HPE FlexNetwork 10500 Series Security Configuration Manual page 495

Step
3. Configure signature
detection for
single-packet attacks.
4. (Optional.) Set the
maximum length of safe
ICMP or ICMPv6 packets.
Command
•
signature detect { fraggle |
fragment | impossible | land |
large-icmp | large-icmpv6 | smurf
| snork | tcp-all-flags |
tcp-fin-only | tcp-invalid-flags |
tcp-null-flag | tcp-syn-fin |
tiny-fragment | traceroute |
udp-bomb | winnuke } [ action
{ { drop | logging } * | none } ]
•
signature detect
{ ip-option-abnormal |
ping-of-death | teardrop } action
{ drop | logging } *
•
signature detect icmp-type
{ icmp-type-value |
address-mask-reply |
address-mask-request |
destination-unreachable |
echo-reply | echo-request |
information-reply |
information-request |
parameter-problem | redirect |
source-quench | time-exceeded |
timestamp-reply |
timestamp-request } [ action
{ { drop | logging } * | none } ]
•
signature detect icmpv6-type
{ icmpv6-type-value |
destination-unreachable |
echo-reply | echo-request |
group-query | group-reduction |
group-report | packet-too-big |
parameter-problem |
time-exceeded } [ action { { drop |
logging } * | none } ]
•
signature detect ip-option
{ option-code | internet-timestamp
| loose-source-routing |
record-route | route-alert |
security | stream-id |
strict-source-routing } [ action
{ { drop | logging } * | none } ]
•
signature detect ipv6-ext-header
ext-header-value [ action { { drop |
logging } * | none } ]
signature { large-icmp |
large-icmpv6 } max-length length
478
Remarks
By default, signature detection
is not configured for
single-packet attacks.
You can configure signature
detection for multiple
single-packet attacks.
By default, the maximum
length of safe ICMP or ICMPv6
packets is 4000 bytes.
A large ICMP or ICMPv6
attack occurs if an ICMP or
ICMPv6 packet larger than the
specified length is detected.