286
SIGNAMAX LLC • www.signamax.eu
masklen    The length of the destination network mask (default: 24)
ip tcp intercept land
A LAND attack exploits another weakness of many TCP/IP stacks: they cannot cope with a SYN (connection-establishing) segment whose source address and source port are identical to its destination address and destination port. Such a segment can make the receiving system misbehave or hang. When this protection is enabled, the switch checks every packet and, if the source address equals the destination address and the source port equals the destination port, discards the packet.
[no] ip tcp intercept land

Command    Description
land       Land attack protection
ip tcp intercept list
This class of attack consumes the limited resources of a system. The best-known example is the SYN flood: an attack that abuses the TCP three-way handshake to leave a large number of half-open TCP connections on the victim. The attacker uses IP spoofing so that the SYN requests sent to the victim appear legitimate.
In reality the source address does not exist or is not online at the time, so the victim's SYN/ACK reply goes unanswered and the final ACK of the handshake never arrives. The victim's connection table fills with half-open connections, its resources are exhausted, and legitimate connection requests can no longer be served. Against this kind of attack the switch uses a simple interception method: threshold interception.
Once the rate of SYN requests destined for the protected server exceeds the configured threshold, the excess SYN requests are intercepted. Note that because the validity of a SYN packet cannot be determined, this method also intercepts a share of legitimate requests, which then go unanswered. Combine it with the pseudo-source-address detection function to filter out most attack packets and reduce the number of legitimate packets that are intercepted.
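The two checks described above, as an added example that is not part of the Signamax manual or the switch firmware: a small Python parser for IPv4/TCP headers, the LAND test (source address and port equal to destination address and port), and a per-destination SYN-rate threshold that intercepts SYNs beyond a maxcount within a time window. The packets are constructed inline, and the function and class names (build_syn, is_land, SynThreshold) are chosen here, not taken from the switch.

```python
"""Added example, not Signamax code: LAND check and SYN-threshold interception
over constructed IPv4/TCP packets."""
import ipaddress
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_syn(src_ip, src_port, dst_ip, dst_port, flags=TCP_SYN):
    """Construct a minimal IPv4+TCP packet (no options, zero checksums).
    Constructed test input, not a capture."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          src_port, dst_port, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse(pkt):
    """Return (src_ip, src_port, dst_ip, dst_port, flags), or None if the
    bytes are not a complete IPv4/TCP packet."""
    if len(pkt) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return (str(ipaddress.IPv4Address(src)), sport,
            str(ipaddress.IPv4Address(dst)), dport, flags)


def is_land(pkt):
    """The test ip tcp intercept land performs: source address and port
    identical to destination address and port."""
    p = parse(pkt)
    if p is None:
        return False
    src_ip, sport, dst_ip, dport, _ = p
    return src_ip == dst_ip and sport == dport


class SynThreshold:
    """Threshold interception as the text describes it: count pure SYNs
    (not SYN/ACKs) per protected destination inside a window; once the count
    exceeds maxcount, further SYNs in that window are intercepted.  As the
    text warns, spoofed and legitimate SYNs are not distinguished."""

    def __init__(self, maxcount, window=1.0):
        self.maxcount = maxcount
        self.window = window
        self.counts = {}
        self.window_start = {}

    def check(self, pkt, now):
        """Return 'pass' or 'intercept' for a packet seen at time `now`."""
        p = parse(pkt)
        if p is None:
            return "pass"
        _, _, dst_ip, dport, flags = p
        if not flags & TCP_SYN or flags & TCP_ACK:
            return "pass"
        key = (dst_ip, dport)
        start = self.window_start.get(key)
        if start is None or now - start >= self.window:
            self.window_start[key] = now
            self.counts[key] = 0
        self.counts[key] += 1
        return "pass" if self.counts[key] <= self.maxcount else "intercept"


def demo():
    """A LAND packet, a normal SYN, and a constructed five-SYN burst from
    spoofed sources against one server with maxcount=3."""
    victim = "10.0.0.5"
    land = build_syn(victim, 80, victim, 80)
    normal = build_syn("192.0.2.1", 40000, victim, 80)
    thr = SynThreshold(maxcount=3)
    flood = [build_syn(f"203.0.113.{i}", 1024 + i, victim, 80) for i in range(5)]
    verdicts = [thr.check(p, 0.5) for p in flood]
    return is_land(land), is_land(normal), verdicts


if __name__ == "__main__":
    print(demo())
```

The fourth and fifth SYNs of the burst are intercepted even though nothing distinguishes them from the first three; that is the loss of legitimate requests the text warns about, and why the manual recommends pairing the threshold with pseudo-source-address detection.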
ip tcp intercept list {access-list-number | access-list-name} [maxcount {number}]
no ip tcp intercept list {access-list-number | access-list-name} [maxcount {number}]
Syntax Description
access-list-number    The access list number, in the range 1 to 1000
access-list-name      The name of the access list; only standard access lists are supported