
4 dosattack-check srcport-equal-dstport enable, 5 dosattack-check tcp-fragment enable, 6 dosattack-check tcp-segment – PLANET XGS3-24040 User Manual

Page 777: dosattack-check srcport-equal-dstport enable, dosattack-check tcp-fragment enable, dosattack-check tcp-segment


are all 0 while its serial No. = 0; FIN=1, URG=1, PSH=1 and the TCP serial No. = 0; SYN=1 and FIN=1. This function can be used together with the “dosattack-check ipv4-first-fragment enable” command.

Example: Drop one or more types of above four packet types.

Switch(config)# dosattack-check tcp-flags enable

45.4 dosattack-check srcport-equal-dstport enable

Command: dosattack-check srcport-equal-dstport enable

Function: Enable the function by which the switch checks whether the source port is equal to the destination port; the "no" form of this command disables this function.

Parameter: None

Default: The function by which the switch checks whether the source port is equal to the destination port is disabled.

Command Mode: Global Mode

Usage Guide: With this function enabled, the switch drops TCP and UDP data packets whose destination port is equal to the source port. This function can be used together with the “dosattack-check ipv4-first-fragment enable” function to block IPv4 fragment TCP and UDP data packets whose destination port is equal to the source port.

Example: Drop non-fragment TCP and UDP data packets whose destination port is equal to the source port.

Switch(config)# dosattack-check srcport-equal-dstport enable

45.5 dosattack-check tcp-fragment enable

Command: [no] dosattack-check tcp-fragment enable

Function: Enable the function by which the switch detects TCP fragment attacks; the “no” form of this command disables this function.

Parameter: None

Default: This function is not enabled on the switch by default.

Command Mode: Global Mode

Usage Guide: With this function enabled, the switch is protected from TCP fragment attacks: it drops data packets whose TCP fragment offset value is 1 or whose TCP header is shorter than the specified value. Use the “dosattack-check tcp-header” command to specify the length.

Example: Enable the TCP fragment attack checking function.

Switch(config)# dosattack-check tcp-fragment enable
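A software model of the drop decisions described in 45.4 and 45.5, run over constructed IPv4 packets; it is an added illustration, not code from the PLANET manual or the switch firmware. The names `classify`, `build_ipv4`, `min_tcp_header` and `first_fragment_check` are hypothetical, and treating "TCP header shorter than the specified value" as "fewer TCP bytes than the configured length at fragment offset 0" is an assumption.

```python
import struct

TCP, UDP = 6, 17

def build_ipv4(proto, sport, dport, frag_offset=0, more_frags=False, l4_len=20):
    """Constructed sample packet: 20-byte IPv4 header plus l4_len bytes of L4 data."""
    l4 = struct.pack("!HH", sport, dport).ljust(l4_len, b"\x00")[:l4_len]
    flags_frag = (0x2000 if more_frags else 0) | frag_offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, flags_frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + l4

def classify(pkt, min_tcp_header=20, first_fragment_check=False):
    """Return the name of the check that would drop pkt, or 'forward'."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    offset = flags_frag & 0x1FFF           # fragment offset, in 8-byte units
    more_frags = bool(flags_frag & 0x2000)
    l4 = pkt[ihl:total_len]
    if proto == TCP:
        # tcp-fragment: offset value 1, or too little TCP header at offset 0
        # (assumed reading of "shorter than the specified value").
        if offset == 1 or (offset == 0 and len(l4) < min_tcp_header):
            return "tcp-fragment"
    if proto in (TCP, UDP) and offset == 0 and len(l4) >= 4:
        # Ports are only present at offset 0. Without the ipv4-first-fragment
        # option, only non-fragment packets are inspected.
        if not more_frags or first_fragment_check:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport == dport:
                return "srcport-equal-dstport"
    return "forward"

if __name__ == "__main__":
    print(classify(build_ipv4(UDP, 7, 7, l4_len=8)))
    print(classify(build_ipv4(TCP, 40000, 443, frag_offset=1, l4_len=12)))
    print(classify(build_ipv4(TCP, 40000, 443)))
```
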

45.6 dosattack-check tcp-segment

Command: dosattack-check tcp-segment <20-255>

Function: Configure the minimum TCP segment length permitted by the switch.

Parameter: <20-255> is the minimum TCP segment length permitted by the switch.