Reference Guide

Denial of Service Commands
Note: Denial of Service (DataPlane) is supported on XGS-III and later platforms only.
This section describes the commands used to configure Denial of Service (DoS) Control. 200 Series
software provides support for classifying and blocking specific types of Denial of Service attacks. You
can configure your system to monitor and block these types of attacks:
SIP = DIP: Source IP address = Destination IP address
First Fragment: TCP Header size smaller than configured value
TCP Fragment: Allows the device to drop packets that have a TCP payload where the IP payload length minus the IP header size is less than the minimum allowed TCP header size
TCP Flag: TCP Flag SYN set and Source Port < 1024, or TCP Control Flags = 0 and TCP Sequence Number = 0, or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0, or TCP Flags SYN and FIN set
L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port
ICMP: Limiting the size of ICMP (Internet Control Message Protocol) Ping packets
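The attack types listed above, written out as a classifier over raw IPv4 packets so the conditions can be tested against sample traffic. This is an added example, not Extreme Networks code or the switch's implementation; the function names, the `min_tcp_hdr` and `max_icmp` defaults, the 20-byte TCP minimum, measuring ICMP size as the whole ICMP message, and the sample packets are assumptions constructed for illustration.

```python
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20   # TCP control-flag bits

def dos_checks(pkt, min_tcp_hdr=20, max_icmp=512):
    """Return the attack-type names that a raw IPv4 packet would trip.
    min_tcp_hdr and max_icmp stand in for the configured values (assumed)."""
    hits = []
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    total_len, = struct.unpack("!H", pkt[2:4])
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto, l4 = pkt[9], pkt[ihl:total_len]
    if pkt[12:16] == pkt[16:20]:
        hits.append("SIP = DIP")
    if frag_off:                                   # later fragments carry no L4 header
        return hits
    if proto in (6, 17) and len(l4) >= 4:          # TCP or UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == dport:
            hits.append("L4 Port")
    if proto == 6 and len(l4) < 20:                # too short to hold a TCP header
        hits.append("TCP Fragment")
    elif proto == 6:
        seq, = struct.unpack("!I", l4[4:8])
        flags = l4[13] & 0x3F
        if (l4[12] >> 4) * 4 < min_tcp_hdr:        # TCP data offset field
            hits.append("First Fragment")
        if ((flags & SYN and sport < 1024)
                or (flags == 0 and seq == 0)
                or ((flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and seq == 0)
                or (flags & (SYN | FIN)) == (SYN | FIN)):
            hits.append("TCP Flag")
    if proto == 1 and l4[:1] == b"\x08" and len(l4) > max_icmp:   # echo request
        hits.append("ICMP")
    return hits

def ipv4(src, dst, proto, l4, frag_off=0):
    """Build a constructed IPv4 packet (checksum left at 0) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, frag_off,
                      64, proto, 0, bytes(src), bytes(dst))
    return hdr + l4

def tcp(sport, dport, seq, flags, off=5):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, off << 4, flags, 8192, 0, 0)

# Constructed samples (documentation addresses), not captured traffic
LAND = ipv4((192, 0, 2, 1), (192, 0, 2, 1), 6, tcp(80, 80, 1, SYN))
NORMAL = ipv4((192, 0, 2, 1), (192, 0, 2, 9), 6, tcp(40000, 443, 7, SYN))
XMAS = ipv4((192, 0, 2, 1), (192, 0, 2, 9), 6, tcp(40000, 443, 0, FIN | URG | PSH))
```

Running `dos_checks` over a packet capture before enabling the checks shows which legitimate flows would be dropped, for example services that open connections from a source port below 1024.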
dos-control all
This command enables Denial of Service protection checks globally.
Default Disabled
Format dos-control all
Mode Global Config
no dos-control all
This command disables Denial of Service prevention checks globally.
Format no dos-control all
Mode Global Config
dos-control sipdip
This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service
protection. If the mode is enabled, Denial of Service prevention is active for this type of attack:
packets that ingress with SIP = DIP are dropped.
Default Disabled
Format dos-control sipdip
Mode Global Config
Switching Commands
ExtremeSwitching 200 Series: Command Reference Guide for version 01.02.04.0007 474