
Ruijie RG-S2900G-E Series - Page 636

Ruijie RG-S2900G-E Series
943 pages
Configuration Guide DoS Protection Configuration
message) will contain the SYN flag, and the following messages will all contain the
ACK flag. Based on this assumption, some protocol stacks have no corresponding
handling process for a TCP message with no flag set. Such a protocol stack
may therefore crash upon receipt of such a message. The attacker uses this behavior to
attack the target host.
3. TCP message with FIN flag but no ACK flag
Under normal conditions, except for the first message (SYN message), all other
messages contain the ACK flag, including the TCP connection termination message
(with the FIN flag). However, some attackers may send a TCP message with the FIN flag but
no ACK flag to the target host, leading to a crash of the target host.
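
The two malformed flag combinations described above (no flags set, and FIN without ACK) can be checked directly against the flag byte of a raw TCP header. The following is an added example, not code from the Ruijie manual or the switch firmware; the function names and the sample segments are constructed for illustration.

```python
import struct

# TCP flag bits, byte 13 of the TCP header (RFC 9293).
FIN, SYN, ACK = 0x01, 0x02, 0x10

def tcp_flags(segment: bytes) -> int:
    """Return the flag bits of a raw TCP segment whose header starts at offset 0."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header: need at least 20 bytes")
    if segment[12] >> 4 < 5:
        raise ValueError("data offset below the 5-word minimum")
    return segment[13] & 0x3F  # FIN, SYN, RST, PSH, ACK, URG

def classify(segment: bytes) -> str:
    """Label a segment using the two malformed-flag cases described on this page."""
    flags = tcp_flags(segment)
    if flags == 0:
        return "invalid: no flags set"
    if flags & FIN and not flags & ACK:
        return "invalid: FIN without ACK"
    return "ok"

def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options, checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed sample segments, not captured traffic.
SAMPLES = {
    "SYN (connection open)": build_segment(SYN),
    "ACK (established)": build_segment(ACK),
    "FIN+ACK (normal close)": build_segment(FIN | ACK),
    "no flags": build_segment(0),
    "FIN only": build_segment(FIN),
}

def classify_samples() -> dict:
    """Classify every constructed sample and return name -> verdict."""
    return {name: classify(seg) for name, seg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24} {verdict}")
```

A check like this is useful on a capture or mirror port to confirm which segments the `ip deny invalid-tcp` setting is expected to stop before they reach a host.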
DoS Protection Configuration
Default DoS Protection Configuration
The default DoS protection configuration is given below:
Function                      Default setting
land attack                   Off
against invalid tcp attack    Off
Defend against Land attack
To enable the Land attack protection function, run the following commands:
Command                         Function
Ruijie# configure terminal      Enter global configuration mode
Ruijie(config)# ip deny land    Enable Land attack protection function
Ruijie(config)# end             Return to privilege mode
Defend against invalid TCP message attack
To enable the invalid TCP message attack protection function, run the following
commands:
Command                                Function
Ruijie# configure terminal             Enter global configuration mode
Ruijie(config)# ip deny invalid-tcp    Enable invalid TCP message attack protection function
Ruijie(config)# end                    Return to privilege mode
