| General Security Measures
C
24
HAPTER
Denial of Service Protection
dos-protection
smurf
dos-protection
tcp-flooding
D
S
EFAULT
ETTING
Disabled, 1000 kbits/second
C
M
OMMAND
ODE
Global Configuration
E
XAMPLE
Console(config)#dos-protection echo-chargen 65
Console(config)#
This command protects against DoS smurf attacks in which a perpetrator
generates a large amount of spoofed ICMP Echo Request traffic to the
broadcast destination IP address (255.255.255.255), all of which uses a
spoofed source address of the intended victim. The victim should crash due
to the many interrupts required to send ICMP Echo response packets. Use
the no form to disable this feature.
S
YNTAX
[no] dos-protection smurf
D
S
EFAULT
ETTING
Enabled
C
M
OMMAND
ODE
Global Configuration
E
XAMPLE
Console(config)#dos-protection smurf
Console(config)#
This command protects against DoS TCP-flooding attacks in which a
perpetrator sends a succession of TCP SYN requests (with or without a
spoofed-Source IP) to a target and never returns ACK packets. These
half-open connections will bind resources on the target, and no new
connections can be made, resulting in a denial of service. Use the no form
to disable this feature.
S
YNTAX
dos-protection tcp-flooding [bit-rate-in-kilo rate]
no dos-protection tcp-flooding
rate – Maximum allowed rate. (Range: 64-2000 kbits/second)
D
S
EFAULT
ETTING
Disabled, 1000 kbits/second
– 934 –