Denial of Service Protection
A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed and rendered inoperative in a way that legitimate requests for service cannot succeed.
In its simplest form, a DoS attack is indistinguishable from normal heavy traffic. Some operations in any switch or router are more costly than others: although normal traffic is not a problem, exception traffic must be handled by the switch's CPU in software. Exception traffic includes:
Note: DoS protection is not supported for IPv6.
- Traffic resulting from new MAC learning
Note: When certain features such as Network Login are enabled, hardware learning is disabled to let software control new MAC learning.
- Routing and control protocols including ICMP, BGP, OSPF, STP, EAPS, ESRP, etc.
- Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
- Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the CPU with packets that require costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the problem and filter out the offending traffic so that other functions can continue. When a flood of CPU-bound packets reaches the switch, DoS Protection counts these packets. When the packet count nears the alert threshold, packet headers are saved. If the threshold is reached, these headers are analyzed, and a hardware ACL is created to limit the flow of these packets to the CPU. This ACL remains in place to provide relief to the CPU. Periodically, the ACL expires, and if the attack is still occurring, it is re-enabled. With the ACL in place, the CPU has the cycles to process legitimate traffic and continue other services.
Note: User-created ACLs take precedence over the automatically applied DoS protect ACLs.
DoS Protection sends a notification when the notify threshold is reached.
You can also specify some ports as trusted ports, so that DoS protection is not applied to those ports.
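The following is an added simulation of the count / notify / save-headers / install-ACL / expire cycle described above, together with the trusted-port exemption. It is example code written for this page, not Extreme Networks code: the thresholds, the 1-second interval, the 5-second ACL lifetime, the flow key (source, destination, protocol) and the traffic mix are constructed assumptions, not product defaults, and a packet matching the installed ACL is modelled as not reaching the CPU at all, where the real hardware ACL rate-limits it.

```python
from collections import Counter


class DosProtect:
    """Model of the CPU-bound packet monitor described in the text.

    Constructed example: thresholds, interval, ACL lifetime and the
    (src, dst, proto) flow key are assumptions, not product defaults.
    Time is in integer milliseconds to keep the arithmetic exact.
    """

    def __init__(self, notify_threshold=8, alert_threshold=10, interval_ms=1000,
                 acl_expiry_ms=5000, trusted_ports=()):
        assert notify_threshold <= alert_threshold, "headers are saved from notify up to alert"
        self.notify_threshold = notify_threshold
        self.alert_threshold = alert_threshold
        self.interval_ms = interval_ms
        self.acl_expiry_ms = acl_expiry_ms
        self.trusted_ports = frozenset(trusted_ports)
        self.count = 0                 # CPU-bound packets seen in the current interval
        self.interval_start = None
        self.saved_headers = []        # flow keys captured once count nears the alert threshold
        self.acls = {}                 # flow key -> expiry time of the auto-installed ACL
        self.events = []               # (time, kind, flow) audit trail for the operator

    def _tick(self, now):
        # Counting restarts every interval, so a steady trickle never trips the alert.
        if self.interval_start is None or now - self.interval_start >= self.interval_ms:
            self.count = 0
            self.saved_headers = []
            self.interval_start = now
        # Auto ACLs expire periodically; if the flood persists, counting reinstalls them.
        for flow, expiry in list(self.acls.items()):
            if now >= expiry:
                del self.acls[flow]
                self.events.append((now, "acl-expired", flow))

    def process(self, now, port, src, dst, proto):
        """Return what happened to one packet: 'trusted', 'rate-limited' or 'cpu'."""
        self._tick(now)
        if port in self.trusted_ports:          # trusted ports are exempt from DoS protection
            return "trusted"
        flow = (src, dst, proto)
        if flow in self.acls:                   # hardware ACL keeps the flow off the CPU
            return "rate-limited"
        self.count += 1
        if self.count == self.notify_threshold:
            self.events.append((now, "notify", None))
        if self.count >= self.notify_threshold: # near the alert threshold: save headers
            self.saved_headers.append(flow)
        if self.count >= self.alert_threshold:  # analyse headers, install ACL for the offender
            offender, _hits = Counter(self.saved_headers).most_common(1)[0]
            self.acls[offender] = now + self.acl_expiry_ms
            self.events.append((now, "acl-installed", offender))
            self.count = 0
            self.saved_headers = []
        return "cpu"


def simulate(trusted_ports=()):
    """Constructed traffic: an ICMP flood on port 1 (one packet every 50 ms for 8 s)
    mixed with an SSH management session on port 2 (one packet every 500 ms)."""
    dp = DosProtect(trusted_ports=trusted_ports)
    outcomes = Counter()
    for i in range(160):
        t = (i + 1) * 50
        outcomes[dp.process(t, 1, "198.51.100.7", "192.0.2.1", "icmp")] += 1
        if i % 10 == 0:
            outcomes[dp.process(t, 2, "192.0.2.50", "192.0.2.1", "ssh")] += 1
    return dp, outcomes


if __name__ == "__main__":
    dp, outcomes = simulate()
    print(dict(outcomes))
    for event in dp.events:
        print(event)
    dp, outcomes = simulate(trusted_ports=(1,))
    print("port 1 trusted:", dict(outcomes), "events:", dp.events)
```

Running the first simulation shows the ACL installed 450 ms into the flood, expiring at 5450 ms, and being reinstalled 350 ms later because the flood is still running; the SSH session keeps reaching the CPU throughout. Marking port 1 as trusted suppresses the whole mechanism for that port, which is why trusted ports should be limited to links you genuinely control.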