Chapter 8 | General Security Measures
Denial of Service Protection
dos-protection tcp syn-rst-scan
This command protects against SYN/RST-scan attacks, in which forged TCP segments carrying both the SYN and RST flags are used to tear down an ongoing TCP session. An attacker forges a series of Synchronize (SYN) and Reset (RST) packets in an attempt to hit a sequence number that falls inside the victim's current TCP receive window. A successful guess terminates the TCP session. Depending on the targeted software or hardware, the outcome may be a simple denial of service, or it may leave the system in an unpredictable state, possibly leading to data loss or additional vulnerabilities.
Syntax
[no] dos-protection tcp syn-rst-scan
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When enabled, the switch drops TCP segments in which SYN=1 and RST=1. A legitimate TCP segment never carries both flags, so the filter does not affect normal traffic.
Example
Console(config)#dos-protection tcp syn-rst-scan
Console(config)#

dos-protection tcp syn-urg-block
This command protects against attacks in which a TCP segment carrying both the SYN and URG flags is used to interrupt or abort the queued stream.
Syntax
[no] dos-protection tcp syn-urg-block
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When enabled, the switch drops TCP segments in which SYN=1 and URG=1.
Example
Console(config)#dos-protection tcp syn-urg-block
Console(config)#
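The two filters above are defined purely by TCP flag combinations. The following is an added example, not vendor code and not part of the original manual: it parses a raw TCP header, reads the flag byte, and classifies each segment the way the two commands would, so that the difference between a normal SYN, SYN/ACK or RST and the forged SYN+RST / SYN+URG segments is visible in code. The helper names (build_tcp_header, tcp_flags, classify, classify_all) and the verdict labels DROP_SYN_RST / DROP_SYN_URG / PASS are assumptions chosen for illustration; the sample segments are constructed in the block.

```python
"""Classify TCP segments by the flag combinations that
`dos-protection tcp syn-rst-scan` (SYN+RST) and
`dos-protection tcp syn-urg-block` (SYN+URG) are documented to drop.

Added example for illustration; not the switch vendor's code. The function
and label names are assumptions. Sample segments are constructed below.
"""
import struct

# TCP flag bits in the 14th header byte (byte index 13), RFC 793 / RFC 3168 layout:
# bit 0 = FIN ... bit 5 = URG, bit 6 = ECE, bit 7 = CWR.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options, checksum left zero).
    Used only to construct sample input for this example."""
    data_offset = 5 << 4  # 5 x 32-bit words; reserved bits zero
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(header):
    """Return the flag byte of a TCP header, validating the data offset first."""
    if len(header) < 20:
        raise ValueError("short TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("bad TCP data offset")
    return header[13]


def classify(header, syn_rst_scan=True, syn_urg_block=True):
    """Verdict for one segment under the two (optionally enabled) filters.
    A segment with both SYN and RST, or both SYN and URG, is never legitimate."""
    flags = tcp_flags(header)
    if syn_rst_scan and flags & SYN and flags & RST:
        return "DROP_SYN_RST"
    if syn_urg_block and flags & SYN and flags & URG:
        return "DROP_SYN_URG"
    return "PASS"


# Constructed sample segments: three normal handshake/teardown segments and
# two forged ones of the kind the commands are meant to stop.
SAMPLE_SEGMENTS = {
    "syn":     build_tcp_header(40000, 22, 1000, 0, SYN),
    "syn_ack": build_tcp_header(22, 40000, 5000, 1001, SYN | ACK),
    "rst":     build_tcp_header(22, 40000, 5000, 0, RST),
    "syn_rst": build_tcp_header(40000, 22, 1000, 0, SYN | RST),
    "syn_urg": build_tcp_header(40000, 22, 1000, 0, SYN | URG | ACK),
}


def classify_all(segments, **policy):
    """Apply classify() to a dict of name -> raw header with the given policy."""
    return {name: classify(hdr, **policy) for name, hdr in segments.items()}


if __name__ == "__main__":
    # With both filters enabled (the state after the two Example commands):
    for name, verdict in classify_all(SAMPLE_SEGMENTS).items():
        print(f"{name:8s} -> {verdict}")
    # With syn-rst-scan left at its default (disabled), the forged SYN+RST passes:
    print("syn_rst with filter disabled ->",
          classify(SAMPLE_SEGMENTS["syn_rst"], syn_rst_scan=False))
```

The policy keyword arguments mirror the two commands' default of Disabled: running classify_all with syn_rst_scan=False shows that, without the command, the forged SYN+RST segment would be forwarded like any other. Note the data-offset check in tcp_flags: a filter that reads byte 13 of a truncated or malformed header would misclassify, so the parser rejects such input rather than guessing.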