DoS Attack Prevention Configuration Commands
The DoS ICMP sub-function can drop the following two kinds of packets: 1.
ICMPv4/v6 ping packets whose size is larger than icmp-value; 2. ICMP packets.
The DoS l4port sub-function can drop those TCP/UDP packets whose source port
is equal to the destination port.
The DoS MAC sub-function can drop those packets whose source MACs are equal
to destination MACs.
The DoS tcpflags sub-function can drop the following 4 kinds of TCP packets: 1.
TCP SYN flag = 1 & source port < 1024; 2. TCP control flags = 0 & sequence = 0;
3. TCP FIN URG PSH = 1 & sequence = 0; 4. TCP FIN SYN = 1.
The DoS tcpfrag sub-function can drop the following two kinds of TCP packets: 1.
The TCP header is smaller than the first TCP fragment of
; 2. TCP
fragments whose offset values are 1.
The following example shows how to set the global DoS attack prevention function
to prevent those IP packets whose source IP addresses are equal to their
destination IP addresses.
Switch_config#dos enable ip
The following example shows how to set DoS attack prevention in global mode to
prevent those ICMP packets whose length is bigger than 255.
Switch_config#dos enable icmp 255
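The mac, ip, l4port, tcpflags and ICMP size conditions described above can be checked offline against sample traffic before the sub-functions are enabled. The following Python sketch is an added example, not code from the switch or its vendor. Assumptions: the names classify, build, tcp and udp are hypothetical, only IPv4 is parsed, "size" is read as the ICMP message length, and "control flags" as the six classic TCP flag bits.

```python
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20

def classify(pkt, icmp_value=255):
    """Return the DoS rules (as worded on this page) an Ethernet II/IPv4 frame matches."""
    hits = ["mac"] if pkt[6:12] == pkt[0:6] else []        # src MAC == dst MAC
    if pkt[12:14] != b"\x08\x00" or len(pkt) < 34:          # IPv4 only in this sketch
        return hits
    ip = pkt[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    total_len, frag = struct.unpack("!HxxH", ip[2:8])
    if ip[12:16] == ip[16:20]:                              # src IP == dst IP
        hits.append("ip")
    l4 = ip[ihl:total_len]
    if frag & 0x1FFF:                                       # later fragments have no L4 header
        return hits
    # Assumption: "size" is the ICMP message length; only IPv4 echo requests are checked.
    if proto == 1 and l4[:1] == b"\x08" and len(l4) > icmp_value:
        hits.append("icmp")
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.append("l4port")
        if proto == 6 and len(l4) >= 14:
            seq, flags = struct.unpack("!I", l4[4:8])[0], l4[13]
            rules = [flags & SYN and sport < 1024,
                     (flags & 0x3F) == 0 and seq == 0,
                     (flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and seq == 0,
                     (flags & (FIN | SYN)) == (FIN | SYN)]
            hits += [f"tcpflags:{n}" for n, hit in enumerate(rules, 1) if hit]
    return hits

def build(proto, l4, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Constructed test frame (distinct MACs, checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, src, dst)
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip + l4

def tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 1024, 0, 0)

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

if __name__ == "__main__":
    print(classify(build(17, udp(123, 123, b"\0" * 48))))      # NTP-style 123 -> 123
    print(classify(build(6, tcp(50000, 443, 1000, SYN))))       # ordinary client SYN
    print(classify(build(6, tcp(40000, 80, 0, SYN | FIN))))     # SYN+FIN
    print(classify(build(1, b"\x08\x00" + b"\0" * 298)))        # 300-byte echo request
```

The first sample shows that traffic using the same port on both ends, such as an NTP exchange on UDP 123, meets the l4port condition, so such flows are worth checking before that sub-function is enabled.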
1.1.2 show dos
show dos
It is used to show all DoS attack prevention functions that users have set.
Default value
EXEC mode
The following example shows how to display all DoS attack prevention functions.
Switch_config#dos enable all
Switch_config#show dos
dos enable ip
dos enable ipv4firstfrag
dos enable tcpflags
dos enable l4port
dos enable mac