D-Link DES-3200 Series Washer/Dryer User Manual


 
xStack® DES-3200 Series Layer 2 Managed Fast Ethernet Switch CLI Reference Guide
Chapter 24
DoS Attack Prevention
Command List
config dos_prevention dos_type [{land_attack | blat_attack | tcp_null_scan | tcp_xmasscan | tcp_synfin | tcp_syn_srcport_less_1024 | ping_death_attack | tcp_tiny_frag_attack} | all] {action [drop] | state [enable | disable]}
show dos_prevention {land_attack | blat_attack | tcp_null_scan | tcp_xmasscan | tcp_synfin | tcp_syn_srcport_less_1024 | ping_death_attack | tcp_tiny_frag_attack}
config dos_prevention trap [enable | disable]
config dos_prevention log [enable | disable]
24-1 config dos_prevention dos_type
Description
This command is used to configure the prevention of each Denial-of-Service (DoS) attack,
including state and action. The packet matching will be done by hardware. For a specific type of
attack, the content of the packet will be matched against a specific pattern.
Format
config dos_prevention dos_type [{land_attack | blat_attack | tcp_null_scan | tcp_xmasscan | tcp_synfin | tcp_syn_srcport_less_1024 | ping_death_attack | tcp_tiny_frag_attack} | all] {action [drop] | state [enable | disable]}
Parameters
land_attack - (Optional) Check whether the source address is equal to the destination address of a received IP packet.
blat_attack - (Optional) Check whether the source port is equal to the destination port of a received TCP packet.
tcp_null_scan - (Optional) Check whether a received TCP packet contains a sequence number of 0 and no flags.
tcp_xmasscan - (Optional) Check whether a received TCP packet contains URG, Push and FIN flags.
tcp_synfin - (Optional) Check whether a received TCP packet contains FIN and SYN flags.
tcp_syn_srcport_less_1024 - (Optional) Check whether the source port of a received TCP packet is less than 1024.
ping_death_attack - (Optional) Detect whether received packets are fragmented ICMP packets.
tcp_tiny_frag_attack - (Optional) Check whether the packets are TCP tiny fragment packets.
all - Specify all DoS attack types.
action - (Optional) When enabling DoS prevention, the following actions can be taken.
  drop - Drop DoS attack packets.
state - (Optional) Specify the DoS attack prevention state.
  enable - Enable DoS attack prevention.
  disable - Disable DoS attack prevention.
Restrictions
Only Administrator, Operator and Power-User level users can issue this command.
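The match patterns in the parameter list above, written out as a software classifier over parsed header fields. This is an added example, not D-Link code and not the switch's hardware logic. The packet dict layout, the 20-byte tiny-fragment threshold and the SYN requirement for tcp_syn_srcport_less_1024 (inferred from the parameter name) are assumptions, and the sample headers are constructed.

```python
# TCP flag bits as they appear in the TCP header flags byte.
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
XMAS = URG | PSH | FIN
TINY_FRAG_MIN = 20  # assumption: a first fragment too short to hold a TCP header

def classify(pkt):
    """Return the dos_type names whose documented pattern pkt matches.
    pkt: dict of parsed header fields (hypothetical layout): proto, src, dst;
    TCP adds sport, dport, seq, flags; fragments add frag_off, more_frags,
    l4_len (bytes of layer-4 data in this fragment)."""
    hits = set()
    frag_off, more_frags = pkt.get("frag_off", 0), pkt.get("more_frags", False)
    if pkt["src"] == pkt["dst"]:
        hits.add("land_attack")
    if pkt["proto"] == "icmp" and (more_frags or frag_off > 0):
        hits.add("ping_death_attack")
    if pkt["proto"] != "tcp" or frag_off > 0:
        return hits  # no TCP header in this packet to inspect
    if more_frags and pkt.get("l4_len", TINY_FRAG_MIN) < TINY_FRAG_MIN:
        hits.add("tcp_tiny_frag_attack")
        return hits  # header is truncated, so ports and flags are unreliable
    flags = pkt["flags"]
    if pkt["sport"] == pkt["dport"]:
        hits.add("blat_attack")
    if flags == 0 and pkt["seq"] == 0:
        hits.add("tcp_null_scan")
    if (flags & XMAS) == XMAS:
        hits.add("tcp_xmasscan")
    if (flags & (SYN | FIN)) == (SYN | FIN):
        hits.add("tcp_synfin")
    if (flags & SYN) and pkt["sport"] < 1024:  # SYN inferred from the name
        hits.add("tcp_syn_srcport_less_1024")
    return hits

# Constructed sample headers (documentation addresses, not captured traffic).
BASE = {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.5",
        "sport": 40000, "dport": 80, "seq": 1000, "flags": SYN}
SAMPLES = {
    "normal_syn": BASE,
    "land": {**BASE, "dst": "192.0.2.10"},
    "xmas": {**BASE, "flags": XMAS},
    "null": {**BASE, "seq": 0, "flags": 0},
    "synfin_same_port": {**BASE, "sport": 80, "flags": SYN | FIN},
    "icmp_fragment": {"proto": "icmp", "src": "192.0.2.10",
                      "dst": "198.51.100.5", "more_frags": True},
    "tiny_first_frag": {**BASE, "more_frags": True, "l4_len": 8},
}
for name, pkt in SAMPLES.items():
    print(f"{name:18} {sorted(classify(pkt))}")
```

The tcp_syn_srcport_less_1024 pattern also matches legitimate clients that bind a reserved source port (some NFS and rsh/rlogin clients do), so check for such traffic before enabling that type with action drop.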