Denial-of-Service Attack Prevention

Hsecure

The switch supports a configurable flag, called high secure (hsecure). High secure mode introduces a protection mechanism to filter certain IP addresses, and two restrictions on passwords: 10-character enforcement and aging time.

If the device starts in hsecure mode with default factory settings, and no previously configured password, the system will prompt you to change the password. The new password must follow the rules mandated by high secure mode. After you enable hsecure and restart the system, if you have an invalid-length password you must change the password.

If you enable hsecure for the first time and the password file does not exist, then the device creates a normal default user name (rwa) and password (rwa). In this case, the password does not meet the minimum requirements for hsecure and as a result the system prompts you to change the password.

The following information describes hsecure mode operations:

• When you enable the hsecure flag, after a certain duration you are asked to change your password. If not configured, the aging parameter defaults to 90 days.

• For SNMP and FTP, access is denied when a password expires. You must change the community strings to a new string made up of more than eight characters before accessing the system.

• You cannot enable the web server at any time.

• You cannot enable the SSH password-authentication feature at any time.

Hsecure is disabled by default. When you enable hsecure, the desired behavior applies to all ports.

For more information, see Prevent Certain Types of DOS Attacks.

Prioritization of Control Traffic

The switch uses a sophisticated prioritization scheme to schedule control packets on physical ports. This scheme involves two levels with both hardware and software queues to guarantee proper handling of control packets regardless of the switch load. In turn, this scheme guarantees the stability of the network. Prioritization also guarantees that applications that use many broadcasts are handled with lower priority.

You cannot view, configure, or modify control-traffic queues.

Directed Broadcast Suppression

You can enable or disable forwarding for directed broadcast traffic on an IP-interface basis. A directed broadcast is a frame sent to the subnet broadcast address on a remote IP subnet. By disabling or suppressing directed broadcasts on an interface, you cause all frames sent to the subnet broadcast address for a local router interface to be dropped. Directed broadcast suppression protects hosts from possible DoS attacks.

To prevent the flooding of other networks with DoS attacks, such as the Smurf attack, enable directed broadcast suppression. For more information, see Configure Directed Broadcast.

ARP Request Threshold

The Address Resolution Protocol (ARP) request threshold defines the maximum number of outstanding unresolved ARP requests. The default value for this function is 500 ARP requests. To avoid excessive amounts of subnet scanning that a virus can cause, as a best practice, change the ARP request threshold to a value between 100 and 50. This configuration protects the CPU from causing excessive ARP requests, protects the network, and lessens the spread of the virus to other PCs. The following list provides further ARP threshold values:

• Default: 500

• Severe conditions: 50

• Continuous scanning conditions: 100

• Moderate: 200

• Relaxed: 500

For more information about how to configure the ARP threshold, see Address Resolution Protocol.

Multicast Learning Limitation

The Multicast Learning Limitation feature protects the CPU from multicast data packet bursts generated by malicious applications. If more than a certain number of multicast streams enter the CPU through a port during a sampling interval, the port is shut down until the user or administrator takes the appropriate action.

For more information, see IP Multicast.