Set dos smurf – Allied Telesis AT-S63 User Manual

Chapter 19: Denial of Service Defense Commands

Section II: Advanced Operations

SET DOS SMURF

Syntax

set dos smurf port=port state=enable|disable

Parameters

port
Specifies the switch ports on which you want to enable or disable SMURF defense. You can select more than one port at a time.

state
Specifies the state of the SMURF defense. The options are:

enable - Activates the defense.

disable - Deactivates the defense. This is the default.

Description

This command activates and deactivates the SMURF DoS defense.

This DoS attack is instigated by an attacker sending a Ping request
containing a broadcast address as the destination address and the
address of the victim as the source of the Ping. This overwhelms the
victim with a large number of Ping replies from other network nodes.

A switch port defends against this form of attack by examining the
destination addresses of ingress Ping packets and discarding those that
contain a broadcast address as a destination address.

To implement this defense, you need to specify the IP address of any
device on your network, preferably the lowest IP address, and a mask
using “SET DOS” on page 330. The switch uses the combination of the
two to determine your network’s broadcast address. Any ingress Ping
packets containing the broadcast address are discarded.
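The check described above, modelled in software as an added example (not code from the manual or the switch firmware). The 192.168.1.0/24 addresses and all function names are hypothetical, and "Ping packet" is assumed to mean an ICMP echo request:

```python
import ipaddress
import struct

def broadcast_from(host_ip, mask):
    """Directed-broadcast address derived from any host address plus the mask."""
    return ipaddress.IPv4Network(f"{host_ip}/{mask}", strict=False).broadcast_address

def build_ping(src, dst, icmp_type=8):
    """Constructed sample: minimal IPv4 header + 8-byte ICMP header, checksums zero."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + icmp

def should_discard(packet, broadcast):
    """True when an ingress packet is an ICMP echo request sent to `broadcast`."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1:
        return False                      # malformed or not ICMP
    if packet[ihl] != 8:
        return False                      # not an echo request (assumed meaning of "Ping")
    return ipaddress.IPv4Address(packet[16:20]) == broadcast

def classify(host_ip, mask, packets):
    """Return [(label, discarded)] for each (label, packet) pair."""
    bcast = broadcast_from(host_ip, mask)
    return [(label, should_discard(pkt, bcast)) for label, pkt in packets]

# Constructed traffic for a hypothetical 192.168.1.0/24 network; 192.168.1.50 is the victim.
SAMPLES = [
    ("spoofed ping to broadcast", build_ping("192.168.1.50", "192.168.1.255")),
    ("ordinary ping to a host", build_ping("192.168.1.10", "192.168.1.20")),
    ("echo reply to broadcast", build_ping("192.168.1.10", "192.168.1.255", icmp_type=0)),
]

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):   # second mask is a deliberate misconfiguration
        print(mask, broadcast_from("192.168.1.1", mask), classify("192.168.1.1", mask, SAMPLES))
```

Any host address in the subnet gives the same broadcast address, but a mask that does not match the real network (the second run) yields a different broadcast address, so the spoofed ping to 192.168.1.255 no longer matches.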

This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without having it negatively
impact switch performance.

Example

The following command activates this defense on port 17:

set dos smurf port=17 state=enable