Protocol Anomaly Protection
The Extreme chipsets contain built-in hardware protocol checkers that support port
security features for security applications, such as stateless DoS protection.
The protocol checkers allow users to drop the packets
based on the following conditions, which are checked for ingress
packets prior to the L2/L3 entry table:
- SIP = DIP for IPv4/IPv6 packets.
- TCP_SYN Flag = 0 for Ipv4/Ipv6 packets
- TCP Packets with control flags = 0 and sequence number = 0
for Ipv4/Ipv6 packets
- TCP Packets with FIN, URG & PSH bits set & seq.
number = 0 for Ipv4/Ipv6 packets
- TCP Packets with SYN & FIN bits are set for Ipv4/Ipv6
packets
- TCP Source Port number = TCP Destination Port number for
Ipv4/Ipv6 packets
- First TCP fragment does not have the full TCP header (less
than 20 bytes) for Ipv4/Ipv6 packets
- TCP header has fragment offset value as 1 for Ipv4/Ipv6
packets
- UDP Source Port number = UDP Destination Port number for
Ipv4/Ipv6 packets
- CMP ping packets payload is larger than programmed value of
ICMP max size for Ipv4/Ipv6 packets
- Fragmented ICMP packets for Ipv4/Ipv6 packets
The protocol anomaly detection security functionality is supported by a
set of anomaly-protection enable, disable, configure, clear, and show CLI commands. For
further details, see the ExtremeXOS Command Reference Guide.