Edge-Core ECS3510-10PD Management Manual page 950

| General Security Measures
C 24
HAPTER
Denial of Service Protection
dos-protection
tcp-xmas-scan
dos-protection
udp-flooding
E
XAMPLE
Console(config)#dos-protection syn-fin-scan
Console(config)#
This command protects against DoS TCP-xmas-scan in which a so-called
TCP XMAS scan message is used to identify listening TCP ports. This scan
uses a series of strangely configured TCP packets which contain a sequence
number of 0 and the URG, PSH and FIN flags. If the target's TCP port is
closed, the target replies with a TCP RST packet. If the target TCP port is
open, it simply discards the TCP XMAS scan. Use the no form to disable
this feature.
S
YNTAX
[no] dos-protection tcp-xmas-scan
D S
EFAULT ETTING
Enabled
C M
OMMAND ODE
Global Configuration
E
XAMPLE
Console(config)#dos-protection tcp-xmas-scan
Console(config)#
This command protects against DoS UDP-flooding attacks in which a
perpetrator sends a large number of UDP packets (with or without a
spoofed-Source IP) to random ports on a remote host. The target will
determine that application is listening at that port, and reply with an ICMP
Destination Unreachable packet. It will be forced to send many ICMP
packets, eventually leading it to be unreachable by other clients. Use the
no form to disable this feature.
S
YNTAX
dos-protection udp-flooding [bit-rate-in-kilo rate]
no dos-protection udp-flooding
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
D S
EFAULT ETTING
Disabled, 1000 kbits/second
C M
OMMAND ODE
Global Configuration
– 950 –