TP-Link T1600G-18TS Configuration Manual page 592

T1600g series

Configuring Network Security
Step 3
ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-flood | syn-flood | win-nuke | smurf | ping-of-death }
Configure one or more defend types according to your needs. The types of DoS attack are
introduced as follows.
land:
The attacker sends a specific fake SYN (synchronous) packet to the destination host.
Because both the source IP address and the destination IP address of the SYN packet are
set to the IP address of the host, the host will be trapped in an endless loop of trying to
build the initial connection.
scan-synfin:
The attacker sends the packet with its SYN field and the FIN field set to 1.
The SYN field is used to request initial connection whereas the FIN field is used to request
disconnection. Therefore, a packet of this type is illegal.
xma-scan:
The attacker sends the illegal packet with its TCP index, FIN, URG and PSH fields
set to 1.
null-scan:
The attacker sends the illegal packet with its TCP index and all the control fields
set to 0. During TCP connection and data transmission, packets with all the control
fields set to 0 are considered illegal.
port-less-1024:
The attacker sends the illegal packet with its TCP SYN field set to 1 and
source port smaller than 1024.
blat:
The attacker sends the illegal packet with the same source port and destination port on
Layer 4 and with its URG field set to 1. Similar to the Land Attack, the system performance
of the attacked host is reduced because the host repeatedly attempts to build a connection
with the attacker.
ping-flood:
The attacker floods the destination system with Ping packets, creating a
broadcast storm that makes it impossible for the system to respond to legitimate communication.
syn-flood:
The attacker uses a fake IP address to send TCP request packets to the server.
Upon receiving the request packets, the server responds with SYN-ACK packets. Since the
IP address is fake, no response will be returned. The server will keep on sending SYN-ACK
packets. If the attacker sends a flood of fake request packets, network resources will
be maliciously occupied and the requests of legitimate clients will be denied.
win-nuke:
An operating system with bugs cannot process the URG (Urgent Pointer) of TCP
packets. If the attacker sends TCP packets to port 139 (NetBIOS) of a host whose operating
system has such bugs, it will cause a blue screen.
smurf:
The attacker broadcasts large numbers of Internet Control Message Protocol (ICMP)
packets with the intended victim's spoofed source IP to a computer network using an IP
broadcast address. Most devices on a network will respond to this by sending a reply to
the source IP address. If the number of devices on the network that receive and respond
to these packets is very large, the victim's host will be flooded with traffic, which can slow
down the victim's host and make it unusable.
ping-of-death:
The attacker sends an improperly large Internet Control Message Protocol
(ICMP) echo request packet, or a ping packet, with the purpose of overflowing the input
buffers of the destination host and causing the host to crash.
Step 4
show ip dos-prevent
Verify the DoS Defend configuration.
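
The TCP-based defend types above can be read as checks on header fields. The following is an added example, not code from the manual or TP-Link's implementation: it parses a raw IPv4/TCP header and lists which of those types the packet matches. Function names, addresses and ports are constructed for illustration, and the "TCP index" condition in the xma-scan and null-scan definitions is not modelled.

```python
import socket
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20   # TCP control bits
XMAS = FIN | URG | PSH

def classify(pkt: bytes) -> list:
    """Return the TCP-based defend types (as named in the manual) that pkt matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return []                                # not an IPv4 packet carrying TCP
    ihl = (pkt[0] & 0x0F) * 4                    # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 14:
        return []                                # truncated before the TCP flags byte
    src_ip, dst_ip = pkt[12:16], pkt[16:20]
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    flags = pkt[ihl + 13] & 0x3F                 # URG ACK PSH RST SYN FIN
    syn, urg = bool(flags & SYN), bool(flags & URG)
    checks = [
        ("land",           syn and src_ip == dst_ip),
        ("scan-synfin",    syn and bool(flags & FIN)),
        ("xma-scan",       (flags & XMAS) == XMAS),
        ("null-scan",      flags == 0),
        ("port-less-1024", syn and sport < 1024),
        ("blat",           urg and sport == dport),
    ]
    return [name for name, hit in checks if hit]

def make_pkt(src, dst, sport, dport, flags):
    """Build a constructed 40-byte IPv4+TCP header pair (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

# Constructed sample headers (documentation address ranges), one per condition.
SAMPLES = {
    "land":     make_pkt("192.0.2.10", "192.0.2.10", 40000, 80, SYN),
    "synfin":   make_pkt("198.51.100.7", "192.0.2.10", 40000, 80, SYN | FIN),
    "xmas":     make_pkt("198.51.100.7", "192.0.2.10", 40000, 80, XMAS),
    "null":     make_pkt("198.51.100.7", "192.0.2.10", 40000, 80, 0),
    "low-port": make_pkt("198.51.100.7", "192.0.2.10", 53, 80, SYN),
    "blat":     make_pkt("198.51.100.7", "192.0.2.10", 5000, 5000, URG),
    "normal":   make_pkt("198.51.100.7", "192.0.2.10", 40000, 443, SYN),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:9s} -> {classify(pkt)}")
```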
DoS Defend Configuration