1 dos-control all, 1 no dos-control all, 2 dos-control sipdip – Kontron AT8404 CLI User Manual

AT8404
Switching Commands
AT8404 CLI Reference Manual
• First Fragment: TCP Header size smaller than configured value.
• TCP Fragment: IP Fragment Offset = 1.
• TCP Flag: TCP Flag SYN set and Source Port < 1024, or TCP Control Flags = 0 and TCP Sequence Number = 0, or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0, or TCP Flags SYN and FIN set.
• L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
• ICMP: Limiting the size of ICMP Ping packets.
2.25.1 dos-control all
This command enables Denial of Service protection checks globally.
Default  disabled
Format   dos-control all
Mode     Global Config

2.25.1.1 no dos-control all
This command disables Denial of Service prevention checks globally.
Format   no dos-control all
Mode     Global Config

2.25.2 dos-control sipdip
This command enables Source IP address = Destination IP address (SIP=DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack: packets that ingress with SIP=DIP are dropped.
Default  disabled
Format   dos-control sipdip
Mode     Global Config

2.25.2.1 no dos-control sipdip
This command disables Source IP address = Destination IP address (SIP=DIP) Denial of Service prevention.
Format   no dos-control sipdip
Mode     Global Config

2.25.3 dos-control firstfrag
This command enables Minimum TCP Header Size Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack: packets that ingress with a TCP Header Size smaller than the configured value are dropped. The default is disabled. If you enable dos-control firstfrag, but do not provide a Minimum TCP Header Size, the system sets that value to 20.
Default  disabled <20>
Format   dos-control firstfrag [<0-255>]
Mode     Global Config
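
The checks listed at the top of this section, together with the SIP=DIP and minimum TCP header size tests, written out as an added Python example (not code from the manual or from the switch firmware) so that the grouping of the TCP Flag clauses is explicit. Reading that bullet as four OR'd clauses, the 512-byte ICMP limit, measuring ICMP size as IP payload length, and the names dos_checks, ipv4 and tcp are assumptions.

```python
import socket
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20

def dos_checks(pkt, min_tcp_hdr=20, max_icmp=512):
    """Names of the checks listed above that one raw IPv4 packet would trip.
    max_icmp=512 and measuring ICMP size as IP payload length are assumptions."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _, frag = struct.unpack_from("!HHH", pkt, 2)
    frag_off, proto, l4 = frag & 0x1FFF, pkt[9], pkt[ihl:]
    hits = []
    if pkt[12:16] == pkt[16:20]:
        hits.append("SIP=DIP")
    if proto == 6 and frag_off == 1:
        hits.append("TCP Fragment")
    if frag_off != 0:
        return hits  # non-first fragments do not start with an L4 header
    if proto in (6, 17) and len(l4) >= 4:  # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", l4)
        if sport == dport:
            hits.append("L4 Port")
    if proto == 6 and len(l4) >= 14:
        sport, _, seq, _, off_flags = struct.unpack_from("!HHIIH", l4)
        flags = off_flags & 0x3F  # URG, ACK, PSH, RST, SYN, FIN
        if (off_flags >> 12) * 4 < min_tcp_hdr:  # data offset is in 32-bit words
            hits.append("First Fragment")
        if ((flags & SYN and sport < 1024)
                or (flags == 0 and seq == 0)
                or (flags & (FIN | URG | PSH) == (FIN | URG | PSH) and seq == 0)
                or flags & (SYN | FIN) == (SYN | FIN)):
            hits.append("TCP Flag")
    if proto == 1 and l4[:1] == b"\x08" and total_len - ihl > max_icmp:  # echo request
        hits.append("ICMP")
    return hits

def ipv4(src, dst, proto, l4, frag_off=0):
    """Constructed sample packet; checksum left at 0, the checks do not read it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_off, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + l4

def tcp(sport, dport, seq, flags, doff=5):
    """Constructed 20-byte TCP header; doff is the data offset in 32-bit words."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (doff << 12) | flags, 1024, 0, 0)

if __name__ == "__main__":
    land = ipv4("192.0.2.9", "192.0.2.9", 6, tcp(80, 80, 7, SYN))
    print(dos_checks(land))
```

As the first TCP Flag clause is written, any SYN from a source port below 1024 matches, so traffic from clients that use such source ports should be reviewed before the checks are enabled globally.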