Manual
Table Of Contents
- Table of Contents
- List of Figures
- Preface
- Chapter 1
- Overview
- Section I
- Basic Operations
- Chapter 2
- Starting a Local or Telnet Management Session
- Chapter 3
- Enhanced Stacking
- Chapter 4
- Basic Switch Parameters
- When Does a Switch Need an IP Address?
- Configuring an IP Address and Switch Name
- Activating the BOOTP and DHCP Client Software
- Rebooting a Switch
- Configuring the Manager and Operator Passwords
- Setting the System Time
- Configuring the Console Startup Mode
- Configuring the Console Timer
- Enabling or Disabling the Telnet Server
- Setting the Baud Rate of the RS-232 Terminal Port
- Pinging a Remote System
- Returning the AT-S62 Software to the Factory Default Values
- Viewing System Hardware and Software Information
- Setting the Switch’s Temperature Threshold
- Chapter 5
- SNMPv1 and SNMPv2c Configuration
- Chapter 6
- Port Parameters
- Chapter 7
- MAC Address Table
- Chapter 8
- Port Trunking
- Chapter 9
- Port Mirroring
- Chapter 10
- Ethernet Statistics
- Section II
- Advanced Operations
- Chapter 11
- File System
- Chapter 12
- File Downloads and Uploads
- Chapter 13
- Event Log
- Chapter 14
- Quality of Service
- Chapter 15
- IGMP Snooping
- Chapter 16
- Denial of Service Defense
- Section III
- SNMPv3 Operations
- Chapter 17
- SNMPv3 Configuration
- SNMPv3 Overview
- Configuring the SNMPv3 Protocol
- Configuring the SNMPv3 User Table
- Configuring the SNMPv3 View Table
- Configuring the SNMPv3 Access Table
- Configuring the SNMPv3 SecurityToGroup Table
- Configuring the SNMPv3 Notify Table
- Configuring the SNMPv3 Target Address Table
- Configuring the SNMPv3 Target Parameters Table
- Configuring the SNMPv3 Community Table
- Displaying SNMPv3 Table Menus
- Displaying the Display SNMPv3 User Table Menu
- Displaying the Display SNMPv3 View Table Menu
- Displaying the Display SNMPv3 Access Table Menu
- Displaying the Display SNMPv3 SecurityToGroup Table Menu
- Displaying the Display SNMPv3 Notify Table Menu
- Displaying the Display SNMPv3 Target Address Table Menu
- Displaying the Display SNMPv3 Target Parameters Table Menu
- Displaying the Display SNMPv3 Community Table Menu
- Section IV
- Spanning Tree Protocols
- Chapter 18
- Spanning Tree and Rapid Spanning Tree Protocols
- Chapter 19
- Multiple Spanning Tree Protocol
- Section V
- Virtual LANs
- Chapter 20
- Tagged and Port-based Virtual LANs
- VLAN Overview
- Port-based VLAN Overview
- Tagged VLAN Overview
- Creating a Port-based or Tagged VLAN
- Example of Creating a Port-based VLAN
- Example of Creating a Tagged VLAN
- Modifying a VLAN
- Displaying VLANs
- Deleting a VLAN
- Deleting All VLANs
- Displaying PVIDs and Port Priorities
- Enabling or Disabling Ingress Filtering
- Specifying a Management VLAN
- Chapter 21
- GARP VLAN Registration Protocol
- Chapter 22
- Multiple VLAN Modes
- Section VI
- Port Security
- Section VII
- Management Security
- Chapter 25
- Web Server
- Chapter 26
- Encryption Keys
- Chapter 27
- Public Key Infrastructure Certificates
- Chapter 28
- Secure Shell (SSH) Protocol
- Chapter 29
- RADIUS and TACACS+ Authentication Protocols
- Chapter 30
- Management Access Control List
- Section VIII
- Web Browser Management
- Chapter 31
- Starting a Web Browser Management Session
- Chapter 32
- Enhanced Stacking
- Chapter 33
- Basic Switch Parameters
- Chapter 34
- SNMPv1 and SNMPv2c Community Strings
- Chapter 35
- Port Parameters
- Chapter 36
- MAC Address Table
- Chapter 37
- Port Trunking
- Chapter 38
- Port Mirroring
- Chapter 39
- File Downloads and Uploads
- Chapter 40
- Event Log
- Chapter 41
- Quality of Service
- Chapter 42
- IGMP Snooping
- Chapter 43
- Denial of Service Defense
- Chapter 44
- SNMPv3 Protocol
- Configuring the SNMPv3 Protocol
- Enabling the SNMP Protocol
- Configuring the SNMPv3 User Table
- Configuring the SNMPv3 View Table
- Configuring the SNMPv3 Access Table
- Configuring the SNMPv3 SecurityToGroup Table
- Configuring the SNMPv3 Notify Table
- Configuring the SNMPv3 Target Address Table
- Configuring the SNMPv3 Target Parameters Table
- Configuring the SNMPv3 Community Table
- Displaying SNMPv3 Tables
- Chapter 45
- STP, RSTP, and MSTP
- Chapter 46
- Virtual LANs
- Chapter 47
- GARP VLAN Registration Protocol
- Chapter 48
- MAC Address Security
- Chapter 49
- 802.1x Port-based Access Control
- Chapter 50
- Secure Shell Protocol
- Chapter 51
- Encryption Keys, PKI, and SSL
- Chapter 52
- RADIUS and TACACS+ Authentication Protocols
- Chapter 53
- Management Access Control List
- Appendix A
- AT-S62 Default Settings
- Basic Switch Default Settings
- Enhanced Stacking Default Setting
- SNMP Default Settings
- Port Configuration Default Settings
- Event Log Default Settings
- Quality of Service
- IGMP Snooping Default Settings
- Denial of Service Prevention Default Settings
- STP, RSTP, and MSTP Default Settings
- VLAN Default Settings
- GVRP Default Settings
- MAC Address Security Default Settings
- 802.1x Port-Based Network Access Control Default Settings
- Web Server Default Settings
- SSL Default Settings
- PKI Default Settings
- SSH Default Settings
- Server-Based Authentication Default Settings
- Management Access Control List Default Setting
- AT-S62 Default Settings
- Appendix B
- Index

Chapter 16: Denial of Service Defense
Section II: Advanced Operations 216
If one is found, the following occurs:
❑ The switch sends a SNMP trap to the management workstations.
❑ The switch port discards the fragment with the invalid offset and,
for a one minute period, discards all ingress fragmented IP traffic.
Because the CPU only samples the ingress IP traffic, this defense
mechanism may catch some, though not necessarily, all of this form of
attack.
Caution
This defense is extremely CPU intensive; use with caution.
Unrestricted use can cause a switch to halt operations should the
CPU become overwhelmed with IP traffic. To prevent this, Allied
Telesyn recommends activating this defense on only one switch
port at a time.
Ping of Death
Attack
The attacker sends an oversized, fragmented ICMP Echo (Ping) request
(greater than 65,535 bits) to the victim, which, if lacking a policy for
handling oversized packets, may freeze.
To defend against this form of attack, a switch port searches for the last
fragment of a fragmented ICMP Echo (Ping) request and examines its
offset to determine if the packet size is greater than 63,488 bits. If it is,
the fragment is forwarded to the switch’s CPU for final packet size
determination. If the switch determines that the packet is oversized, the
following occurs:
❑ The switch sends a SNMP trap to the management workstations.
❑ The switch port discards the fragment and, for one minute,
discards all fragmented ingress ICMP Echo (Ping) requests.
Note
This defense mechanism requires some involvement by the switch’s
CPU, though not as much as the Teardrop defense. This will not
impact the forwarding of traffic between the switch ports, but it can
affect the handling of CPU events, such as the processing of IGMP
packets and spanning tree BPDUs. For this reason, Allied Telesyn
recommends limiting the use of this defense, activating it only on
those ports where an attack is most likely to originate.
Also note that an attacker can circumvent the defense by sending a
stream of ICMP Echo (Ping) requests with a size of 63,488 to 65,534 bits.
A large number of requests could overwhelm the switch’s CPU.