The Host DoS feature protects the router itself against a set of well-known denial-of-service (DoS) attack types. The Default Security Parameters table below lists the configurable Host DoS mitigation types, what each one detects, and the action taken.
Threat | Description | Action |
---|---|---|
Excessive ARP or ND | Reception of an excessive number of ARP or IPv6 Neighbor Discovery (ND) frames from a single host. | Frames are discarded. |
Bad SIP | Frames whose source IP address is a multicast or broadcast address. | Frames are discarded. |
Spoof | Frames whose source IP address is the same as one of this router's interface addresses. | Frames are discarded. |
Christmas Tree | Frames with an invalid TCP flag combination. | Frames with SYN+FIN or SYN+RST set are discarded. |
Fragmented ICMP | ICMP packets that arrive as IP fragments. | All fragmented ICMP packets are discarded. |
ICMP Flood | An excessive number of ICMP packets received. | Receipt of ICMP packets is rate-limited to a user-configurable number of packets per second; packets beyond the limit are discarded. |
Large ICMP | ICMP packets that exceed the configured maximum ICMP length. | ICMP packets exceeding the configured maximum ICMP length are discarded. |
Multicast/Broadcast Source address | Packets with a multicast or broadcast source IP address. | Packets with a multicast or broadcast source IP address are discarded. |
LAND | Packets whose destination IP address is equal to their source IP address. | Packets whose destination IP address is equal to their source IP address are discarded. |
Smurf | ICMP packets sent to a directed-broadcast address, which an attacker uses to amplify replies toward a spoofed source. | ICMP directed-broadcast packets are discarded. |
Fraggle Attack | UDP packets sent to a directed-broadcast address (the UDP variant of Smurf). | UDP directed-broadcast packets are discarded. |
SYN Flood | TCP connection attempts that exceed the configured maximum number of connections or the maximum connection-establishment rate, tracked per source IP address or regardless of source. | Packets beyond the configured limits are discarded. |
Port Scan | Connection attempts that exceed the configured maximum number and maximum establishment rate. | Packets beyond the configured limits are discarded. |
Tear Drop | A fragmented packet that contains a bad (overlapping or out-of-range) fragment offset. | All packets containing a bad offset are discarded. |
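The per-packet checks in the table, modelled as an added example that is not taken from the device's documentation or firmware: a Python classifier that tags constructed packets with the Host DoS threats they match, a token bucket for the ICMP Flood rate limit, and a per-host counter for Excessive ARP or ND. The packet representation, the limit values (`ICMP_MAX_LENGTH`, `ICMP_PPS_LIMIT`, `ARP_PER_HOST_LIMIT`), the router addresses and the sample traffic are all assumptions made here for illustration; the page does not show how the device implements these checks or what its parameter names are.

```python
"""Host DoS checks from the table above, modelled in Python (constructed example)."""
import ipaddress
from collections import defaultdict

# Assumed limits, standing in for the device's configurable parameters.
ICMP_MAX_LENGTH = 1024      # bytes; plays the role of the icmp-maxlength option
ICMP_PPS_LIMIT = 100        # ICMP packets per second for the ICMP Flood check
ARP_PER_HOST_LIMIT = 50     # ARP/ND frames per host per window (Excessive ARP or ND)

TCP_FIN, TCP_SYN, TCP_RST = 0x01, 0x02, 0x04   # TCP flag bits


def is_mcast_or_bcast(ip):
    """True for multicast (224/4, ff00::/8) or the limited-broadcast address."""
    a = ipaddress.ip_address(ip)
    return a.is_multicast or str(a) == "255.255.255.255"


def classify(pkt, iface_addrs, directed_bcasts):
    """Return the Host DoS threats a packet matches (empty list means pass).

    pkt: dict with src, dst, proto ('tcp'|'udp'|'icmp'); TCP packets carry
         'flags'; ICMP packets carry 'length' (bytes) and 'fragmented'.
    iface_addrs: this router's own interface addresses (Spoof check).
    directed_bcasts: directed-broadcast addresses of attached subnets
                     (Smurf and Fraggle checks).
    """
    hits = []
    src, dst, proto = pkt["src"], pkt["dst"], pkt["proto"]
    if is_mcast_or_bcast(src):
        hits.append("Bad SIP")  # same condition as Multicast/Broadcast Source address
    if src in iface_addrs:
        hits.append("Spoof")
    if src == dst:
        hits.append("LAND")
    if proto == "tcp":
        flags = pkt.get("flags", 0)
        if flags & TCP_SYN and flags & (TCP_FIN | TCP_RST):
            hits.append("Christmas Tree")  # SYN+FIN or SYN+RST
    elif proto == "icmp":
        if pkt.get("fragmented", False):
            hits.append("Fragmented ICMP")
        if pkt.get("length", 0) > ICMP_MAX_LENGTH:
            hits.append("Large ICMP")
        if dst in directed_bcasts:
            hits.append("Smurf")
    elif proto == "udp" and dst in directed_bcasts:
        hits.append("Fraggle")
    return hits


class IcmpRateLimiter:
    """Token bucket for the ICMP Flood limit: at most `pps` packets per second.

    Timestamps (seconds) are passed in explicitly so behaviour is deterministic.
    """

    def __init__(self, pps=ICMP_PPS_LIMIT):
        self.pps = pps
        self.tokens = float(pps)
        self.last = None

    def allow(self, ts):
        if self.last is not None:
            elapsed = max(0.0, ts - self.last)
            self.tokens = min(self.pps, self.tokens + elapsed * self.pps)
        self.last = ts
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # over the limit: the packet is discarded


def excessive_arp_hosts(frames, limit=ARP_PER_HOST_LIMIT):
    """Excessive ARP or ND: source MACs that sent more than `limit` ARP/ND frames."""
    counts = defaultdict(int)
    for fr in frames:
        if fr["type"] in ("arp", "nd"):
            counts[fr["src_mac"]] += 1
    return {mac for mac, n in counts.items() if n > limit}


# Constructed sample traffic against an assumed router interface 10.0.0.1/24.
ROUTER_ADDRS = {"10.0.0.1"}
DIRECTED_BCASTS = {"10.0.0.255"}
SAMPLE_PACKETS = [
    {"src": "10.0.0.7", "dst": "10.0.0.7", "proto": "tcp", "flags": TCP_SYN | TCP_FIN},
    {"src": "224.0.0.9", "dst": "10.0.0.1", "proto": "udp"},
    {"src": "10.0.0.1", "dst": "10.0.0.7", "proto": "icmp", "length": 2000, "fragmented": True},
    {"src": "192.0.2.9", "dst": "10.0.0.255", "proto": "icmp", "length": 64},
    {"src": "192.0.2.9", "dst": "10.0.0.7", "proto": "tcp", "flags": TCP_SYN},
]


def run_checks(packets=SAMPLE_PACKETS):
    """Classify each sample packet; returns one threat list per packet."""
    return [classify(p, ROUTER_ADDRS, DIRECTED_BCASTS) for p in packets]


if __name__ == "__main__":
    for pkt, hits in zip(SAMPLE_PACKETS, run_checks()):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], "discard" if hits else "pass", hits)
```

Note that Bad SIP and Multicast/Broadcast Source address are the same condition in this model, and that LAND, Spoof and Christmas Tree are checked independently, so one packet can match several threats; a real device only needs one match to discard the frame.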
Host DoS is globally enabled by default; to enable it explicitly, enter the hostdos enable command in global configuration mode. Each threat in the table is then enabled individually by entering a separate hostdos command, in global configuration mode, that names the mitigation-type to apply.
The maximum allowed ICMP length used by the Large ICMP check is set with the icmp-maxlength option of the hostdos command.