DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide
DoS Attack Prevention Commands
18-1 defense
This command is used to defend against DoS attacks. Use the no form of this command to disable the DoS attack defense.
defense [land | blat | null-scan | xmascan | tcp-synfin | port-less-1024 | ping-death | tiny-frag] enable
no defense [land | blat | null-scan | xmascan | tcp-synfin | port-less-1024 | ping-death | tiny-frag] enable
Parameters
land
Enable defense against the Land attack.
blat
Enable defense against the Blat attack.
null-scan
Enable defense against the TCP NULL scan.
xmascan
Enable defense against the TCP Xmas scan.
tcp-synfin
Enable defense against TCP packets with both the SYN and FIN flags set.
port-less-1024
Enable defense against packets with a source port lower than 1024.
ping-death
Enable defense against the Ping of Death attack.
tiny-frag
Enable defense against the TCP tiny fragment attack.
Default
Defense against all attack types (land, blat, null-scan, xmascan, tcp-synfin,
port-less-1024, ping-death, tiny-frag) is disabled.
Command Mode
Global Configuration Mode.
Command Default Level
Level: 15.
Usage Guideline
The DoS attack types that can be defended against are listed below:
Land attack
A Land attack is a DoS attack in which a specially crafted, spoofed IP packet
is sent to a host, causing it to lock up. The packet's source and destination
IP addresses are both set to the address of the target device, so the target
keeps replying to itself, which is why the attack works.
Detect method
- Check whether the source address of a received IP packet is equal to its
destination address.
Blat attack
A DoS attack in which the target's TCP/IP stack is flooded with SYN packets
whose spoofed source port number matches the destination port number,
causing the machine to lock up.
Detect method
- Check whether the source port of a received TCP packet is equal to its
destination port.
Null Scan
Attackers use the TCP NULL scan to identify listening TCP ports. The scan
sends a series of unusually constructed TCP packets that carry no flags at
all. Because many firewalls and boundary routers filter incoming TCP packets
on standard flag settings, such packets can pass through them. If the target
device's TCP port is closed, the target replies with a TCP RST packet. If the
port is open, the target silently discards the TCP NULL packet and sends no
reply.
Detect method
- Check whether a received TCP packet has a sequence number of 0 and no
flags set.
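The following is an added example, not D-Link code and not the switch firmware: it implements the three detection methods described above (Land, Blat and NULL scan) together with the tcp-synfin and port-less-1024 checks as the parameter list describes them, over raw IPv4/TCP headers. The function names, the packet builder and the assumption that port-less-1024 refers to the TCP source port are the example's own; the sample packets are constructed inline with zero checksums so the code runs offline.

```python
import socket
import struct

# Added example: the DXS-3600 DoS-defense detection rules as plain header checks.
# Illustrative code; the switch's real implementation is not shown on the page.

TCP_PROTO = 6
TCP_FIN = 0x01
TCP_SYN = 0x02


def parse_ipv4(pkt: bytes) -> dict:
    """Return the IPv4 fields the checks need; reject truncated or non-IPv4 input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"src": src, "dst": dst, "proto": proto, "payload": pkt[ihl:]}


def parse_tcp(seg: bytes) -> dict:
    """Return TCP ports, sequence number and the nine flag bits."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, _ack, off_flags, _win, _csum,
     _urp) = struct.unpack("!HHIIHHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF}


def classify(pkt: bytes) -> list:
    """Return the names of every defense rule the packet would trigger."""
    hits = []
    ip = parse_ipv4(pkt)
    # Land: source IP equals destination IP
    if ip["src"] == ip["dst"]:
        hits.append("land")
    if ip["proto"] != TCP_PROTO:
        return hits
    tcp = parse_tcp(ip["payload"])
    # Blat: TCP source port equals destination port
    if tcp["sport"] == tcp["dport"]:
        hits.append("blat")
    # NULL scan: sequence number 0 and no flags set
    if tcp["seq"] == 0 and tcp["flags"] == 0:
        hits.append("null-scan")
    # tcp-synfin: SYN and FIN set together (never produced by a normal stack)
    if (tcp["flags"] & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN):
        hits.append("tcp-synfin")
    # port-less-1024: assumed here to mean the TCP source port is below 1024
    if tcp["sport"] < 1024:
        hits.append("port-less-1024")
    return hits


def build_packet(src: str, dst: str, sport: int, dport: int,
                 seq: int = 1, flags: int = TCP_SYN) -> bytes:
    """Constructed IPv4+TCP packet with zero checksums, for offline testing only."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                      (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     TCP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


if __name__ == "__main__":
    samples = {
        "land": build_packet("10.0.0.1", "10.0.0.1", 12345, 80),
        "blat": build_packet("10.0.0.2", "10.0.0.1", 8080, 8080),
        "null-scan": build_packet("10.0.0.2", "10.0.0.1", 40000, 22, seq=0, flags=0),
        "syn-fin": build_packet("10.0.0.2", "10.0.0.1", 40000, 22, flags=TCP_SYN | TCP_FIN),
        "normal SYN": build_packet("10.0.0.2", "10.0.0.1", 40000, 22),
    }
    for name, pkt in samples.items():
        print(f"{name:11} -> {classify(pkt)}")
```

Note that a single packet can match several rules at once (a classic Land packet with matching ports trips both land and blat, and port-less-1024 if that port is privileged), which is why classify returns a list rather than a single verdict; on the switch each rule is enabled independently.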