Function:
Enable the function by which the switch checks whether the source port is equal to
the destination port; the "no" form of this command disables this function.
Parameter:
None
Default:
The function by which the switch checks whether the source port is equal to
the destination port is disabled by default.
Command Mode:
Global Mode
Usage Guide:
With this function enabled, the switch drops TCP and UDP data packets whose
destination port is equal to the source port. This function can be used together
with the “dosattack-check ipv4-first-fragment enable” function to block IPv4
fragment TCP and UDP data packets whose destination port is equal to the source port.
Example:
Drop the non-fragment TCP and UDP data packets whose destination port is
equal to the source port.
Switch(Config)#dosattack-check srcport-equal-dstport enable
2.6.3.5 dosattack-check tcp-fragment enable
Command: [no] dosattack-check tcp-fragment enable
Function:
Enable the function by which the switch detects TCP fragment attacks; the “no”
form of this command disables this function.
Parameter:
None
Default:
This function is not enabled on the switch by default
Command Mode:
Global Mode
Usage Guide:
With this function enabled, the switch is protected from TCP fragment attacks:
it drops data packets whose TCP fragment offset value is 1 or whose TCP header is
shorter than the specified value. Use the “dosattack-check tcp-header”
command to specify the length.
Example:
Enable the TCP fragment attack checking function.
Switch(Config)#dosattack-check tcp-fragment enable
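The packet tests described for “dosattack-check srcport-equal-dstport enable” and “dosattack-check tcp-fragment enable”, modelled in Python as an added illustration (not the switch's firmware or vendor code). It assumes that the fragment offset is the IPv4 fragment offset field, that the header length is the number of TCP bytes carried in an offset-0 packet, and that the ipv4-first-fragment function extends the port test to first fragments; classify(), ipv4(), tcp() and SAMPLES are hypothetical names and the sample packets are constructed.

```python
import struct

def classify(pkt, min_tcp_header=20, first_fragment=False):
    """Apply the checks to one raw IPv4 packet; return 'forward' or a drop reason."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "forward"                      # not IPv4: outside these checks
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt):
        return "forward"                      # malformed IHL: not modelled here
    proto = pkt[9]
    flags_frag, = struct.unpack("!H", pkt[6:8])
    more_frags = bool(flags_frag & 0x2000)    # MF flag
    offset = flags_frag & 0x1FFF              # fragment offset, 8-byte units
    l4 = pkt[ihl:]
    if proto == 6:                            # tcp-fragment check (assumed semantics)
        if offset == 1:
            return "drop: tcp fragment offset 1"
        if offset == 0 and len(l4) < min_tcp_header:
            return "drop: tcp header too short"
    # srcport-equal-dstport: unfragmented packets, plus first fragments when
    # the ipv4-first-fragment function is also enabled (assumption)
    eligible = offset == 0 and (first_fragment or not more_frags)
    if proto in (6, 17) and eligible and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            return "drop: source port equals destination port"
    return "forward"

def ipv4(proto, payload, offset=0, mf=False):
    """Constructed IPv4 header (documentation addresses, zero checksum) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                       (0x2000 if mf else 0) | offset, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])) + payload

def tcp(sport, dport):
    """Constructed 20-byte TCP header with SYN set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 1024, 0, 0)

SAMPLES = {  # constructed sample packets
    "normal tcp": ipv4(6, tcp(40000, 443)),
    "tcp 80->80": ipv4(6, tcp(80, 80)),
    "udp 53->53": ipv4(17, struct.pack("!HHHH", 53, 53, 8, 0)),
    "tcp offset 1": ipv4(6, b"\x00" * 8, offset=1),
    "tiny first fragment": ipv4(6, tcp(40000, 443)[:8], mf=True),
    "fragmented 80->80": ipv4(6, tcp(80, 80), mf=True),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} {classify(pkt)}")
```

The last sample is forwarded by the port test alone and is dropped only when classify() is called with first_fragment=True, which mirrors the pairing of the two functions in the usage guide.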
2.6.3.6 dosattack-check tcp-header
Command: dosattack-check tcp-header <size>
Function:
Configure the minimum TCP header length permitted by the switch.
Parameter:
<size> is the minimum TCP header length permitted by the switch.
Default:
The length is 20 by default, which is the shortest TCP header.
Command Mode:
Global Mode
Usage Guide:
To use this function, the “dosattack-check tcp-fragment enable” function
must be enabled.
Example:
Set the minimum TCP header length permitted by the switch to 20.
Switch(Config)# dosattack-check tcp-fragment enable