Online demo
Contact us
6.5.1. dos
Syntax
dos (daeqsa-deny|icmp-frag-pkts-deny|icmpv4-ping-max-check|icmpv6-ping-max-check|ipv6-min-frag-size-check|land-deny|nullscan-deny|pod-deny|smurf-deny|syn-sportl1024-deny|synfin-deny|synrst-deny|tcp-frag-off-min-check|tcpblat-deny|tcphdr-min-check|udpblat-deny|xmas-deny)
dos icmp-ping-max-length MAX_LEN
dos ipv6-min-frag-size-length MIN_LEN
dos smurf-netmask MASK
dos tcphdr-min-length HDR_MIN_LEN
no dos (tcp-frag-off-min-check|synrst-deny|synfin-deny|xma-deny|nullscan-deny|syn-sportl1024-deny|tcphdr-min-check|smurf-deny|icmpv6-ping-max-check|icmpv4-ping-max-check|icmp-frag-pkts-deny|ipv6-min-frag-size-check|pod-deny|tcpblat-deny|udpblat-deny|land-deny|daeqsa-deny)
Parameter
daeqsa-deny |
Drops the packets if the destination MAC address is equal to the source MAC address. |
icmp-frag-pkts-deny |
Drops the fragmented ICMP packets. |
icmpv4-ping-max-check |
Checks the maximum size of ICMP ping packets, and drops the packets larger than the maximum packet size defined by the command dos icmp-ping-max-length MAX_LEN. |
icmpv6-ping-max-check |
Checks the maximum size of ICMPv6 ping packets, and drops the packets larger than the maximum packetsize defined by the commanddos icmp-ping-max-length MAX_LEN. |
ipv6-min-frag-size-check |
Checks the minimum size of IPv6 fragments, and drops the packets smaller than the minimum size defined by the commanddos ipv6-min-frag-size-length MIN_LEN. |
land-deny |
Drops the packets if the source IP address is equal tothe destination IP address. |
nullscan-deny |
Drops the packets with NULL scan. |
pod-deny |
Avoids ping of death attack. |
smurf-deny |
Avoids smurf attack. |
syn-sportl1024-deny |
Drops SYN packets with sport less than 1024. |
synfin-deny |
Drops the packets with SYN and FIN bits set. |
synrst-deny |
Drops the packets with SYN and RST bits set. |
tcp-frag-off-min-check |
Drops the TCP fragment packets with offset equals toone. |
tcpblat-deny |
Drops the packages if the TCP source port is equal tothe TCP destination port. |
tcphdr-min-check |
Checks the minimum TCP header and drops the TCP packets with the header smaller than the minimum size defined by the commanddos tcphdr-min-length HDR_MIN_LEN. |
udpblat-deny |
Drops the packets if the UDP source port equals to the UDP destination port. |
xmas-deny |
Drops the packets if the sequence number is zero, andthe FIN, URG and PSH bits are set. |
icmp-ping-max-length MAX_LEN |
Specify the maximum size of the ICMPv4/ICMPv6 ping packets. The valid range is from 0 to 65535 bytes,and the default value is 512 bytes. |
ipv6-min-frag-size-length MIN_LEN |
Specify the minimum size of IPv6 fragments. The valid range is from 0 to 65535 bytes, and default value is1240 bytes. |
smurf-netmask MASK |
Specify the netmask of smurf attack. The length rangeis from 0 to 323 bytes, and default length is 0 bytes. |
tcphdr-min-length HDR_MIN_LEN |
Specify the minimum TCP header length. The length range is from 0 to 31 bytes, and default length is 20 bytes. |
Default
All of DoS protections are enabled by default. The default parameter are:
The maximum size of ICMP ping packages is 512 bytes
The minimum size of IPv6 fragments is 1240 bytes.
The Smurf netmask length is 0 bytes.
The minimum TCP header length is 20 bytes.
Mode
Global Configuration
Usage
To enable the specific Denial of Service (DoS) protection, use the
command dos in the Global Configuration mode.
Example
The following example sets the minimum fragment size to 1024 bytes, and enables the minimum size of IPv6 fragments validation.
Switch(config)# dos ipv6-min-frag-size-length 1024
Switch(config)# dos ipv6-min-frag-size-check