Ubiquiti EdgeSwitch ES-24-250W Administration Manual page 51

EdgeSwitch Administration Guide
™
Field
SMAC=DMAC
TCP FIN and URG and PSH
TCP Flag and Sequence
TCP SYN
TCP SYN and FIN
TCP Fragment
TCP Offset
Min TCP Hdr Size
ICMP Settings – These options help prevent the device and the network from attacks that involve issues with the ICMP echo request
packets (pings) that the device receives.
ICMP
Max ICMPv4 Size
ICMPv6
Max ICMPv6 Size
ICMP Fragment
Use the buttons to perform the following tasks:
• If you change any of the DoS settings, click Submit to apply the changes to the running configuration.
• Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.
Ubiquiti Networks, Inc.
Denial of Service Configuration Fields (Continued)
Description
When selected, this option allows the device to drop packets that have a source MAC address equal to
the destination MAC address.
When selected, this option allows the device to drop packets that have TCP Flags FIN, URG, and PSH
set and a TCP Sequence Number equal to 0.
When selected, this option allows the device to drop packets that have TCP control flags set to 0 and
the TCP sequence number set to 0.
When selected, this option allows the device to drop packets that have TCP Flags SYN set.
When selected, this option allows the device to drop packets that have TCP Flags SYN and FIN set.
When selected, this option allows the device to drop packets that have a TCP payload where the IP
payload length minus the IP header size is less than the minimum allowed TCP header size.
When selected, this option allows the device to drop packets that have a TCP header Offset set to 1.
The minimum TCP header size allowed. If First Fragment DoS prevention is enabled, the device will
drop packets that have a TCP header smaller than this configured value.
Enable this option to allow the device to drop ICMP packets that have a type set to ECHO_REQ (ping)
and a payload size greater than the ICMP payload size configured in the Max ICMPv4 Size field.
The maximum allowed ICMPv4 packet size. If ICMP DoS prevention is enabled, the device will drop
ICMPv4 ping packets that have a size greater then this configured maximum ICMPv4 packet size.
Enable this option to allow the device to drop ICMP packets that have a type set to ECHO_REQ (ping)
and a payload size greater than the ICMP payload size configured in the Max ICMPv6 Size field.
The maximum allowed IPv6 ICMP packet size. If ICMP DoS prevention is enabled, the switch will drop
IPv6 ICMP ping packets that have a size greater than this configured maximum ICMPv6 packet size.
Enable this option to allow the device to drop fragmented ICMP packets.
Configuring System Information
50