Operation Manual

ManualsBrandsTP-LINK ManualsComputersT1700X-16TS

591

592

593

594

595

596

597

598

599

600

Configuration Guide 568

Configuring Network Security DoS Defend Configuration

Step 3 ip dos-prevent type { land | scan-synfin | xma-scan | null-scan | port-less-1024 | blat | ping-

flood | syn-flood | win-nuke }

Configure one or more defend types according to your needs. The types of DoS attack are

introduced as follows.

land:

The attacker sends a specic fake SYN (synchronous) packet to the destination host.

Because both the source IP address and the destination IP address of the SYN packet are

set to be the IP address of the host, the host will be trapped in an endless circle of building

the initial connection.

scan-synfin:

The attacker sends the packet with its SYN field and the FIN field set to 1.

The SYN eld is used to request initial connection whereas the FIN eld is used to request

disconnection. Therefore, a packet of this type is illegal.

xma-scan:

The attacker sends the illegal packet with its TCP index, FIN, URG and PSH eld

set to 1.

null-scan:

The attacker sends the illegal packet with its TCP index and all the control elds

set to 0. During the TCP connection and data transmission, the packets with all the control

elds set to 0 are considered as the illegal packets.

port-less-1024:

The attacker sends the illegal packet with its TCP SYN field set to 1 and

source port smaller than 1024.

blat:

The attacker sends the illegal packet with the same source port and destination port on

Layer 4 and with its URG eld set to 1. Similar to the Land Attack, the system performance

of the attacked host is reduced because the Host circularly attempts to build a connection

with the attacker.

ping-flood:

The attacker floods the destination system with Ping packets, creating a

broadcast storm that makes it impossible for system to respond to legal communication.

syn-flood:

The attacker uses a fake IP address to send TCP request packets to the server.

Upon receiving the request packets, the server responds with SYN-ACK packets. Since the

IP address is fake, no response will be returned. The server will keep on sending SYN-ACK

packets. If the attacker sends overowing fake request packets, the network resource will

be occupied maliciously and the requests of the legal clients will be denied.

win-nuke:

An Operation System with bugs cannot process the URG (Urgent Pointer) of TCP

packets. If the attacker sends TCP packets to port139 (NetBIOS) of the host with Operation

System bugs, it will cause blue screen.

Step 4 show ip dos-prevent

Verify the Dos Defend configuration.

Step 5 end

Return to privileged EXEC mode.

Step 6 copy running-config startup-config

Save the settings in the configuration file.

The following example shows how to enable the DoS Defend type named land:

Switch#configure