
Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual


IPv4 Software Access Control List (ACL) Commands

Software Reference for x310 Series Switches


AlliedWare Plus (TM) Operating System - Version 5.4.4C

C613-50046-01 REV A

Usage

See the table below for more information about the DoS attacks recognized by this command:

Type of DoS attack: ipoptions
Description: This type of attack occurs when an attacker sends packets containing bad IP options to a victim node. There are many different types of IP options attacks and this software does not try to distinguish between them. Rather, if this defense is activated, the number of ingress IP packets containing IP options is counted. If the number exceeds 20 packets per second, the switch considers this a possible IP options attack.
This defense does not require the CPU to monitor packets, so it does not put extra load on the switch's CPU.

Type of DoS attack: land
Description: This type of attack occurs when the source IP and destination IP address are the same, which can confuse the target host. Since packets with the same source and destination addresses should never occur, these packets are dropped when this defense is enabled.
This defense does not require the CPU to monitor packets, so it does not put extra load on the switch's CPU.

Type of DoS attack: ping-of-death
Description: This type of attack results from a fragmented packet which, when reassembled, would exceed the maximum size of a valid IP datagram. To detect this attack, the final fragment of ICMP packets has to be sent to the CPU for inspection. This defense can therefore load the CPU.
Note that the extra CPU load will not affect normal traffic switching between ports, but other protocols such as IGMP and STP may be affected. This defense is not recommended where a large number of fragmented packets are expected.

Type of DoS attack: smurf
Description: This type of attack is an ICMP ping packet sent to a broadcast address. Although routers should no longer forward packets to local broadcast addresses (see RFC 2644), Smurf packets can still be explicitly discarded with this command. For a Smurf attack to work, the broadcast IP address is required, so any ICMP ping packet with this destination address is considered an attack.
This defense does not require the CPU to monitor packets, so it does not put extra load on the switch's CPU.
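As an added example (not AlliedWare Plus code, and not how the switch implements these checks in hardware), the four detection rules from the table written as host-side classifier logic over constructed packet records. The 20-byte IPv4 header length, the packet field names and the broadcast address list are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_IP_DATAGRAM = 65535        # largest valid IPv4 datagram, in bytes
IPV4_HEADER_LEN = 20           # assumed: header without options
IPOPTIONS_THRESHOLD_PPS = 20   # from the table: more than 20 packets/second


@dataclass
class Packet:
    """Constructed packet summary carrying only the fields the checks need."""
    ts: int                          # arrival time in whole seconds
    src: str
    dst: str
    proto: str                       # "icmp", "tcp", "udp", ...
    has_options: bool = False        # IP header carries options
    icmp_type: Optional[int] = None  # 8 = echo request
    frag_offset: int = 0             # fragment offset, in 8-byte units
    more_fragments: bool = False     # MF flag
    payload_len: int = 0             # bytes after the IP header in this fragment


class DosClassifier:
    """Applies the four rules from the table to a stream of packets."""

    def __init__(self, broadcast_addrs):
        self.broadcast = set(broadcast_addrs)
        self.options_per_second: Dict[int, int] = defaultdict(int)

    def classify(self, pkt: Packet) -> List[str]:
        hits: List[str] = []
        # land: identical source and destination address; always a hit
        if pkt.src == pkt.dst:
            hits.append("land")
        # smurf: ICMP echo request addressed to a broadcast address
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst in self.broadcast:
            hits.append("smurf")
        # ping-of-death: only the final fragment (MF clear, offset > 0) reveals
        # the reassembled size, so only that fragment needs inspecting
        if pkt.proto == "icmp" and not pkt.more_fragments and pkt.frag_offset > 0:
            total = IPV4_HEADER_LEN + pkt.frag_offset * 8 + pkt.payload_len
            if total > MAX_IP_DATAGRAM:
                hits.append("ping-of-death")
        # ipoptions: a rate, not a single packet; flag once the per-second count passes the threshold
        if pkt.has_options:
            self.options_per_second[pkt.ts] += 1
            if self.options_per_second[pkt.ts] > IPOPTIONS_THRESHOLD_PPS:
                hits.append("ipoptions")
        return hits
```

Note that a normal final fragment (for example offset 185, 20 payload bytes) and a non-final fragment produce no hit, while the ipoptions rule stays silent for the first 20 option-carrying packets in a second and fires from the 21st.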