4 dos-control tcpflag, 5 dos-control l4port, 6 dos-control icmp – Kontron AT8902 Full Size CLI User Manual
AT8901/2/3 CLI Reference Manual
2.18.4 dos-control tcpflag
This command enables TCP Flag Denial of Service protections. If the mode is enabled,
Denial of Service prevention is active for this type of attack, and ingress packets
matching any of the following conditions are dropped:
- TCP Flag SYN set and a source port less than 1024
- TCP Control Flags set to 0 and TCP Sequence Number set to 0
- TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0
- TCP Flags SYN and FIN both set
Default
disabled
Format
dos-control tcpflag
Mode
Global Config
2.18.4.1 no dos-control tcpflag
This command disables TCP Flag Denial of Service protections.
Format
no dos-control tcpflag
Mode
Global Config
2.18.5 dos-control l4port
This command enables L4 Port Denial of Service protections. If the mode is enabled,
Denial of Service prevention is active for this type of attack, and ingress packets
whose Source TCP/UDP Port Number equals their Destination TCP/UDP Port Number are
dropped.
NOTE: Some applications mirror source and destination L4 ports; RIP, for
example, uses 520 for both. If you enable dos-control l4port, applications
such as RIP may experience packet loss, which would render the
application inoperable.
Default
disabled
Format
dos-control l4port
Mode
Global Config
2.18.5.1 no dos-control l4port
This command disables L4 Port Denial of Service protections.
Format
no dos-control l4port
Mode
Global Config
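The drop conditions for dos-control tcpflag and dos-control l4port described above can be modelled offline to see which traffic would be affected before the modes are enabled, including the RIP case from the NOTE. This is an added example, not code from the manual or the switch firmware; the packet field names and the sample packets are assumptions constructed for illustration.

```python
# Added illustration: models the drop rules as worded in the manual text.
# Field names (proto, sport, dport, flags, seq) are assumptions of this sketch.
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
FIN_URG_PSH = FIN | URG | PSH

def tcpflag_reason(pkt):
    """Return the 'dos-control tcpflag' condition a packet matches, or None."""
    if pkt["proto"] != "tcp":
        return None
    flags, seq = pkt["flags"], pkt["seq"]
    if flags & SYN and flags & FIN:
        return "SYN and FIN both set"
    if flags & SYN and pkt["sport"] < 1024:
        return "SYN with source port < 1024"
    if flags == 0 and seq == 0:
        return "control flags 0 and sequence number 0"
    # Assumption: "FIN, URG, and PSH set" is read as "at least these three bits".
    if (flags & FIN_URG_PSH) == FIN_URG_PSH and seq == 0:
        return "FIN, URG, PSH set and sequence number 0"
    return None

def l4port_reason(pkt):
    """Return the 'dos-control l4port' condition a packet matches, or None."""
    if pkt["proto"] in ("tcp", "udp") and pkt["sport"] == pkt["dport"]:
        return "source port equals destination port"
    return None

def audit(packets, tcpflag=True, l4port=True):
    """List (label, reason) for every packet the enabled modes would drop."""
    dropped = []
    for pkt in packets:
        reason = (tcpflag and tcpflag_reason(pkt)) or (l4port and l4port_reason(pkt))
        if reason:
            dropped.append((pkt["label"], reason))
    return dropped

# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    {"label": "client SYN", "proto": "tcp", "sport": 49152, "dport": 443, "flags": SYN, "seq": 1000},
    {"label": "SYN from port 1023", "proto": "tcp", "sport": 1023, "dport": 514, "flags": SYN, "seq": 77},
    {"label": "null segment", "proto": "tcp", "sport": 40000, "dport": 80, "flags": 0, "seq": 0},
    {"label": "FIN/URG/PSH segment", "proto": "tcp", "sport": 40001, "dport": 80, "flags": FIN_URG_PSH, "seq": 0},
    {"label": "SYN+FIN segment", "proto": "tcp", "sport": 40002, "dport": 80, "flags": SYN | FIN, "seq": 5},
    {"label": "RIP update", "proto": "udp", "sport": 520, "dport": 520},
]

if __name__ == "__main__":
    for label, reason in audit(SAMPLE):
        print(f"{label}: dropped ({reason})")
```

Running the audit over a sample of production flows with only l4port enabled shows which mirrored-port applications, such as RIP, would lose traffic.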
2.18.6 dos-control icmp
This command enables Maximum ICMP Packet Size Denial of Service protections. If
the mode is enabled, Denial of Service prevention is active for this type of attack,
and ingress ICMP Echo Request (PING) packets with a size greater than the configured
value are dropped.
Default
disabled <512>
Format
dos-control icmp <0-1023>