Users Manual of XGS-6350-24X4C
service address). The SYN message causes the server to send the SYN-ACK message to the server itself,
hence this address also sends the ACK message and creates a null link. Each link of this kind is kept
until it times out, so the server will break down. LAND attacks can be classified into IPland and MACland.
41.1.2 DoS Attack Prevention Configuration Task List
For global DoS attack prevention, you configure the related sub-functions and the switch then
drops the corresponding DoS attack packets. This guarantees that the bandwidth of the switch is not
used up.
DoS attack prevention configuration tasks are shown below:
Configuring Global DoS Attack Prevention
Displaying All DoS Attack Prevention Configuration
41.1.3 DoS Attack Prevention Configuration Tasks
41.1.3.1 Configuring Global DoS Attack Prevention
Configuring global DoS attack prevention means configuring the DoS attack prevention sub-functions in global
mode. Each sub-function prevents a different type of DoS attack packet. The DoS IP sub-function can
prevent LAND attacks, while the DoS ICMP sub-function can prevent Ping of Death. You can set the
corresponding sub-function according to actual requirements.
Configure the DoS attack prevention function in EXEC mode.
Command: config
Purpose: Enters the global configuration mode.

Command: [no] dos enable {all | icmp icmp-value | ip | ipv4firstfrag | l4port | mac | tcpflags | tcpfrag tcpfrag-value}
Purpose:
Configures all to prevent all types of DoS attack packets.
Configures icmp to prevent ICMP packets; icmp-value is the maximum length of the ICMP packet.
Configures ip to prevent those IP packets whose source IPs are the same as the destination IPs.
Configures ipv4firstfrag to check the first fragment of the IP packet.
Configures l4port to prevent those TCP/UDP packets whose source port IDs are the same as the destination port IDs.
Configures mac to prevent those packets whose source MACs are the same as the destination MACs.
Configures tcpflags to prevent those TCP packets containing illegal TCP flags.
Configures tcpfrag to prevent those TCP packets whose minimum TCP header is tcpfrag-value.

Command: exit
Purpose: Goes back to the EXEC mode.
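
The following added example (not taken from the manual or from the switch firmware) models in Python the conditions that the mac, ip, icmp and l4port sub-functions are described as matching, and runs them over constructed frames. The function names, the icmp-value of 512, and the reading of icmp-value as the ICMP message length in bytes are assumptions; how the switch itself implements these checks is not documented here.

```python
import socket
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, payload):  # constructed test frame
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return dst_mac + src_mac + b"\x08\x00" + ip + payload  # IP checksum left 0, not validated

def dos_hits(frame, icmp_value=512):
    """Names of the sub-functions from the table whose condition the frame meets."""
    hits = []
    if len(frame) < 14:
        return hits
    if frame[0:6] == frame[6:12]:              # mac: source MAC == destination MAC
        hits.append("mac")
    if frame[12:14] != b"\x08\x00" or len(frame) < 34:
        return hits                            # not IPv4, or truncated IP header
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return hits
    total_len, _ident, frag = struct.unpack("!HHH", ip[2:8])
    payload = ip[ihl:total_len]
    if ip[12:16] == ip[16:20]:                 # ip: source IP == destination IP
        hits.append("ip")
    if ip[9] == 1 and len(payload) > icmp_value:   # icmp: longer than icmp-value (assumed bytes)
        hits.append("icmp")
    if ip[9] in (6, 17) and (frag & 0x1FFF) == 0 and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport == dport:                     # l4port: source port == destination port
            hits.append("l4port")
    return hits

def syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)

# Constructed sample traffic (documentation addresses, locally administered MACs).
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_A, IP_B = "192.0.2.1", "192.0.2.10"
SAMPLES = {
    "ip_land": build_frame(MAC_A, MAC_B, IP_B, IP_B, 6, syn(80, 80)),
    "mac_land": build_frame(MAC_A, MAC_A, IP_A, IP_B, 17, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "big_ping": build_frame(MAC_A, MAC_B, IP_A, IP_B, 1, b"\x08\x00\x00\x00" + bytes(1000)),
    "normal": build_frame(MAC_A, MAC_B, IP_A, IP_B, 6, syn(40000, 80)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:9} -> {dos_hits(frame) or 'forwarded'}")
```

A frame that returns an empty list meets none of the four modelled conditions; the tcpflags, tcpfrag and ipv4firstfrag checks are left out because the page does not define their exact criteria.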