2.6 Security Feature Configuration, 2.6.1 Security Feature Introduction, 2.6.2 Security Feature Configuration – Accton Technology ES4626 User Manual
2.6 Security Feature Configuration
2.6.1 Security Feature Introduction
Before introducing the security features, we first introduce DoS. DoS is
short for Denial of Service, a simple but effective destructive attack on the
internet. A server under DoS attack drops normal user data packets because it is
continuously processing the attacker's data packets, which leads to denial of
service and, in worse cases, can lead to leakage of the server's sensitive data.
Security features are applications, such as protocol check, that protect
the server from attacks such as DoS. The protocol check allows the user to drop matched
packets based on specified conditions. The security features provide several simple and
effective protections against DoS attacks without affecting the line-speed
forwarding performance of the switch.
2.6.2 Security Feature Configuration
2.6.2.1 Prevent IP Spoofing Function Configuration Task Sequence
1. Enable the IP spoofing prevention function.

Command | Explanation
Global Mode |
dosattack-check srcip-equal-dstip enable | Enable the function of checking whether the IP source address is the same as the destination address
2.6.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
1. Enable the anti TCP unauthorized label attack function.
2. Enable the IPv4 fragment checking function.

Command | Explanation
Global Mode |
dosattack-check tcp-flags enable | Enable the TCP label checking function
dosattack-check ipv4-first-fragment enable | Enable checking of IPv4 fragments. This command has no effect when used on its own, but if this function is not enabled, the switch will not drop the IPv4 fragment packet containing unauthorized TCP labels
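
The following Python sketch is an added example, not code from the manual or the switch firmware. It models how the three dosattack-check options described above interact when deciding whether to drop a packet. The manual page does not list which TCP flag combinations count as unauthorized, so SYN+FIN and "no flags set" are assumed here; the function names and the sample packets are also constructed for illustration.

```python
import struct

# Assumption: the page does not say which TCP flag combinations are treated as
# unauthorized; SYN+FIN together and "no flags set" are used for this model.
FIN, SYN = 0x01, 0x02

def check_packet(pkt, srcip_equal_dstip=True, tcp_flags=True,
                 ipv4_first_fragment=False):
    """Return 'drop:<check>' or 'forward' for a raw IPv4 packet (bytes)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "forward"                      # not IPv4: outside this model
    ihl = (pkt[0] & 0x0F) * 4                 # IPv4 header length in bytes
    frag = struct.unpack("!H", pkt[6:8])[0]
    more_fragments, frag_offset = bool(frag & 0x2000), frag & 0x1FFF
    if srcip_equal_dstip and pkt[12:16] == pkt[16:20]:
        return "drop:srcip-equal-dstip"
    if not tcp_flags or pkt[9] != 6 or frag_offset != 0:
        return "forward"                      # check off, not TCP, or no TCP header here
    if more_fragments and not ipv4_first_fragment:
        return "forward"                      # first fragment is not inspected
    if ihl < 20 or len(pkt) < ihl + 14:
        return "forward"                      # too short to hold the flags byte
    flags = pkt[ihl + 13] & 0x3F
    if flags == 0 or (flags & SYN and flags & FIN):
        return "drop:tcp-flags"
    return "forward"

def build(src, dst, flags, mf=False):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x2000 if mf else 0,
                     64, 6, 0, bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip + tcp

A, B = (192, 0, 2, 10), (198, 51, 100, 5)     # documentation address ranges

if __name__ == "__main__":
    print(check_packet(build(A, A, SYN)))
    print(check_packet(build(A, B, SYN | FIN)))
    print(check_packet(build(A, B, SYN | FIN, mf=True)))
    print(check_packet(build(A, B, SYN | FIN, mf=True), ipv4_first_fragment=True))
```

The third and fourth calls show the dependency noted in the table: a first fragment with assumed-unauthorized flags is only dropped when the fragment check is enabled together with the TCP label check.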