11.22. DDOS Commands

11.22.1. ip icmp intercept

Command Purpose

To configure the system to resist ICMP flood attacks, use the ip icmp intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip icmp intercept ( maxcount NUMBER | )

no ip icmp intercept

Parameter    Parameter Description                             Parameter Value
NUMBER       Maximum number of received packets per second     0-1000

Command Mode

Global Config

Default

By default, ip icmp intercept is unset.

If maxcount is not specified, the default count is 500.

Usage

Use this command if you want to set the system to limit the ICMP packet rate.

Examples

The following example shows how to configure the ip icmp intercept:

Switch# configure terminal
Switch(config)# ip icmp intercept maxcount 100

The following example unsets ip icmp intercept:

Switch# configure terminal
Switch(config)# no ip icmp intercept

11.22.2. ip smurf intercept

Command Purpose

To configure the system to resist smurf attacks, use the ip smurf intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip smurf intercept

no ip smurf intercept

Command Mode

Global Config

Default

By default, ip smurf intercept is set.

Usage

Use this command if you want to set the system to resist smurf attacks.

Examples

The following example shows how to configure the ip smurf intercept:

Switch# configure terminal
Switch(config)# ip smurf intercept

The following example unsets ip smurf intercept:

Switch# configure terminal
Switch(config)# no ip smurf intercept

Related Commands

show ip-intercept config

11.22.3. ip fraggle intercept

Command Purpose

To configure the system to resist fraggle attacks, use the ip fraggle intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip fraggle intercept

no ip fraggle intercept

Command Mode

Global Config

Default

By default, ip fraggle intercept is unset.

Usage

Use this command if you want to set the system to resist fraggle attacks.

Examples

The following example shows how to configure the ip fraggle intercept:

Switch# configure terminal
Switch(config)# ip fraggle intercept

The following example unsets ip fraggle intercept:

Switch# configure terminal
Switch(config)# no ip fraggle intercept

Related Commands

show ip-intercept config

11.22.4. ip udp intercept

Command Purpose

To configure the system to resist UDP flood attacks, use the ip udp intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip udp intercept ( maxcount NUMBER | )

no ip udp intercept

Parameter    Parameter Description                             Parameter Value
NUMBER       Maximum number of received packets per second     0-1000

Command Mode

Global Config

Default

By default, ip udp intercept is unset.

If maxcount is not specified, the default count is 500.

Usage

Use this command if you want to set the system to limit the UDP packet rate.

Examples

The following example shows how to configure the ip udp intercept:

Switch# configure terminal
Switch(config)# ip udp intercept maxcount 100

The following example unsets ip udp intercept:

Switch# configure terminal
Switch(config)# no ip udp intercept

Related Commands

show ip-intercept config

11.22.5. ip tcp intercept

Command Purpose

To configure the system to resist SYN flood attacks, use the ip tcp intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip tcp intercept ( maxcount NUMBER | )

no ip tcp intercept

Parameter    Parameter Description                             Parameter Value
NUMBER       Maximum number of received packets per second     0-1000

Command Mode

Global Config

Default

By default, ip tcp intercept is unset.

If maxcount is not specified, the default count is 500.

Usage

Use this command if you want to set the system to limit the rate of TCP packets that have only the SYN bit set.

Examples

The following example shows how to configure the ip tcp intercept:

Switch# configure terminal
Switch(config)# ip tcp intercept maxcount 100

The following example unsets ip tcp intercept:

Switch# configure terminal
Switch(config)# no ip tcp intercept

Related Commands

show ip-intercept config

11.22.6. ip small-packet intercept

Command Purpose

To configure the system to filter small packets, use the ip small-packet intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip small-packet intercept ( length NUMBER | )

no ip small-packet intercept

Parameter    Parameter Description                   Parameter Value
NUMBER       Length of a small packet, in bytes      28-65535

Command Mode

Global Config

Default

By default, ip small-packet intercept is unset.

If the length is not specified, the default value is 28 bytes.

Usage

Use this command if you want to set the system to drop packets whose length is less than the configured value.

Examples

The following example configures the ip small-packet intercept:

Switch# configure terminal
Switch(config)# ip small-packet intercept length 32

The following example unsets ip small-packet intercept:

Switch# configure terminal
Switch(config)# no ip small-packet intercept

Related Commands

show ip-intercept config

11.22.7. ip maceq intercept

Command Purpose

To configure the system to intercept packets whose source MAC equals the destination MAC, use the ip maceq intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip maceq intercept

no ip maceq intercept

Command Mode

Global Config

Default

By default, ip maceq intercept is unset.

Usage

Use this command if you want to set the system to drop packets whose source MAC equals the destination MAC.

Examples

The following example configures ip maceq intercept:

Switch# configure terminal
Switch(config)# ip maceq intercept

The following example unsets ip maceq intercept:

Switch# configure terminal
Switch(config)# no ip maceq intercept

Related Commands

show ip-intercept config

11.22.8. ip ipeq intercept

Command Purpose

To configure the system to intercept packets whose source IP address equals the destination IP address, use the ip ipeq intercept command in Global Config mode. To disable this capability, use the no form of this command.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

ip ipeq intercept

no ip ipeq intercept

Command Mode

Global Config

Default

By default, ip ipeq intercept is unset.

Usage

Use this command if you want to set the system to drop packets whose source IP address equals the destination IP address.

Examples

The following example configures ip ipeq intercept:

Switch# configure terminal
Switch(config)# ip ipeq intercept

The following example unsets ip ipeq intercept:

Switch# configure terminal
Switch(config)# no ip ipeq intercept

Related Commands

show ip-intercept config

11.22.9. show ip-intercept config

Command Purpose

To display the ip intercept configuration, use the show ip-intercept config command in Privileged EXEC mode.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

show ip-intercept config

Command Mode

Privileged EXEC

Default

None

Usage

Use this command to display ip intercept configurations.

Examples

The following example shows the configuration of ip intercept:

Switch# show ip-intercept config

Current DDoS Prevent configuration: 
============================================================
ICMP Flood Intercept             :Enable  Maxconut:100
UDP Flood Intercept              :Enable  Maxconut:100
SYN Flood Intercept              :Enable  Maxconut:100
Small-packet Attack Intercept    :Enable  Packet Length:32
Sumrf Attack Intercept           :Enable
Fraggle Attack Intercept         :Enable
MAC Equal Intercept              :Disable
IP Equal Intercept               :Disable 

Related Commands

show ip-intercept config
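
A configuration-drift check over this output, as an added example that is not part of the vendor documentation. The parser follows the sample above, including the device's own spellings "Maxconut" and "Sumrf"; the BASELINE policy and the function names are assumptions.

```python
import re

# Output copied from this page's `show ip-intercept config` example.
SAMPLE = """\
Current DDoS Prevent configuration:
============================================================
ICMP Flood Intercept             :Enable  Maxconut:100
UDP Flood Intercept              :Enable  Maxconut:100
SYN Flood Intercept              :Enable  Maxconut:100
Small-packet Attack Intercept    :Enable  Packet Length:32
Sumrf Attack Intercept           :Enable
Fraggle Attack Intercept         :Enable
MAC Equal Intercept              :Disable
IP Equal Intercept               :Disable
"""

# "<label> :<Enable|Disable>", optionally followed by "<key>:<number>".
LINE = re.compile(
    r"^(?P<name>.+?)\s*:(?P<state>Enable|Disable)\b"
    r"\s*(?:[A-Za-z ]+?:(?P<val>\d+))?\s*$")

def parse_config(text):
    """Return {label: (enabled, limit_or_None)} from the CLI output."""
    out = {}
    for line in text.splitlines():
        if m := LINE.match(line):
            limit = int(m["val"]) if m["val"] else None
            out[m["name"]] = (m["state"] == "Enable", limit)
    return out

# Hypothetical site baseline (an assumption, not a vendor recommendation).
BASELINE = {
    "ICMP Flood Intercept": (True, 100),
    "UDP Flood Intercept": (True, 100),
    "SYN Flood Intercept": (True, 100),
    "Small-packet Attack Intercept": (True, 32),
    "Sumrf Attack Intercept": (True, None),  # label as the device prints it
    "Fraggle Attack Intercept": (True, None),
    "MAC Equal Intercept": (True, None),
    "IP Equal Intercept": (True, None),
}

def audit(text, baseline=BASELINE):
    """List every label whose state or limit differs from the baseline."""
    seen = parse_config(text)
    # A label missing from the output is reported, never assumed enabled.
    return [f"{label}: expected {want}, found {seen.get(label, 'missing')}"
            for label, want in baseline.items() if seen.get(label) != want]
```

Against the sample output, audit(SAMPLE) reports the two disabled checks (MAC Equal and IP Equal); truncated or relabelled output is reported as missing rather than passing silently.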

11.22.10. show ip-intercept statistics

Command Purpose

To display the statistics of intercepted packets, use the show ip-intercept statistics command in Privileged EXEC mode.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

show ip-intercept statistics

Command Mode

Privileged EXEC

Default

None

Usage

Use this command to display ip intercept statistics.

Examples

The following is sample output from the show ip-intercept statistics command:

Switch# show ip-intercept statistics

Current DDoS Prevent statistics: 
============================================================
Resist Small-packet Attack packets number    :  17307
Resist ICMP Flood packets number             :  0
Resist SYN Flood packets number              :  0
Resist Fraggle Attack packets number         :  0
Resist UDP Flood packets number              :  0

Current DDoS Prevent mgmt-if statistics: 
============================================================
Resist ICMP Flood packets number             :  0
Resist SYN Flood packets number              :  0
Resist Fraggle Attack packets number         :  0
Resist UDP Flood packets number              :  0

Related Commands

clear ip-intercept statistics

11.22.11. clear ip-intercept statistics

Command Purpose

To clear the statistics of intercepted packets, use the clear ip-intercept statistics command in Privileged EXEC mode.

Prerequisites

Platform    Software    License    Comments
AQ-N3000    7.0         Base
AQ-N5000    7.0         Base
AQ-N6000    7.0         Base

Command Syntax

clear ip-intercept statistics

Command Mode

Privileged EXEC

Default

None

Usage

Use this command to clear ip intercept statistics.

Examples

The following example shows how to use the clear ip-intercept statistics command:

Switch# clear ip-intercept statistics
Switch# show ip-intercept statistics

Current DDoS Prevent statistics: 
============================================================
Resist Small-packet Attack packets number    :  0
Resist ICMP Flood packets number             :  0
Resist SYN Flood packets number              :  0
Resist Fraggle Attack packets number         :  0
Resist UDP Flood packets number              :  0

Current DDoS Prevent mgmt-if statistics: 
============================================================
Resist ICMP Flood packets number             :  0
Resist SYN Flood packets number              :  0
Resist Fraggle Attack packets number         :  0
Resist UDP Flood packets number              :  0

Related Commands

show ip-intercept statistics
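
Polling show ip-intercept statistics and diffing successive snapshots turns these counters into an alertable signal. The following added example (not from the vendor documentation) parses both sections and treats a counter that went down as having been reset by clear ip-intercept statistics; the second poll, the "default" scope label and the function names are constructed for illustration.

```python
import re

# First poll: copied from this page's `show ip-intercept statistics` sample.
POLL_1 = """\
Current DDoS Prevent statistics:
============================================================
Resist Small-packet Attack packets number    :  17307
Resist ICMP Flood packets number             :  0
Resist SYN Flood packets number              :  0
Resist Fraggle Attack packets number         :  0
Resist UDP Flood packets number              :  0

Current DDoS Prevent mgmt-if statistics:
============================================================
Resist ICMP Flood packets number             :  0
Resist SYN Flood packets number              :  0
Resist Fraggle Attack packets number         :  0
Resist UDP Flood packets number              :  0
"""

# Second poll (constructed): two counters in the first section advanced.
POLL_2 = re.sub(r"(SYN Flood packets number\s*:\s*)0", r"\g<1>250",
                POLL_1.replace("17307", "17420"), count=1)

SECTION = re.compile(r"^Current DDoS Prevent (mgmt-if )?statistics:")
COUNTER = re.compile(r"^Resist (.+?) packets number\s*:\s*(\d+)\s*$")

def parse_stats(text):
    """Return {(scope, attack): count}; scope is 'default' or 'mgmt-if'."""
    scope, out = None, {}
    for line in text.splitlines():
        if s := SECTION.match(line):
            scope = "mgmt-if" if s.group(1) else "default"
        elif (c := COUNTER.match(line)) and scope:
            out[(scope, c.group(1))] = int(c.group(2))
    return out

def new_drops(prev, curr):
    """Packets intercepted between two polls, keyed like parse_stats()."""
    deltas = {}
    for key, now in curr.items():
        before = prev.get(key, 0)
        # Lower than the last poll: counters were cleared, count from zero.
        delta = now - before if now >= before else now
        if delta:
            deltas[key] = delta
    return deltas
```

Keeping the mgmt-if section under its own key lets an alert distinguish traffic aimed at the management interface from traffic in the first section.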