DIS-200G Series Gigabit Ethernet Switch CLI Reference Guide
43
10.
DoS Prevention Commands
10-1
dos-prevention
This command is used to enable and configure the DoS prevention mechanism. Use the
no
form of this
command to reset DoS prevention to the default setting.
dos-prevention
DOS-ATTACK-TYPE
no dos-prevention
DOS-ATTACK-TYPE
Parameters
DOS-ATTACK-TYPE
Specifies the string that identifies the DoS type to be configured.
Default
By default all supported DoS types are disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15.
Usage Guideline
This command is used to enabled and configure the DoS prevention mechanism for a specific DoS
attack type or for all supported types. The DoS prevention mechanisms (matching and taking action)
are hardware-based features.
When DoS prevention is enabled, the Switch will log the event if any attack packet was received.
The command no dos-prevention with the all keyword is used to disable the DoS prevention
mechanism for all supported types. All the related settings will be reverted back to the default for the
specified attack types.
The following well-known DoS types which can be detected by most switches:
Blat:
This type of attack will send packets with TCP/UDP source port equals to destination port to the
target device. It may cause the target device respond to itself.
Land:
A LAND attack involves with IP packets where the source and destination address are set to
address of the target device. It may cause the target device reply to itself continuously.
TCP-NULL-scan:
Port scanning by using specific packets, which contain a sequence number of 0 and
no flags.
TCP-SYN-fin:
Port scanning by using specific packets, which contain SYN and FIN flags.
TCP-SYN-SRCport-less-1024:
Port scanning by using specific packets, which contain source port 0-
1023 and SYN flag.
TCP-xmas-scan:
Port scanning by using specific packets, which contain a sequence number of 0 and
the Urgent (URG), Push (PSH), and FIN flags.
Ping-death:
A ping of death is a type of attack on a computer that involves sending a malformed or
otherwise malicious ping to a computer. A ping is normally 64 bytes in size; many computers cannot
handle a ping large than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size
can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally,
sending a 65536 byte ping packet is illegal according to networking protocol, but a packet of such a size
can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can
occur, which often cause a system crash.