EdgeSwitch CLI Command Reference
Denial of Service Commands
Note: Denial of Service (DataPlane) is supported on XGS-III and later platforms only.
This section describes the commands you use to configure Denial of Service (DoS) Control. The EdgeSwitch
software provides support for classifying and blocking specific types of Denial of Service attacks. You can
configure your system to monitor and block these types of attacks:
• SIP = DIP: Source IP address = Destination IP address.
• First Fragment: TCP Header size smaller than configured value.
• TCP Fragment: IP Fragment Offset = 1.
• TCP Flag: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or
TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
• L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
• ICMP: Limiting the size of ICMP Ping packets.
• SMAC = DMAC: Source MAC address = Destination MAC address.
• TCP Port: Source TCP Port = Destination TCP Port.
• UDP Port: Source UDP Port = Destination UDP Port.
• TCP Flag & Sequence: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence
Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
• TCP Offset: TCP Header Offset = 1.
• TCP SYN: TCP Flag SYN set.
• TCP SYN & FIN: TCP Flags SYN and FIN set.
• TCP FIN & URG & PSH: TCP Flags FIN and URG and PSH set and TCP Sequence Number = 0.
• ICMP V6: Limiting the size of ICMPv6 Ping packets.
• ICMP Fragment: Checks for fragmented ICMP packets.
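To make the conditions listed above concrete, the following added example (not Ubiquiti code and not the switch's implementation) applies a subset of them to raw Ethernet/IPv4 frames, which is useful for checking a capture against what the switch would classify. The grouping of the and/or terms in the TCP Flag item, the helper names and the sample frames are assumptions constructed for this example.

```python
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
XMAS, SYNFIN = FIN | URG | PSH, SYN | FIN

def dos_checks(frame):
    """Return the listed checks (a subset) that an Ethernet/IPv4 frame matches."""
    hits = []
    if frame[0:6] == frame[6:12]:                    # destination MAC vs source MAC
        hits.append("SMAC = DMAC")
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return hits                                  # only IPv4 is parsed here
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
    more_frags, frag_off, proto = bool(frag & 0x2000), frag & 0x1FFF, ip[9]
    if ip[12:16] == ip[16:20]:
        hits.append("SIP = DIP")
    if proto == 6 and frag_off == 1:
        hits.append("TCP Fragment")
    if proto == 1 and (more_frags or frag_off):
        hits.append("ICMP Fragment")
    l4 = ip[ihl:total_len]
    if frag_off or proto not in (6, 17) or len(l4) < (14 if proto == 6 else 4):
        return hits                                  # no complete L4 header to inspect
    sport, dport = struct.unpack("!HH", l4[0:4])
    if sport == dport:
        hits.append("L4 Port")
    if proto == 6:
        seq, flags = struct.unpack("!I", l4[4:8])[0], l4[13] & 0x3F
        # Assumed grouping: each "or" in the list item separates one alternative.
        if ((flags & SYN and sport < 1024) or (flags == 0 and seq == 0)
                or (flags & XMAS == XMAS and seq == 0) or flags & SYNFIN == SYNFIN):
            hits.append("TCP Flag")
    return hits

def build_frame(smac, dmac, sip, dip, proto, l4, frag=0):   # constructed test input
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag, 64, proto, 0, sip, dip)
    return dmac + smac + b"\x08\x00" + ip + l4

def tcp(sport, dport, seq, flags):                           # 20-byte TCP header
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 1024, 0, 0)

if __name__ == "__main__":
    # Constructed samples: documentation IPs, locally administered MACs.
    a, b = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    m1, m2 = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    print(dos_checks(build_frame(m1, m2, a, b, 6, tcp(40000, 443, 1000, 0x10))))
    print(dos_checks(build_frame(m1, m2, a, a, 6, tcp(40000, 40000, 1000, 0x10))))
    print(dos_checks(build_frame(m1, m2, a, b, 6, tcp(40000, 443, 1000, SYN | FIN))))
```

The First Fragment and ICMP size checks are left out because they depend on configured values that this section does not give.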
dos-control all
This command enables Denial of Service protection checks globally.
Default: disabled
Format: dos-control all
Mode: Global Config
no dos-control all
This command disables Denial of Service prevention checks globally.
Format: no dos-control all
Mode: Global Config
dos-control sipdip
This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service protection. If the
mode is enabled, Denial of Service prevention is active for this type of attack: packets that ingress with
SIP = DIP are dropped.
Default: disabled
Format: dos-control sipdip
Mode: Global Config
Ubiquiti Networks, Inc.
Switching Commands