Chapter 8 | General Security Measures
Denial of Service Protection
Protection for ICMP
dos-protection icmp flood
dos-protection icmp nuke
Command Mode
Global Configuration
Example
Console(config)#dos-protection
Console(config)#
This command protects against flooding attacks in which large numbers of ICMP
packets (or simply oversized ones) are sent to a host in an attempt to crash the
host's TCP/IP stack. An ICMP flood can consist of any type of ICMP message,
including smurf, ping-flood, or ping-of-death attacks.
Syntax
dos-protection icmp flood [bit-rate-in-kilo rate]
no dos-protection icmp flood
rate – Maximum allowed rate. (Range: 64-2048 kbits/second)
Default Setting
Disabled, 1024 kbits/second
Default Setting
Disabled
Command Mode
Global Configuration
Example
Console(config)#dos-protection icmp flood
Console(config)#
This command protects against nuke attacks, which use a modified ping utility to
repeatedly send IPv4/v6 fragmented or otherwise invalid ICMP packets, slowing down
the affected host until it comes to a complete stop. Nuke attacks may also send
ICMP packets (usually through port 139) with a "destination unreachable" message
to cause connection breaks.
Syntax
[no] dos-protection icmp nuke
Default Setting
Disabled
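An added example, not part of the original manual: a Python audit of a saved configuration for the two commands above, using the syntax, rate range and defaults given in this reference. It assumes the configuration lists commands one per line in that same syntax; the function name and the sample configuration are constructed.

```python
import re

# Range and default taken from the dos-protection icmp flood reference above.
DEFAULT_RATE, MIN_RATE, MAX_RATE = 1024, 64, 2048
FLOOD_RE = re.compile(r"^(no\s+)?dos-protection\s+icmp\s+flood(?:\s+bit-rate-in-kilo\s+(\S+))?$")
NUKE_RE = re.compile(r"^(no\s+)?dos-protection\s+icmp\s+nuke$")


def audit_icmp_protection(config_text):
    """Return (state, findings) for the two ICMP DoS-protection commands.

    Assumption: the saved configuration echoes commands in the syntax shown
    in this reference, one per line, and later lines override earlier ones.
    """
    state = {"flood": False, "rate": DEFAULT_RATE, "nuke": False}  # both default to disabled
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = FLOOD_RE.match(line)
        if m:
            negated, rate = m.groups()
            if negated:
                state["flood"] = False
            elif rate is None:
                state["flood"] = True  # enabled at the rate already in effect
            elif rate.isascii() and rate.isdigit() and MIN_RATE <= int(rate) <= MAX_RATE:
                state["flood"], state["rate"] = True, int(rate)
            else:
                findings.append(f"invalid flood rate {rate!r}: range is {MIN_RATE}-{MAX_RATE} kbits/second")
            continue
        m = NUKE_RE.match(line)
        if m:
            state["nuke"] = not m.group(1)
    if not state["flood"]:
        findings.append("ICMP flood protection is disabled")
    if not state["nuke"]:
        findings.append("ICMP nuke protection is disabled")
    return state, findings


# Constructed sample configuration, not captured from a real switch.
SAMPLE_CONFIG = """\
hostname edge-sw1
dos-protection icmp flood bit-rate-in-kilo 512
no dos-protection icmp nuke
"""

if __name__ == "__main__":
    print(audit_icmp_protection(SAMPLE_CONFIG))
```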