Edge-Core ECS4110-28T Management Manual page 960

28/52-port gigabit ethernet layer 2+ switch

Chapter 25 | General Security Measures
Denial of Service Protection

dos-protection tcp-syn-fin-scan

This command protects against DoS TCP-SYN/FIN-scan attacks in which a
TCP SYN/FIN scan message is used to identify listening TCP ports. The scan
uses a series of strangely configured TCP packets which contain SYN
(synchronize) and FIN (finish) flags. If the target's TCP port is closed, the
target replies with a TCP RST (reset) packet. If the target TCP port is open,
it simply discards the TCP SYN FIN scan. Use the no form to disable this
feature.

SYNTAX
[no] dos-protection syn-fin-scan

DEFAULT SETTING
Enabled

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#dos-protection syn-fin-scan
Console(config)#

dos-protection tcp-udp-port-zero

This command protects against DoS attacks in which the UDP or TCP
source port or destination port is set to zero. This technique may be used
as a form of DoS attack, or it may just indicate a problem with the source
device. Use the no form to restore the default setting.

SYNTAX
dos-protection tcp-udp-port-zero {drop | forward}
no dos-protection tcp-udp-port-zero

drop – Drops all packets with the Layer 4 source port or destination
port set to zero.
forward – Forwards all packets with the Layer 4 source port or
destination port set to zero.

DEFAULT SETTING
Drop

COMMAND MODE
Global Configuration

EXAMPLE
Console(config)#dos-protection tcp-udp-port-zero forward
Console(config)#
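
The two conditions described above, written out as an added Python example for checking captured traffic before changing these settings. It is not Edge-Core code or the switch's implementation. The function names, the IPv4-only parsing, and the idea that an enabled syn-fin-scan check drops the matching packet are assumptions of this example, and the sample packets are constructed.

```python
import struct

TCP, UDP = 6, 17
FIN, SYN = 0x01, 0x02

def matches(pkt: bytes) -> list:
    """Return which of the two conditions a raw IPv4 packet meets."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return []                          # not IPv4, or truncated header
    ihl = (pkt[0] & 0x0F) * 4
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    l4 = pkt[ihl:]
    if pkt[9] not in (TCP, UDP) or ihl < 20 or frag_offset or len(l4) < 4:
        return []                          # later fragments carry no L4 header
    hits = []
    sport, dport = struct.unpack("!HH", l4[:4])
    if sport == 0 or dport == 0:
        hits.append("tcp-udp-port-zero")
    if pkt[9] == TCP and len(l4) >= 14 and l4[13] & SYN and l4[13] & FIN:
        hits.append("syn-fin-scan")
    return hits

def decide(pkt: bytes, syn_fin_scan: bool = True, port_zero: str = "drop") -> str:
    """Model the two settings; defaults mirror the manual (Enabled, Drop).
    Assumption: an enabled syn-fin-scan check drops the matching packet."""
    hits = matches(pkt)
    if "syn-fin-scan" in hits and syn_fin_scan:
        return "drop"
    if "tcp-udp-port-zero" in hits and port_zero == "drop":
        return "drop"
    return "forward"

def sample(proto: int, sport: int, dport: int, flags: int = 0) -> bytes:
    """Constructed test packet (zero checksums, documentation addresses)."""
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    return ip + l4

if __name__ == "__main__":
    for name, pkt in [("normal SYN", sample(TCP, 40000, 443, SYN)),
                      ("SYN+FIN", sample(TCP, 40000, 443, SYN | FIN)),
                      ("UDP dport 0", sample(UDP, 5353, 0))]:
        print(f"{name:12} {matches(pkt)} -> {decide(pkt)}")
```

Running matches() over a capture shows how much port-zero traffic comes from a misbehaving source device, which is the case the manual mentions as a reason the forward option exists.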

This manual is also suitable for:

ECS4110-28P, ECS4110-52T, ECS4110-52P
