Radware Alteon User Manual

842 pages
Alteon Application Switch Operating System Application Guide
Advanced Denial of Service Protection
Document ID: RDWR-ALOS-V2900_AG1302 623
Matching All Patterns in a Group
Alteon is capable of matching on all patterns in a pattern group before the filter denies a packet. Use
the matchall command to instruct the filter to match all patterns in the group before performing the
deny action.
Note: The matchall command is configurable only for binary or ASCII patterns added to pattern
groups (pgroup). It does not apply to l7lkup filter strings configured with the
/cfg/slb/layer7/slb/addstr command.
To match all patterns in a group
1. Use the base configuration in Matching and Denying a UDP Pattern Group, page 621.
2. In the Filter menu, enable the matching of all criteria.
>> /cfg/slb/filt 90/adv/security/matchall ena
Now, both patterns configured in Matching and Denying a UDP Pattern Group, page 621 must be
matched before a packet is denied and dropped.
3. Apply and save the configuration.
Matching and Denying Large Packets—ICMP Ping of Death Example
A ping of death attack sends fragmented ICMP echo request packets. When these packets are
reassembled, they are larger than the 65536 byte packets allowed by the IP protocol. Oversized
packets cause overflows in the server's input buffer, and can cause a system to crash, hang, or
reboot.
Large ICMP packets, such as in an ICMP ping of death attack, can be blocked using a deny filter
combined with binary patterns used to filter non-zero IP offsets or More-Fragment bits sent in the IP
flags.
An IP packet is determined to be an IP fragment if one of the following occurs:
• The 13-bit fragment offset field in the IP header is non-zero.
• The More-Fragments bit in the 3-bit flags field in the IP header is set.
The flags field begins at the seventh byte of the IP packet, and the fragment offset is right after this
field. The two fields taken together occupy a total of two (2) bytes. By searching for values greater
than 0000 and less than 4000, Alteon searches for either of these conditions, or both.
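The fragment test described above, as an added Python example (not from the Radware manual): it reads the flags and fragment-offset word from an IPv4 header, compares the 0000 to 4000 range test with the two fragment conditions, and flags a fragment whose offset plus payload would reassemble past the IPv4 maximum. The function names and sample headers are constructed for illustration, and the range comparison assumes the Don't-Fragment and reserved bits are clear.

```python
import struct

MF_BIT = 0x2000        # More-Fragments flag inside the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units
MAX_IP_LEN = 65535     # largest value the 16-bit IPv4 Total Length field can hold

def frag_word(ip_header: bytes) -> int:
    """Return the 16-bit flags + fragment-offset word (7th and 8th header bytes)."""
    if len(ip_header) < 20:
        raise ValueError("truncated IPv4 header")
    return struct.unpack_from("!H", ip_header, 6)[0]

def is_fragment(word: int) -> bool:
    """Mask form of the two conditions: MF set, or fragment offset non-zero."""
    return bool(word & MF_BIT) or (word & OFFSET_MASK) != 0

def in_filter_range(word: int) -> bool:
    """Range form from the text: greater than 0000 and less than 4000 (hex)."""
    return 0x0000 < word < 0x4000

def reassembled_end(ip_header: bytes) -> int:
    """Offset at which this fragment's data ends in the reassembled payload."""
    ihl = (ip_header[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip_header, 2)[0]
    offset_bytes = (frag_word(ip_header) & OFFSET_MASK) * 8
    return offset_bytes + (total_len - ihl)

def oversized(ip_header: bytes) -> bool:
    """True when header plus reassembled payload would exceed the IPv4 maximum."""
    ihl = (ip_header[0] & 0x0F) * 4
    return ihl + reassembled_end(ip_header) > MAX_IP_LEN

def make_header(word: int, total_len: int, proto: int = 1) -> bytes:
    """Constructed 20-byte IPv4 header (zero checksum, documentation addresses)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, word,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

# Constructed samples: an unfragmented echo request, a first fragment, and a
# final fragment whose offset places its data beyond the maximum packet size.
PLAIN = make_header(0x0000, 84)
FIRST = make_header(0x2000, 1500)
LAST_OVERSIZED = make_header(0x1FFF, 1500)
```
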
>> SLB Port 3# add 90

ID  SLB String
8   BINMATCH=014F, offset=2, depth=0, op=eq, cont 256
9   STRMATCH=/default.htm offset=44, depth=30, op=eq, cont 256
