooding, page 617 to limit
ICMP packets.
Ping of Death
A ping of death attack sends
fragmented ICMP echo request
packets. When these packets are
reassembled, they are larger
than the 65536 byte packets
allowed by the IP protocol.
Oversized packets cause
overflows in the server's input
buffer, and can cause a system
to crash, hang, or reboot.
Configure FragOversize or
Matching
and Denying Large Packets—ICMP Ping of
Death Example, page 623.
To Next Page
Loading...
Need help?
General