User Manual

AT8402 Switching Commands
Page 2 - 75 AT8402 CLI Reference Manual
Service attacks. You can configure your system to monitor and block six types of
attacks:
SIP=DIP: Source IP address = Destination IP address.
First Fragment: TCP Header size smaller than configured value.
TCP Fragment: IP Fragment Offset = 1.
TCP Flag: TCP Flag SYN set and Source Port < 1024; or TCP Control Flags = 0
and TCP Sequence Number = 0; or TCP Flags FIN, URG, and PSH set and TCP
Sequence Number = 0; or TCP Flags SYN and FIN set.
L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
ICMP: Limiting the size of ICMP Ping packets.
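The header conditions listed above, written out as an offline packet check. This is an added example, not code from the switch or from this manual: the function names, the sample addresses and the grouping of the "and"/"or" terms in the TCP Flag condition are assumptions, and the ICMP size limit is left out because its value is not given in this section.

```python
import socket
import struct

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20  # TCP control flag bits

def build_tcp(src, dst, sport, dport, seq=1, flags=SYN, doff=5, frag_off=0):
    """Build a constructed IPv4+TCP packet for testing (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag_off & 0x1FFF,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def classify(pkt, min_tcp_hdr=20):
    """Return the labels (from the list above) of the conditions an IPv4 packet matches."""
    hits = []
    if len(pkt) < 20:
        return hits  # too short to hold an IPv4 header
    ihl = (pkt[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    if pkt[12:16] == pkt[16:20]:
        hits.append("SIP=DIP")
    if pkt[9] in (6, 17) and frag_off == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport == dport:
            hits.append("L4 Port")
    if pkt[9] != 6:
        return hits  # remaining conditions apply to TCP only
    if frag_off == 1:
        hits.append("TCP Fragment")
    if frag_off != 0 or len(pkt) < ihl + 14:
        return hits  # flags and sequence number exist only in the first fragment
    sport, _, seq = struct.unpack("!HHI", pkt[ihl:ihl + 8])
    hdr_len = (pkt[ihl + 12] >> 4) * 4  # data offset is counted in 32-bit words
    flags = pkt[ihl + 13] & 0x3F
    if hdr_len < min_tcp_hdr:
        hits.append("First Fragment")
    if (((flags & SYN) and sport < 1024) or (flags == 0 and seq == 0)
            or ((flags & (FIN | URG | PSH)) == (FIN | URG | PSH) and seq == 0)
            or ((flags & (SYN | FIN)) == (SYN | FIN))):
        hits.append("TCP Flag")
    return hits

if __name__ == "__main__":
    # Constructed sample: same source and destination address, SYN and FIN both set.
    print(classify(build_tcp("192.0.2.1", "192.0.2.1", 40000, 443, flags=SYN | FIN)))
```
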
2.18.1 dos-control sipdip
This command enables Source IP address = Destination IP address (SIP=DIP) Denial
of Service protection. When the mode is enabled, Denial of Service prevention is
active for this type of attack and packets that ingress with SIP=DIP are dropped.
Default disabled
Format
dos-control sipdip
Mode Global Config
2.18.1.1 no dos-control sipdip
This command disables Source IP address = Destination IP address (SIP=DIP) Denial
of Service prevention.
Format
no dos-control sipdip
Mode Global Config
2.18.2 dos-control firstfrag
This command enables Minimum TCP Header Size Denial of Service protection. When the
mode is enabled, Denial of Service prevention is active for this type of attack and
packets that ingress with a TCP Header Size smaller than the configured value are
dropped. The default is disabled. If you enable dos-control firstfrag, but do not
provide a Minimum TCP Header Size, the system sets that value to 20.
Default disabled <20>
Format
dos-control firstfrag [<0-255>]
Mode Global Config
2.18.2.1 no dos-control firstfrag
This command sets Minimum TCP Header Size Denial of Service protection to the
default value of disabled.
Format
no dos-control firstfrag
Mode Global Config