hostdos

Use this command to configure Host DoS on this device.

Syntax

hostdos {mitigation-type | enable | icmp-maxlength icmp-maxlength} [rate count [per-second | per-minute | per-hour | per-day]] [nolog]
no hostdos [mitigation-type] [enable | disable]

Parameters

mitigation-type Specifies an attack type to be mitigated. Valid values are:
  • arpNd – Excessive ARP or ND packets from a single host
  • spoof – Source interface is not this router interface
  • xmasTree – Inappropriate TCP flags
  • icmpFrag – ICMP with fragments specified
  • icmpFlood – ICMP rate
  • icmpSize – ICMP packet size
    • [maxlength maxlength] – Maximum ICMP frame size
  • badSip – SIP equals multicast or broadcast
  • lanD – DIP equals SIP
  • smurf – ICMP echo to directed broadcast
  • fraggle – UDP echo to directed broadcast
  • synFlood – SYN rate
  • portScan – Detect TCP/UDP Port Probes
  • tearDrop – Detect invalid overlapping IP fragments
enable Globally enables Host DoS on this device. Default: enabled.
icmp-maxlength icmp-maxlength Sets the maximum length for ICMP packets. Default: 1024.
rate count per-second | per-minute | per-hour | per-day (Optional) Specifies the rate at which events will be acted upon (such as the frame being discarded). count specifies the number of events allowed per specified time period. Host DoS will act upon any events in excess of the count for the specified time period. Valid values: 0-4294967294. Default: 0. Default rate interval: per-second.
nolog (Optional) Specifies that logging should be disabled for the specified threat.

Defaults

  • If an event rate is not specified, all events are acted upon.
  • If the ICMP maxlength is not set, the ICMP maxlength is set to 1024.

Mode

Configuration command, Global configuration.

Usage

A rate count of 0 indicates that all frames that match the enabled threat will be discarded.

The icmp-maxlength parameter sets the ICMP maximum frame size. Default value: 1024.

Host DoS must be enabled globally for any enabled threat to be mitigated. Threats are enabled separately.

Logging for all threats is enabled by default. A threat is logged each time it is acted upon (the frame is discarded). Use the nolog option to disable logging for the specified threat. To re-enable logging for a specific mitigation type, use the no hostdos mitigation-type command to reset the mitigation type to its default values (which include logging enabled). You must then re-enable the threat if you wish to resume monitoring it.

Example

This example shows how to:

  • Globally enable Host DoS on this device
  • Enable the spoof mitigation type with a rate of 5 per-minute
  • Enable the xmasTree mitigation type and disable logging for this threat
    System(rw-config)->hostdos enable
    System(rw-config)->hostDoS spoof rate 5 per-minute
    System(rw-config)->hostdos xmasTree nolog
    System(rw-config)->show hostDoS
    hostDoS is globally enabled
     badSIP     is disabled, logging is enabled, rate is   0 per-second
     fraggle    is disabled, logging is enabled, rate is   0 per-second
     icmpFlood  is disabled, logging is enabled, rate is   0 per-second
     icmpFrag   is disabled, logging is enabled, rate is   0 per-second
     icmpSize   is disabled, logging is enabled, rate is   0 per-second
     icmpSize   max-length is 1024
     lanD       is disabled, logging is enabled, rate is   0 per-second
     portScan   is disabled, logging is enabled, rate is   0 per-second
     smurf      is disabled, logging is enabled, rate is   0 per-second
     spoof      is enabled, logging is enabled, rate is   5 per-minute
     synFlood   is disabled, logging is enabled, rate is   0 per-second
     xmasTree   is enabled, logging is disabled, rate is   0 per-second
    System(rw-config)->
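The following is an added example, not part of this reference page or the vendor's software: a small Python parser for the show hostDoS output format shown above, plus an audit function that flags a globally disabled Host DoS, required threats that are not enabled, and threats whose logging has been turned off with nolog. The embedded sample output is copied from the example above; the list of required threats is an assumption chosen for illustration.

```python
import re

# "show hostDoS" output copied from the example on this page (sample input).
SHOW_HOSTDOS = """\
hostDoS is globally enabled
 badSIP     is disabled, logging is enabled, rate is   0 per-second
 fraggle    is disabled, logging is enabled, rate is   0 per-second
 icmpFlood  is disabled, logging is enabled, rate is   0 per-second
 icmpFrag   is disabled, logging is enabled, rate is   0 per-second
 icmpSize   is disabled, logging is enabled, rate is   0 per-second
 icmpSize   max-length is 1024
 lanD       is disabled, logging is enabled, rate is   0 per-second
 portScan   is disabled, logging is enabled, rate is   0 per-second
 smurf      is disabled, logging is enabled, rate is   0 per-second
 spoof      is enabled, logging is enabled, rate is   5 per-minute
 synFlood   is disabled, logging is enabled, rate is   0 per-second
 xmasTree   is enabled, logging is disabled, rate is   0 per-second
"""

THREAT_RE = re.compile(r"^\s*(\w+)\s+is (enabled|disabled), logging is (enabled|disabled),"
                       r" rate is\s+(\d+) (per-\w+)\s*$")
MAXLEN_RE = re.compile(r"^\s*icmpSize\s+max-length is (\d+)\s*$")

def parse_show_hostdos(text):
    """Return {"global": bool, "icmp_maxlength": int|None, "threats": {name: {...}}}."""
    cfg = {"global": None, "icmp_maxlength": None, "threats": {}}
    for line in text.splitlines():
        if line.startswith("hostDoS is globally"):
            cfg["global"] = line.split()[-1] == "enabled"  # last word is enabled/disabled
        elif (m := MAXLEN_RE.match(line)):
            cfg["icmp_maxlength"] = int(m.group(1))
        elif (m := THREAT_RE.match(line)):
            name, en, log, count, interval = m.groups()
            cfg["threats"][name] = {"enabled": en == "enabled", "logging": log == "enabled",
                                    "rate": int(count), "interval": interval}
    return cfg

def audit(text, required=("spoof", "xmasTree", "synFlood")):
    """Findings a config reviewer would raise; 'required' is an assumed policy list."""
    cfg = parse_show_hostdos(text)
    findings = []
    if not cfg["global"]:
        findings.append("hostdos: globally disabled, no threat is mitigated")
    for name in required:
        t = cfg["threats"].get(name)
        if t is None or not t["enabled"]:
            findings.append(f"{name}: not enabled")
        elif not t["logging"]:
            findings.append(f"{name}: logging disabled, discards leave no record")
    return findings
```

Run against the sample above, audit() reports that xmasTree discards are unlogged and that synFlood is not enabled, which is exactly what the example configuration leaves in place.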