Defining custom DoS classifications
You can define custom DoS attack classifications using access control list (ACL) rules. ACL
rules control which packets are authorized to pass through an interface. A custom DoS class is
defined by configuring the match criteria of an ACL rule and tagging that rule with a DoS
classification label; packets that match the rule are then counted and handled as that class of attack.
Note:
For general information about configuring policy rules, refer to the policy configuration section
on page 637.
Defining a DoS class using ACLs
1. Use the ip access-control-list command to enter the configuration mode of an
ACL. For example:
G350-001(super)# ip access-control-list 301
2. Use the ip-rule command to enter the configuration mode of an ACL rule. For example:
G350-001(super)# ip-rule 1
3. Use the dos-classification command to configure the name of the DoS attack
classification. Possible values are: fraggle, smurf, ip-spoofing,
other-attack-100, other-attack-101, other-attack-102,
other-attack-103, other-attack-104, and other-attack-105. For example:
G350-001(super-ACL 301/ip rule 1)# dos-classification smurf
Done!
4. Define the packet criteria to which the ACL rule should apply. See the rule criteria section
on page 646.
For example, you can use destination-ip to specify that the rule applies to packets
with a specific destination address, and ip-protocol to specify that the rule applies to
packets with a specific protocol. The following rule matches ICMP packets sent to the limited
broadcast address 255.255.255.255 (the second argument is the wildcard mask; 0.0.0.0
requires an exact match):
G350-001(super-ACL 301/ip rule 1)# destination-ip 255.255.255.255 0.0.0.0
Done!
G350-001(super-ACL 301/ip rule 1)# ip-protocol icmp
Done!
Note that this rule matches only the limited broadcast address. Smurf traffic aimed at a
subnet-directed broadcast address (for example, the .255 address of a /24 subnet) requires
an additional rule with that address, or a wider wildcard mask.
5. Use the composite-operation command to associate the ACL rule with the predefined
operation "deny-notify". This operation tells the gateway to drop any received packet that matches
the ACL rule and to send a trap each time a packet is dropped. For example:
G350-001(super-ACL 301/ip rule 1)# composite-operation deny-notify
Done!
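The steps above can be hard to reason about without seeing which packets the finished rule actually catches. The following is an added example, not part of the Avaya documentation or the G350 firmware: a small Python model of an ACL holding a DoS-classified rule with the same criteria as ACL 301 / rule 1 above. It assumes Cisco-style wildcard-mask semantics for destination-ip (a 0 bit in the mask must match, a 1 bit is "don't care"; the page shows 0.0.0.0 as the exact-match mask but does not define the mask further), that rules are evaluated in ascending rule-number order, and that a packet matching no rule is forwarded. The Packet, IpRule and AccessControlList names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Classification labels the page lists for the dos-classification command.
DOS_CLASSIFICATIONS = {
    "fraggle", "smurf", "ip-spoofing",
    "other-attack-100", "other-attack-101", "other-attack-102",
    "other-attack-103", "other-attack-104", "other-attack-105",
}
# ip-protocol keywords mapped to IANA protocol numbers.
IP_PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class Packet:
    """Minimal IPv4 header fields needed by the rule criteria modelled here."""
    src: str
    dst: str
    protocol: int


def wildcard_match(address: str, pattern: str, wildcard: str) -> bool:
    """Assumed wildcard-mask semantics: bits set in `wildcard` are ignored,
    bits clear in `wildcard` must equal the pattern bit."""
    a = int(ipaddress.IPv4Address(address))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (p | w)


@dataclass
class IpRule:
    number: int
    dos_classification: Optional[str] = None
    destination_ip: Optional[Tuple[str, str]] = None  # (address, wildcard mask)
    ip_protocol: Optional[str] = None
    composite_operation: str = "permit"  # "permit", "deny" or "deny-notify"

    def __post_init__(self) -> None:
        # Reject labels and protocol keywords the CLI would not accept.
        if self.dos_classification is not None and self.dos_classification not in DOS_CLASSIFICATIONS:
            raise ValueError("unknown dos-classification: %s" % self.dos_classification)
        if self.ip_protocol is not None and self.ip_protocol not in IP_PROTOCOLS:
            raise ValueError("unknown ip-protocol: %s" % self.ip_protocol)

    def matches(self, pkt: Packet) -> bool:
        """Every configured criterion must match; unset criteria match anything."""
        if self.destination_ip is not None:
            addr, wild = self.destination_ip
            if not wildcard_match(pkt.dst, addr, wild):
                return False
        if self.ip_protocol is not None and pkt.protocol != IP_PROTOCOLS[self.ip_protocol]:
            return False
        return True


class AccessControlList:
    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: List[IpRule] = []
        self.traps: List[dict] = []  # traps "sent" by deny-notify

    def add_rule(self, rule: IpRule) -> None:
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.number)  # assumption: lowest rule number first

    def process(self, pkt: Packet) -> str:
        """Return "drop" or "forward" for the first matching rule (default: forward)."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.composite_operation == "deny-notify":
                # Drop the packet and record a trap carrying the DoS label.
                self.traps.append({
                    "acl": self.number, "rule": rule.number,
                    "dos_classification": rule.dos_classification,
                    "src": pkt.src, "dst": pkt.dst, "protocol": pkt.protocol,
                })
                return "drop"
            if rule.composite_operation == "deny":
                return "drop"
            return "forward"
        return "forward"  # assumption: no matching rule -> packet is permitted


def smurf_acl() -> AccessControlList:
    """The ACL 301 / rule 1 configuration from the procedure above, as a model."""
    acl = AccessControlList(301)
    acl.add_rule(IpRule(
        number=1,
        dos_classification="smurf",
        destination_ip=("255.255.255.255", "0.0.0.0"),
        ip_protocol="icmp",
        composite_operation="deny-notify",
    ))
    return acl


if __name__ == "__main__":
    acl = smurf_acl()
    # Constructed sample packets: limited broadcast ping, subnet-directed broadcast ping, UDP.
    for pkt in (Packet("10.0.0.5", "255.255.255.255", 1),
                Packet("10.0.0.5", "10.0.0.255", 1),
                Packet("10.0.0.5", "255.255.255.255", 17)):
        print(pkt.dst, pkt.protocol, "->", acl.process(pkt))
    print("traps:", acl.traps)
```

Running the model shows the point made in step 4: the ICMP packet to 255.255.255.255 is dropped and produces a trap labelled smurf, but the ICMP packet to the subnet-directed broadcast 10.0.0.255 is forwarded because the exact-match mask 0.0.0.0 does not cover it, and a UDP packet to 255.255.255.255 is forwarded because the ip-protocol criterion does not match.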
Special security features
Issue 5 June 2008
85