Enabling/Disabling IP Services - Alcatel OmniSwitch 6624 Network Configuration Manual

Configuring IP
Setting the Port Scan Penalty Value Threshold
The port scan penalty value threshold is the highest value the total penalty value for the switch can reach
before a trap is generated informing the administrator that a port scan is in progress.
To set the port scan penalty value threshold, enter the threshold value with the ip dos scan threshold
command. For example, to set the port scan penalty value threshold to 2000, enter the following:
-> ip dos scan threshold 2000
Setting the Decay Value
The decay value is the amount the total penalty value is divided by every minute. As the switch records
incoming UDP and TCP packets, it adds their assigned penalty values together to create the total penalty
value for the switch. To prevent the switch from registering a port scan from normal traffic, the decay
value lowers the total penalty value every minute to compensate for normal traffic flow.
To set the decay value, enter the decay value with the ip dos scan decay command. For example, to set
the decay value to 2, enter the following:
-> ip dos scan decay 2
Enabling DoS Traps
DoS traps must be enabled in order for the switch to warn the administrator that a port scan may be in
progress when the switch total penalty value crosses the port scan penalty value threshold.
To enable SNMP trap generation, enter the ip dos scan trap command, as shown:
-> ip dos scan trap enable
To disable DoS traps, enter the same ip dos scan trap command, as shown:
-> ip dos scan trap disable
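As an added illustration, not part of the Alcatel manual, the following Python model plays out the threshold and decay rules above minute by minute, and goes one step further: it derives the steady-state total that a constant penalty rate converges to, which is what decides whether a site's normal traffic can reach the threshold on its own. The per-minute penalty figures are constructed, and the exact order in which the switch adds penalties, checks the threshold and applies the decay is an assumption.

```python
# Added example (not Alcatel code): minute-by-minute model of the port scan
# penalty counter. Assumption: during each minute the penalties of that
# minute's packets are added to the total, the trap fires the first time the
# total reaches the threshold, and at the end of the minute the total is
# divided by the decay value. All penalty figures below are constructed.
from typing import Iterable, Optional, Tuple


def simulate(per_minute_penalty: Iterable[float], threshold: float,
             decay: float) -> Tuple[Optional[int], float]:
    """Return (minute in which the trap fires, or None; total after the last decay)."""
    if decay < 1:
        raise ValueError("decay value must be at least 1 (1 means no decay)")
    total = 0.0
    fired: Optional[int] = None
    for minute, added in enumerate(per_minute_penalty, start=1):
        total += added                      # penalties of this minute's packets
        if fired is None and total >= threshold:
            fired = minute                  # with 'ip dos scan trap enable' the trap is sent here
        total /= decay                      # end-of-minute decay
    return fired, total


def sustained_peak(rate: float, decay: float) -> float:
    """Highest pre-decay total that a constant `rate` of penalty per minute converges to.

    The post-decay fixed point of T = (T + rate) / decay is T = rate / (decay - 1),
    so the total just before each decay tends to rate * decay / (decay - 1).
    """
    if decay == 1:
        return float("inf")                 # no decay: any rate eventually crosses any threshold
    return rate * decay / (decay - 1)


def baseline_trips_trap(rate: float, threshold: float, decay: float) -> bool:
    """True if normal traffic at `rate` penalty/minute would itself reach the threshold."""
    return sustained_peak(rate, decay) >= threshold


if __name__ == "__main__":
    # Settings from the manual's examples: threshold 2000, decay 2.
    normal = [500] * 10                     # constructed: steady background traffic
    print(simulate(normal, 2000, 2))        # (None, ...): never fires, total settles near 500
    scan = normal[:5] + [2500]              # constructed: one-minute burst typical of a scan
    print(simulate(scan, 2000, 2))          # fires in minute 6
    print(baseline_trips_trap(500, 2000, 2), baseline_trips_trap(500, 2000, 1))  # False True
```

With decay 2 the steady background load peaks at 1000 and never trips the 2000 threshold, while the same load with decay 1 (no decay) crosses it in four minutes, which is why the decay value has to be set before the threshold is judged.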

Enabling/Disabling IP Services

When a switch initially boots up, all supported TCP/UDP well-known service ports are enabled (open).
Although these ports provide access for essential switch management services, such as telnet, ftp, snmp,
etc., they are also vulnerable to DoS attacks. It is possible to scan open service ports and launch such
attacks based on well-known port information.
The ip service command allows you to selectively disable (close) TCP/UDP well-known service ports and
enable them when necessary. This command only operates on TCP/UDP ports that are opened by default.
It has no effect on ports that are opened by loading applications, such as RIP, BGP, etc.
In addition, the ip service command allows you to designate which port to enable or disable by specifying
the name of a service or the well-known port number associated with that service. For example, both of
the following commands disable the telnet service:
-> no ip service telnet
-> no ip service port 23
Note that specifying a port number requires the use of the optional port keyword.
To enable or disable more than one service in a single command line, enter each service name separated
by a space. For example, the following command enables the telnet, ftp, and snmp service ports:
-> ip service telnet ftp snmp
OmniSwitch 6624/6648 Network Configuration Guide, April 2004, IP Configuration, page 12-13