Use the Denial of Service (DoS) page to configure DoS control. 200 Series software provides support for classifying and blocking specific types of DoS attacks. You can configure your system to monitor and block these types of attacks:
To access this page, click
in the navigation menu.Field | Description |
---|---|
TCP Settings | |
First Fragment | Enable this option to allow the device to drop packets that have a TCP header smaller than the value configured in the Min TCP Hdr Size field. |
TCP Port | Enable this option to allow the device to drop packets that have the TCP source port equal to the TCP destination port. |
UDP Port | Enable this option to allow the device to drop packets that have the UDP source port equal to the UDP destination port. |
SIP=DIP | Enable this option to allow the device to drop packets that have a source IP address equal to the destination IP address. |
SMAC=DMAC | Enable this option to allow the device to drop packets that have a source MAC address equal to the destination MAC address. |
TCP FIN and URG and PSH | Enable this option to allow the device to drop packets that have TCP Flags FIN, URG, and PSH set and a TCP Sequence Number equal to 0. |
TCP Flag and Sequence | Enable this option to allow the device to drop packets that have TCP control flags set to 0 and the TCP sequence number set to 0. |
TCP SYN | Enable this option to allow the device to drop packets that have TCP Flags SYN set. |
TCP SYN and FIN | Enable this option to allow the device to drop packets that have TCP Flags SYN and FIN set. |
TCP Fragment | Enable this option to allow the device to drop packets that have a TCP payload where the IP payload length minus the IP header size is less than the minimum allowed TCP header size. |
TCP Offset | Enable this option to allow the device to drop packets that have a TCP header Offset set to 1. |
Port D-Disable | Enable this option to allow the system to diagnostically disable an interface if a potential DoS attack has been detected on that interface. If an interface is diagnostically disabled, it remains in the disabled state until an administrator manually enables the interface. |
Min TCP Hdr Size | The minimum TCP header size allowed. If First Fragment DoS prevention is enabled, the device will drop packets that have a TCP header smaller than this configured value. |
ICMP Settings: These options help prevent the device and the network from attacks that involve issues with the ICMP echo request packets (pings) that the device receives. | |
ICMP | Enable this option to allow the device to drop ICMP packets that have a type set to ECHO_REQ (ping) and a payload size greater than the ICMP payload size configured in the Max ICMPv4 Size or Max ICMPv6 Size fields. |
ICMP Fragment | Enable this option to allow the device to drop fragmented ICMP packets. |
Max ICMPv4 Size | The maximum allowed ICMPv4 packet size. If ICMP DoS prevention is enabled, the device will drop ICMPv4 ping packets that have a size greater then this configured maximum ICMPv4 packet size. |
Max ICMPv6 Size | The maximum allowed IPv6 ICMP packet size. If ICMP DoS prevention is enabled, the switch will drop IPv6 ICMP ping packets that have a size greater than this configured maximum ICMPv6 packet size. |
If you change any of the parameters, click Submit to apply the changes to the system. If you want the switch to retain the new values across a power cycle, you must save the configuration.