Defense Against DoS Attacks - Cisco 500 Series Administration Manual

Security
Denial of Service Prevention
Cisco 500 Series Stackable Managed Switch Administration Guide
from remote hosts. This scenario primarily concerns the device when it
serves as a server on the web.
Back Orifice Trojan—This is a variation of a trojan that uses Back Orifice software to implant the trojan.

Defense Against DoS Attacks

The Denial of Service (DoS) Prevention feature assists the system administrator in resisting such attacks in the following ways:
Enable TCP SYN protection. If this feature is enabled, reports are issued when a SYN packet attack is identified, and the attacked port can be temporarily shut down. A SYN attack is identified if the number of SYN packets per second exceeds a user-configured threshold.
Block SYN-FIN packets.
Block packets that contain reserved Martian addresses (Martian Addresses page).
Prevent TCP connections from a specific interface (SYN Filtering page) and rate limit the packets (SYN Rate Protection page).
Configure the blocking of certain ICMP packets (ICMP Filtering page).
Discard fragmented IP packets from a specific interface (IP Fragments Filtering page).
Deny attacks from Stacheldraht Distribution, Invasor Trojan, and Back Orifice Trojan (Security Suite Settings page).
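The checks listed above (SYN-per-second threshold per port, SYN-FIN blocking, Martian source blocking) applied to constructed packet records, as an added illustration that is not the switch's own implementation; the Martian prefix list and the record format are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Illustrative reserved ("Martian") prefixes; the switch's own list lives on its
# Martian Addresses page and may differ (assumption for this example).
MARTIAN_PREFIXES = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def is_martian(src_ip):
    return any(ip_address(src_ip) in net for net in MARTIAN_PREFIXES)

def evaluate(packets, syn_threshold):
    """Apply the DoS Prevention checks to a list of packet records.

    Each record is a dict: port (ingress interface), second (arrival time
    bucket), src (source IPv4), flags (set of TCP flag names).
    Returns the dropped records with the reason, and the ports whose SYN
    count in any one-second bucket exceeded syn_threshold (reported, and
    candidates for temporary shutdown).
    """
    syn_counts = defaultdict(int)   # (port, second) -> pure SYN packets seen
    drops = []
    for idx, pkt in enumerate(packets):
        flags = set(pkt["flags"])
        if is_martian(pkt["src"]):
            drops.append((idx, "martian-source"))
        elif {"SYN", "FIN"} <= flags:
            drops.append((idx, "syn-fin"))
        elif flags == {"SYN"}:       # SYN-ACKs are replies, not counted
            syn_counts[(pkt["port"], pkt["second"])] += 1
    attacked = sorted({port for (port, _), n in syn_counts.items()
                       if n > syn_threshold})
    return {"drops": drops, "attacked_ports": attacked}

def sample_packets():
    """Constructed sample traffic: a SYN burst on gi1, one SYN-FIN, one Martian."""
    pkts = [{"port": "gi1", "second": 0, "src": f"203.0.113.{i}", "flags": {"SYN"}}
            for i in range(1, 6)]                                # 5 SYN/s on gi1
    pkts.append({"port": "gi2", "second": 0, "src": "203.0.113.9", "flags": {"SYN", "FIN"}})
    pkts.append({"port": "gi2", "second": 0, "src": "10.1.1.1", "flags": {"SYN"}})
    pkts.append({"port": "gi2", "second": 0, "src": "198.51.100.7", "flags": {"SYN", "ACK"}})
    return pkts

if __name__ == "__main__":
    print(evaluate(sample_packets(), syn_threshold=3))
```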
Dependencies Between Features
ACL and advanced QoS policies are not active when a port has DoS Protection
enabled on it. An error message appears if you attempt to enable DoS Prevention
when an ACL is defined on the interface or if you attempt to define an ACL on an
interface on which DoS Prevention is enabled.
A SYN attack cannot be blocked if there is an ACL active on an interface.
Default Configuration
The DoS Prevention feature has the following defaults:
21
462
