Table of Contents
Advertisement
This command protects against DoS TCP-flooding attacks in which a
dos-protection
perpetrator sends a succession of TCP SYN requests (with or without a
tcp-flooding
spoofed-Source IP) to a target and never returns ACK packets. These
half-open connections will bind resources on the target, and no new
connections can be made, resulting in a denial of service. Use the no form
to disable this feature.
S
YNTAX
dos-protection tcp-flooding [bit-rate-in-kilo rate]
no dos-protection tcp-flooding
D
EFAULT
Disabled, 1000 kbits/second
C
OMMAND
Global Configuration
E
XAMPLE
Console(config)#dos-protection tcp-flooding 65
Console(config)#
This command protects against DoS TCP-null-scan attacks in which a TCP
dos-protection
NULL scan message is used to identify listening TCP ports. The scan uses a
tcp-null-scan
series of strangely configured TCP packets which contain a sequence
number of 0 and no flags. If the target's TCP port is closed, the target
replies with a TCP RST (reset) packet. If the target TCP port is open, it
simply discards the TCP NULL scan. Use the no form to disable this feature.
S
YNTAX
[no] dos-protection tcp-null-scan
D
EFAULT
Enabled
C
OMMAND
Global Configuration
E
XAMPLE
Console(config)#dos-protection tcp-null-scan
Console(config)#
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
S
ETTING
M
ODE
S
ETTING
M
ODE
– 915 –
| General Security Measures
C
25
HAPTER
Denial of Service Protection
Advertisement
Chapters
Table of Contents
