Configuring DoS Defend DoS Defend Configuration
User Guide
937
Step 2 ip dos-prevent
Globally enable the DoS defend feature.
Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood |
syn-flood | win-nuke | ping-of-death | smurf}
Configure one or more defend types according to your needs. The types of DoS attack are
introduced as follows.
land:
The attacker sends a specic fake SYN (synchronous) packet to the destination host. Because
both the source IP address and the destination IP address of the SYN packet are set to be the IP
address of the host, the host will be trapped in an endless circle of building the initial connection.
scan-synfin:
The attacker sends the packet with its SYN field and the FIN field set to 1. The SYN
eld is used to request initial connection whereas the FIN eld is used to request disconnection.
Therefore, a packet of this type is illegal.
xma-scan:
The attacker sends the illegal packet with its TCP index, FIN, URG and PSH eld set to 1.
null-scan:
The attacker sends the illegal packet with its TCP index and all the control elds set to 0.
During the TCP connection and data transmission, the packets with all the control elds set to 0 are
considered as the illegal packets.
port-less-1024:
The attacker sends the illegal packet with its TCP SYN eld set to 1 and source port
smaller than 1024.
blat:
The attacker sends the illegal packet with the same source port and destination port on Layer
4 and with its URG eld set to 1. Similar to the Land Attack, the system performance of the attacked
host is reduced because the Host circularly attempts to build a connection with the attacker.
ping-flood:
The attacker floods the destination system with Ping packets, creating a broadcast
storm that makes it impossible for system to respond to legal communication.
syn-flood:
The attacker uses a fake IP address to send TCP request packets to the server. Upon
receiving the request packets, the server responds with SYN-ACK packets. Since the IP address is
fake, no response will be returned. The server will keep on sending SYN-ACK packets. If the attacker
sends overowing fake request packets, the network resource will be occupied maliciously and the
requests of the legal clients will be denied.
win-nuke:
An Operation System with bugs cannot process the URG (Urgent Pointer) of TCP packets.
If the attacker sends TCP packets to port139 (NetBIOS) of the host with Operation System bugs, it
will cause blue screen.
ping-of-death: Ping of Death attack means that the attacker sends abnormal ping packets larger
than 65535 bytes to cause system crash on the target computer.
Note: Only T2600G-18TS supports Ping of Death.
smurf: Smurf attack is a distributed denial-of-service attack in which large numbers of Internet
Control Message Protocol (ICMP) packets with the intended victim’s spoofed source IP are
broadcast to a computer network using an IP broadcast address. Most devices on a network will, by
default, respond to this by sending a reply to the source IP address. If the number of machines on
the network that receive and respond to these packets is very large, the victim’s computer will be
flooded with traffic.
Note: Only T2600G-18TS supports Smurf Attack.
Step 4 show ip dos-prevent
Verify the DoS Defend configuration.
Step 5 end
Return to privileged EXEC mode.
To Next Page
Loading...
Need help?
General
