Home » D-Link Manuals » Hubs & Switches » D-Link DXS-3600-EM-8T » Manual Viewer

D-Link DXS-3600-EM-8T CLI Guide - Page 238

DoS Attack Prevention Commands - stack

Get D-Link DXS-3600-EM-8T PDF manuals and user guides

View all D-Link DXS-3600-EM-8T manuals

Add to My Manuals
Save this manual to your list of manuals

Page 238 highlights

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide DoS Attack Prevention Commands 18-1 defense This command is used to defend DoS attacks. Use the no form of the command to disable the defense attack defense [land | blat | null-scan | xmascan | tcp-synfin | port-less-1024 | ping-death | tiny-frag] enable no defense [land | blat | null-scan | xmascan | tcp-synfin | port-less-1024 | ping-death | tiny-frag] enable Parameters land blat null-scan xmascan tcp-synfin port-less-1024 ping-death tiny-frag Enable the defense land attack function. Enable the defense blat attack function. Enable the defense null scan attack function. Enable the defense xmas scan attack function. Enable the defense tcp with synfin attack function. Enable the defense source port less 1024 attack function. Enable the defense ping of death attack function. Enable the defense tcp tiny fragment attack function. Default Command Mode Command Default Level Usage Guideline Defense land, blat, null-scan, xmascan, tcp-synfin, port-less-1024, ping-death, tinyfrag disabled. Global Configuration Mode. Level: 15. Defense DoS attack types are listed as bellow: Land attack A Land attack is a DoS attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up. A Land attack involves IP packets where the source and destination address are set to address the same device. The reason a Land attack works is because it causes the machine to reply to itself continuously. Detect method - Check whether the source address is equal to destination address of a received IP packet. Blat attack A DoS attack in which the TCP/IP stack is flooded with SYN packets that have spoofed source port number that match the destination port number causes the machine to lock up. Detect method - Check whether the source port is equal to destination port of a received TCP packet. Null Scan Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely configured TCP packets, which contain no flags. Again, this type of scan can get through some firewalls and boundary routers that filter on incoming TCP packets with standard flag settings. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply. Detect method - Check whether a received TCP packet contains a sequence number of 0 and no flags. 230

Section	Page
Basic CLI Commands	9
1-1 help	9
1-2 prompt	10
1-3 banner login	10
1-4 exit	12
1-5 end	12
802.1X Commands	14
2-1 dot1x default	14
2-2 dot1x port-control	14
2-3 dot1x pae authenticator	15
2-4 dot1x control-direction	15
2-5 dot1x timeout	16
2-6 dot1x max-req	17
2-7 dot1x reauthentication	17
2-8 dot1x re-authenticate	18
2-9 dot1x initialize	18
2-10 dot1x system-auth-control	19
2-11 dot1x system-max-user	19
2-12 dot1x port-max-user	20
2-13 dot1x system-fwd-pdu	20
2-14 dot1x port-fwd-pdu	21
2-15 show dot1x	21
Access Control List (ACL) Commands	25
3-1 ip access-list standard	25
3-2 permit \| deny (ip standard access-list)	25
3-3 ip access-list extended	26
3-4 permit \| deny (ip extended access-list)	27
3-5 ipv6 access-list	29
3-6 permit \| deny (ipv6 access-list)	29
3-7 mac access-list	31
3-8 permit \| deny (mac access-list)	32
3-9 expert access-list	33
3-10 permit \| deny (expert access-list)	34
3-11 ip access-list resequence	36
3-12 list-remark text	37
3-13 show access-lists	37
3-14 ip access-group	38
3-15 ipv6 traffic-filter	39
3-16 mac access-group	40
3-17 expert access-group	40
3-18 show access-group	41
3-19 show ip access-group	42
3-20 show ipv6 access-group	42
3-21 show mac access-group	43
3-22 show expert access-group	43
3-23 vlan access-map	44
3-24 match ip / mac address	44
3-25 action	45
3-26 vlan filter	46
3-27 show vlan access-map	46
3-28 show vlan filter	47
Address Resolution Protocol (ARP) Commands	48
4-1 arp	48
4-2 arp timeout	48
4-3 clear arp cache	49
4-4 show arp	50
4-5 show arp counter	52
4-6 show arp timeout	52
4-7 show ip arp	53
Alternate Store and Forward (ASF) Commands	54
5-1 enable asf	54
5-2 no asf	54
5-3 show asf	54
Authentication, Authorization, and Accounting (AAA) Commands	56
6-1 aaa	56
6-2 aaa authentication login	56
6-3 aaa authentication enable	57
6-4 login authentication	58
6-5 aaa authorization exec	58
6-6 aaa authorization console	59
6-7 authorization exec	60
6-8 aaa accounting exec	60
6-9 accounting exec	61
6-10 ip http authentication aaa	62
6-11 aaa local authentication attempts	63
6-12 aaa local authentication lockout-time	63
6-13 aaa authentication network	64
6-14 aaa authorization network	64
6-15 aaa accounting network	65
6-16 aaa group server	66
6-17 server	66
6-18 show aaa	67
6-19 show aaa server group	68
6-20 show aaa authentication	68
6-21 show aaa authorization	69
6-22 show aaa accounting	70
6-23 show aaa application	70
6-24 ip vrf forwarding	72
Border Gateway Protocol (BGP) Commands	73
7-1 address-family ipv4	73
7-2 address-family vpnv4	73
7-3 aggregate-address	74
7-4 bgp router-id	75
7-5 bgp aggregate-next-hop-check	75
7-6 bgp always-compare-med	76
7-7 bgp bestpath as-path ignore	77
7-8 bgp bestpath compare-confed-aspath	77
7-9 bgp bestpath compare-routerid	78
7-10 bgp bestpath med confed	78
7-11 bgp bestpath med missing-as-worst	79
7-12 bgp client-to-client reflection	79
7-13 bgp cluster-id	80
7-14 bgp confederation identifier	81
7-15 bgp confederation peers	81
7-16 bgp dampening	82
7-17 bgp default ipv4-unicast	83
7-18 bgp default local-preference	84
7-19 bgp deterministic-med	85
7-20 bgp enforce-first-as	85
7-21 bgp fast-external-fallover	86
7-22 clear ip bgp	86
7-23 clear ip bgp vrf	87
7-24 clear ip bgp vpnv4	88
7-25 clear ip bgp dampening	89
7-26 clear ip bgp dampening vrf	90
7-27 clear ip bgp external	90
7-28 clear ip bgp flap-statistics	91
7-29 clear ip bgp flap-statistics vrf	92
7-30 clear ip bgp peer-group	92
7-31 exit-address-family	94
7-32 ip as-path access-list	94
7-33 ip community-list	95
7-34 ip extcommunity-list	96
7-35 neighbor activate	98
7-36 neighbor advertisement-interval	98
7-37 neighbor allowas-in	99
7-38 neighbor as-override	100
7-39 neighbor capability orf prefix-list	100
7-40 neighbor default-originate	102
7-41 neighbor description	102
7-42 neighbor ebgp-multihop	103
7-43 neighbor filter-list	104
7-44 neighbor maximum-prefix	105
7-45 neighbor next-hop-self	106
7-46 neighbor password	107
7-47 neighbor peer-group (add group member)	107
7-48 neighbor peer-group (create group)	109
7-49 neighbor prefix-list	110
7-50 neighbor remote-as	111
7-51 neighbor remove-private-as	111
7-52 neighbor route-map	112
7-53 neighbor route-reflector-client	113
7-54 neighbor send-community	114
7-55 neighbor send-community (VPNv4)	115
7-56 neighbor shutdown	115
7-57 neighbor soft-reconfiguration inbound	116
7-58 neighbor soo	117
7-59 neighbor timers	118
7-60 neighbor unsuppress-map	118
7-61 neighbor update-source	119
7-62 neighbor weight	120
7-63 network (BGP)	120
7-64 redistribute	121
7-65 route-preference	122
7-66 router bgp	123
7-67 show ip as-path access-list	124
7-68 show ip bgp	125
7-69 show ip bgp all	127
7-70 show ip bgp rd	129
7-71 show ip bgp vrf	131
7-72 show ip bgp aggregate	133
7-73 show ip bgp cidr-only	134
7-74 show ip bgp community	136
7-75 show ip bgp community-list	137
7-76 show ip bgp confederation	139
7-77 show ip bgp dampening dampened-paths	139
7-78 show ip bgp dampening parameters	141
7-79 show ip bgp dampening flap-statistics	142
7-80 show ip bgp filter-list	143
7-81 show ip bgp inconsistent-as	145
7-82 show ip bgp neighbors	146
7-83 show ip bgp network	154
7-84 show ip bgp redistribute	155
7-85 show ip bgp reflection	156
7-86 show ip bgp route-map	157
7-87 show ip bgp parameters	158
7-88 show ip bgp peer-group	160
7-89 show ip bgp quote-regexp	162
7-90 show ip bgp summary	164
7-91 show ip community-list	165
7-92 show ip extcommunity-list	166
7-93 synchronization	167
7-94 timers bgp	168
7-95 debug ip bgp	169
7-96 debug ip bgp fsm-event	169
7-97 debug ip bgp packet	169
7-98 debug ip bgp route-map	170
7-99 debug ip bgp prefix-list	171
7-100 debug ip bgp show global	171
7-101 debug ip bgp show neighbors	172
7-102 debug ip bgp show peer-group	173
7-103 debug ip bgp show network	174
7-104 debug ip bgp show aggregate	175
7-105 debug ip bgp show damp	175
7-106 debug ip bgp show interface	176
7-107 debug ip bgp show timer	177
7-108 debug ip bgp show redistribution	177
7-109 debug ip bgp show as-path-access-list	178
7-110 debug ip bgp show community-list	179
Compound Authentication Commands	180
8-1 network-access guest-vlan	180
8-2 show network-access guest-vlan	180
8-3 network-access authentication-mode	181
8-4 show network-access auth-configure	181
Configuration Commands	183
9-1 show running-config	183
9-2 show bootup-config	183
9-3 execute flash:	184
9-4 configure replace	185
9-5 boot config flash	187
9-6 copy running-config	187
9-7 copy bootup-config	189
9-8 copy	191
Counter Commands	195
10-1 clear counters	195
10-2 show interfaces counters	195
10-3 show utilization	196
CPU Commands	198
11-1 show cpu	198
Debug Commands	199
12-1 debug enable	199
12-2 error-reboot enable	199
12-3 copy error-log	200
12-4 copy debug buffer	200
12-5 debug output	201
12-6 show error-log	201
12-7 clear error-log	202
12-8 show error-reboot	202
12-9 clear debug buffer	203
12-10 show debug buffer	203
12-11 show debug status	204
12-12 show tech-support	204
12-13 copy tech-support	205
12-14 debug show module_version	206
DHCP Relay Commands	207
13-1 service dhcp	207
13-2 ip helper-address	207
13-3 ip dhcp relay information option82	207
13-4 ip dhcp relay option60	208
13-5 ip dhcp relay option60 identifier	208
13-6 ip dhcp relay option60 default	209
13-7 show ip dhcp relay option60	209
13-8 ip dhcp relay option61	210
13-9 ip dhcp relay option61 identifier	211
13-10 ip dhcp relay option61 default	211
13-11 show ip dhcp relay option61	212
DHCP Server Commands	213
14-1 bootfile	213
14-2 clear ip dhcp binding	213
14-3 clear ip dhcp conflict	214
14-4 default-router	215
14-5 dns-server	215
14-6 domain-name	216
14-7 hardware-address	216
14-8 host	217
14-9 ip dhcp excluded-address	218
14-10 ip dhcp ping packet	218
14-11 ip dhcp ping timeout	219
14-12 ip dhcp pool	219
14-13 lease	220
14-14 netbios-name-server	220
14-15 netbios-node-type	221
14-16 network	222
14-17 next-server	223
14-18 service dhcp	223
14-19 show ip dhcp excluded-address	223
14-20 show ip dhcp binding	224
14-21 show ip dhcp conflict	225
14-22 show ip dhcp pool	226
14-23 show ip dhcp server	226
14-24 vrf	227
Distance Vector Multicast Routing Protocol (DVMRP) Commands	228
15-1 ip dvmrp	228
15-2 ip dvmrp metric	228
15-3 show ip dvmrp interface	229
15-4 show ip dvmrp neighbor	230
15-5 show ip dvmrp route	231
D-Link License Management System Commands	233
16-1 install dlms activation_code	233
16-2 show dlms license	233
Domain Name System (DNS) Commands	235
17-1 ip domain-lookup	235
17-2 ip name-server	235
17-3 ip host	236
17-4 clear host	236
17-5 show hosts	236
17-6 ip dns server	237
DoS Attack Prevention Commands	238
18-1 defense	238
18-2 show defense	240
Enhanced Transmission Selection (ETS) Commands	241
19-1 ets willing	241
19-2 ets recommend	241
19-3 show ets interface	242
File System Commands	245
20-1 dir	245
20-2 ls	245
20-3 cp	246
20-4 cd	246
20-5 rename	247
20-6 mkdir	247
20-7 rmdir	248
20-8 rm	248
20-9 del	248
20-10 makefs	249
20-11 pwd	249
Filter Database (FDB) Commands	251
21-1 mac-address-table aging-time	251
21-2 clear mac-address-table	251
21-3 mac-address-table static	252
21-4 mac-address-table filtering	253
21-5 mac-address-table notification	254
21-6 snmp trap mac-notification	255
21-7 show mac-address-table aging-time	255
21-8 show mac-address-table notification	255
21-9 show mac-address-table	256
GARP VLAN Registration Protocol (GVRP) Commands	259
22-1 clear gvrp statistics interface	259
22-2 gvrp (Global)	259
22-3 gvrp (Interface)	259
22-4 gvrp advertise (Interface)	260
22-5 gvrp dynamic-vlan-creation	261
22-6 forbidden vlan	261
22-7 gvrp timer	262
22-8 show gvrp	262
22-9 show gvrp statistics	263
Internet Group Management Protocol (IGMP) Commands	265
23-1 clear ip igmp group	265
23-2 ip igmp static-group	265
23-3 ip igmp last-member-query-interval	266
23-4 ip igmp query-interval	266
23-5 ip igmp query-max-response-time	267
23-6 ip igmp robustness-variable	267
23-7 ip igmp version	268
23-8 ip igmp check-subscriber-source-network	269
23-9 show ip igmp interface	269
23-10 show ip igmp groups	270
IGMP Snooping Commands	274
24-1 ip igmp snooping	274
24-2 ip igmp snooping fast-leave	274
24-3 ip igmp snooping mrouter	275
24-4 ip igmp snooping dyn-mr-aging-time	276
24-5 ip igmp snooping querier	276
24-6 ip igmp snooping static-group	277
24-7 ip igmp snooping max-response-time	278
24-8 ip igmp snooping query-interval	279
24-9 ip igmp snooping version	279
24-10 clear ip igmp snooping statistics	280
24-11 show ip igmp snooping	281
24-12 show ip igmp snooping querier	282
24-13 show ip igmp snooping groups	283
24-14 show ip igmp snooping static-group	284
24-15 show ip igmp snooping mrouter	285
24-16 show ip igmp snooping forwarding-table	286
24-17 show ip igmp snooping statistics	287
Interface Commands	289
25-1 interface out-band	289
25-2 interface loopback	289
25-3 shutdown	289
25-4 show interface out-band	290
25-5 show interface loopback	290
IP Access List Commands	292
26-1 ip standard access-list	292
26-2 deny	292
26-3 permit	293
26-4 show ip standard access-list	293
IP Address Commands	295
27-1 ip address	295
27-2 ip address dhcp	295
27-3 ip directed-broadcast	296
27-4 ip default-gateway	296
27-5 show ip interface	297
IP Prefix List Commands	298
28-1 ip prefix-list	298
28-2 ip prefix-list description	299
28-3 clear ip prefix-list counter	299
28-4 show ip prefix-list	300
IP Multicast (IPMC) Commands	302
29-1 ip mroute	302
29-2 ip multicast-routing	303
29-3 show ip mroute	303
29-4 show ip rpf	305
29-5 show ip multicast interface	306
29-6 show ip multicast-routing	307
LINE Commands	309
30-1 line	309
30-2 exec-timeout	309
30-3 speed	310
30-4 show line	310
Link Aggregation Commands	311
31-1 aggregateport load-balance	311
31-2 lacp port-priority	311
31-3 lacp system-priority	312
31-4 lacp timeout	312
31-5 port-group	313
31-6 port-group mode	313
31-7 show aggregateport	314
31-8 show lacp summary	314
Link Layer Discovery Protocol (LLDP) Commands	317
32-1 lldp run	317
32-2 lldp forward	317
32-3 lldp message-tx-interval	318
32-4 lldp message-tx-hold-multiplier	318
32-5 lldp tx-delay	319
32-6 lldp reinit-delay	319
32-7 lldp notification-interval	320
32-8 lldp notification	321
32-9 lldp management-address	321
32-10 lldp transmit	322
32-11 lldp receive	322
32-12 lldp tlv-select	323
32-13 lldp dot1-tlv-select	324
32-14 lldp dot3-tlv-select	326
32-15 show lldp	327
32-16 show lldp management-address	327
32-17 show lldp interface	328
32-18 show lldp local interface	329
32-19 show lldp remote interface	331
32-20 show lldp statistic	333
32-21 show lldp statistic interface	333
LLDP-DCBX Commands	335
33-1 lldp-dcbx run	335
33-2 lldp-dcbx tlv-select	335
33-3 show lldp-dcbx interface	336
33-4 show lldp-dcbx local interface	336
33-5 show lldp-dcbx remote interface	338
LLDP-MED Commands	340
34-1 lldp-med fast-start-repeat-count	340
34-2 lldp-med notification-topo-change	340
34-3 lldp-med tlv-select	340
34-4 show lldp-med	341
34-5 show lldp-med interface	342
34-6 show lldp-med local	342
34-7 show lldp-med remote	343
Memory Commands	345
35-1 show memory	345
Mirror Commands	346
36-1 monitor session	346
36-2 no monitor session all	347
36-3 show monitor	348
Multicast Filter Mode Commands	350
37-1 multicast filtering-mode	350
37-2 show multicast filtering-mode	350
Multiprotocol Label Switching (MPLS) Commands	352
38-1 mpls ip (global configuration)	352
38-2 snmp-server enable traps mpls lsp	352
38-3 mpls ip (interface configuration)	352
38-4 mpls static ftn	353
38-5 mpls static l2vc-ftn	353
38-6 mpls static ilm	354
38-7 mpls label protocol ldp (global configuration)	355
38-8 snmp-server enable traps mpls ldp	355
38-9 mpls label protocol ldp (interface configuration)	356
38-10 mpls ldp hello-holdtime	356
38-11 mpls ldp hello-interval	357
38-12 mpls ldp targeted-hello-accept	357
38-13 mpls ldp targeted-peer	358
38-14 targeted-hello	358
38-15 ldp router-id	359
38-16 transport-address	359
38-17 backoff maximum	360
38-18 keepalive-holdtime	361
38-19 label-retention-mode	361
38-20 lsp-control-mode	362
38-21 mpls ldp distribution-mode	363
38-22 loop-detection	363
38-23 max-hop-count	364
38-24 max-path-vector	364
38-25 explicit-null	365
38-26 md5 authentication	365
38-27 neighbor password	366
38-28 show mpls	366
38-29 show mpls interface	367
38-30 show mpls forwarding-table	367
38-31 show mpls ldp parameter	369
38-32 show mpls ldp interface	370
38-33 show mpls ldp targeted-peer	371
38-34 show mpls ldp discovery	371
38-35 show mpls ldp neighbor	372
38-36 show mpls ldp session	373
38-37 show mpls ldp bindings	374
38-38 show mpls ldp statistic	375
38-39 show mpls ldp neighbor password	376
38-40 ping lsp	376
38-41 traceroute lsp	377
38-42 lsp trigger	378
38-43 show lsp trigger	379
38-44 mpls qos policy	379
38-45 trust-exp	380
38-46 class-map	380
38-47 match	383
38-48 show mpls qos	383
Network Connectivity Test Commands	385
39-1 ping	385
39-2 traceroute	385
Open Shortest Path First (OSPF) Version 2 Commands	387
40-1 area	387
40-2 area default-cost	387
40-3 area nssa	388
40-4 area range	389

Match case Limit results 1 per page

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

230

DoS Attack Prevention Commands

18-1

defense

This command is used to defend DoS attacks. Use the no form of the command to disable the defense attack

Parameters

land

Enable the defense land attack function.

blat

Enable the defense blat attack function.

null-scan

Enable the defense null scan attack function.

xmascan

Enable the defense xmas scan attack function.

tcp-synfin

Enable the defense tcp with synfin attack function.

port-less-1024

Enable the defense source port less 1024 attack function.

ping-death

Enable the defense ping of death attack function.

tiny-frag

Enable the defense tcp tiny fragment attack function.

Default

Defense land, blat, null-scan, xmascan, tcp-synfin, port-less-1024, ping-death, tiny-

frag disabled.

Command Mode

Global Configuration Mode.

Command Default Level

Level: 15.

Usage Guideline

Defense DoS attack types are listed as bellow:

Land attack

A Land attack is a DoS attack that consists of sending a special poison spoofed

packet to a computer, causing it to lock up. A Land attack involves IP packets

where the source and destination address are set to address the same

device. The reason a Land attack works is because it causes the machine to

reply to itself continuously.

Detect method

- Check whether the source address is equal to destination

address of a received IP packet.

Blat attack

A DoS attack in which the TCP/IP stack is flooded with SYN packets that have

spoofed source port number that match the destination port number causes

the machine to lock up.

Detect method

- Check whether the source port is equal to destination port of a

received TCP packet.

Null Scan

Hackers use the TCP NULL scan to identify listening TCP ports. This scan also

uses a series of strangely configured TCP packets, which contain no flags.

Again, this type of scan can get through some firewalls and boundary routers

that filter on incoming TCP packets with standard flag settings. If the target

device’s TCP port is closed, the target device sends a TCP RST packet in

reply. If the target device’s TCP port is open, the target discards the TCP

NULL scan, sending no reply.

Detect method

- Check whether a received TCP packet contains a sequence

number of 0 and no flags.