User's Manual
Land Attack
The attacker crafts a special SYN message in which the source address and the destination address are
the same service address. The SYN message causes the server to send the SYN-ACK message
to the server itself, so this address also sends the ACK message and a null link is created. Each
link of this kind is kept until it times out, so the server will break down. Land attacks can
be classified into IPland and MACland.
47.3 DoS Attack Prevention Configuration Task List
For global DoS attack prevention, you configure the related sub-functions and the switch then drops the
corresponding DoS attack packets. Hence, the bandwidth of the switch is guaranteed not to be used up.
DoS attack prevention configuration tasks are shown below:
Configuring Global DoS Attack Prevention
Displaying All DoS Attack Prevention Configuration
47.4 DoS Attack Prevention Configuration Tasks
47.4.1 Configuring Global DoS Attack Prevention
Configuring global DoS attack prevention means configuring the DoS attack prevention sub-functions in global
mode. Each sub-function prevents a different type of DoS attack packet. The DoS IP sub-function can
prevent LAND attacks, while the DoS ICMP sub-function can prevent Ping of Death. You can set the
corresponding sub-function according to actual requirements.
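The drop conditions that this section gives for the ip, l4port and icmp sub-functions can be written as checks on a raw IPv4 packet, which is useful for confirming in a capture which traffic the switch would drop. The following Python is an added example, not the switch's own logic; the function names, the 1024-byte stand-in for icmp-value, the way ICMP length is measured and the sample packets are constructed assumptions.

```python
import socket
import struct

ICMP_MAX_LEN = 1024  # assumed stand-in for icmp-value; the manual states no default


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet as constructed test input (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def classify(packet, icmp_max_len=ICMP_MAX_LEN):
    """Return the names of the sub-functions whose drop condition the packet meets."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["malformed"]
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ["malformed"]
    total_len, = struct.unpack("!H", packet[2:4])
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    hits = []
    # ip: source IP equals destination IP (the LAND condition).
    if packet[12:16] == packet[16:20]:
        hits.append("ip")
    # l4port: TCP/UDP source port equals destination port.
    # Ports are only present in the first fragment (offset 0).
    if proto in (6, 17) and frag_offset == 0 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if sport == dport:
            hits.append("l4port")
    # icmp: ICMP packet longer than icmp-value. Assumption: length is measured
    # as IP total length minus the IP header; the manual does not say.
    if proto == 1 and total_len - ihl > icmp_max_len:
        hits.append("icmp")
    return hits


# Constructed sample packets using documentation addresses (192.0.2.0/24).
TCP_REST = b"\x00" * 16
SAMPLES = {
    "land": build_ipv4("192.0.2.10", "192.0.2.10", 6, struct.pack("!HH", 80, 80) + TCP_REST),
    "normal": build_ipv4("192.0.2.20", "192.0.2.10", 6, struct.pack("!HH", 49152, 80) + TCP_REST),
    "big_ping": build_ipv4("192.0.2.20", "192.0.2.10", 1, b"\x08\x00" + b"\x00" * 2000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```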
Configure the DoS attack prevention function in EXEC mode.
Command: config
Purpose: Enters the global configuration mode.

Command: [no] dos enable {all | icmp icmp-value | ip | ipv4firstfrag | l4port | mac | tcpflags | tcpfrag tcpfrag-value}
Purpose:
Configures all to prevent all types of DoS attack packets.
Configures icmp to prevent the ICMP packets, where icmp-value is the maximum length of the ICMP packet.
Configures ip to prevent those IP packets whose source IPs are the same as the destination IPs.
Configures ipv4firstfrag to check the first fragment of the IP packet.
Configures l4port to prevent those TCP/UDP packets whose source port IDs are the same as the destination port IDs.