Set dos ipoption – Allied Telesis AT-S62 User Manual
AT-S62 Command Line User’s Guide
SET DOS IPOPTION
Syntax
set dos ipoption port=port state=enable|disable [mirrorport=port]
Parameters
port
Specifies the switch port on which you want to enable
or disable the IP Option defense. You can specify more
than one port at a time.
state
Specifies the state of the IP Option defense. The
options are:
enable
Activates the defense.
disable
Deactivates the defense. This is the default.
mirrorport
Specifies a port where invalid traffic is copied. You can
specify only one port.
Description
This command enables and disables the IP Options DoS defense.
This type of attack occurs when an attacker sends packets containing
bad IP options to a victim node. There are many different types of IP
options attacks and the AT-S62 management software does not try to
distinguish between them. Rather, a switch port where this defense is
activated counts the number of ingress IP packets containing IP options.
If the number exceeds 20 packets per second, the switch considers this a
possible IP options attack and does the following:
❑ It sends a trap to the management workstations.
❑ The switch port discards all ingress packets containing IP options
for a one-minute period.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.
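The counting behaviour described above, modelled as an added Python example (it is not Allied Telesis code and not part of the manual). It assumes a packet "contains IP options" when the IPv4 header length field (IHL) is greater than 5 and that the per-second count uses fixed one-second windows; the class, function names and sample packets are constructed for illustration.

```python
import struct

THRESHOLD_PPS = 20   # manual: more than 20 option-bearing packets per second
BLOCK_SECONDS = 60   # manual: discard for a one-minute period

def has_ip_options(packet: bytes) -> bool:
    """True if the IPv4 header is longer than the 20-byte base header (IHL > 5)."""
    if len(packet) < 20:
        return False
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    return version == 4 and ihl > 5 and len(packet) >= ihl * 4

class IpOptionDefense:
    """Per-port model; the fixed one-second window is an assumption."""
    def __init__(self):
        self.window, self.count = None, 0        # second being counted, packets seen in it
        self.blocked_until, self.traps = 0.0, 0  # end of discard period, traps sent

    def ingress(self, now: float, packet: bytes) -> bool:
        """Return True if the packet is forwarded, False if it is discarded."""
        if not has_ip_options(packet):
            return True                      # packets without options are unaffected
        if now < self.blocked_until:
            return False                     # inside the one-minute discard period
        second = int(now)
        if second != self.window:
            self.window, self.count = second, 0
        self.count += 1
        if self.count > THRESHOLD_PPS:
            self.traps += 1                  # stands in for the trap to management stations
            self.blocked_until = now + BLOCK_SECONDS
            return False
        return True

def make_ipv4(ihl: int) -> bytes:
    """Constructed sample header: IPv4, given IHL, options filled with No-Operation bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 17, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + b"\x01" * (ihl * 4 - 20)

def simulate():
    """30 option-bearing packets in 0.3 s, then probes during and after the block."""
    port = IpOptionDefense()
    burst = [port.ingress(100.0 + i * 0.01, make_ipv4(6)) for i in range(30)]
    plain = port.ingress(100.5, make_ipv4(5))    # no options, sent during the block
    during = port.ingress(130.0, make_ipv4(6))   # options, still inside the minute
    after = port.ingress(161.0, make_ipv4(6))    # options, after the minute has passed
    return burst.count(True), plain, during, after, port.traps
```

In this model only packets that carry options are ever discarded, so ordinary traffic on the port keeps flowing while the discard period is active.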
Examples
The following command activates the IP Options defense on ports 5, 7,
and 10:
set dos ipoption port=5,7,10 state=enable