Users Guide
Security Commands 1141
– TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0
and
– TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set
and
– TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
• TCP Offset:
– Checks for TCP header offset =1.
• TCP SYN:
– TCP Flag SYN set.
• TCP SYN & FIN:
– TCP Flags SYN and FIN set.
• TCP FIN & URG & PSH:
– TCP Flags FIN and URG and PSH set and TCP Sequence Number =
0.
• ICMP V6:
– Limiting the size of ICMPv6 Ping packets.
• ICMP Fragment:
– Checks for fragmented ICMP packets.
dos-control firstfrag
Use the dos-control firstfrag command in Global Configuration mode to
enable Minimum TCP Header Size Denial of Service protection. If the mode
is enabled, Denial of Service prevention is active for this type of attack. If
packets ingress having a TCP Header Size smaller than the configured value,
the packets are dropped.
Syntax
dos-control firstfrag [size]
no dos-control firstfrag
• size —TCP header size. (Range: 0-255). The default TCP header size is 20.
ICMP packet size is 512.