Home » D-Link Manuals » Hubs & Switches » D-Link DXS-3600-EM-8T » Manual Viewer

D-Link DXS-3600-EM-8T CLI Guide - Page 239

Xmas Scan, Detect method, SYNFIN, SYN with source port < 1024, Ping of Death, TCP Tiny fragment

Get D-Link DXS-3600-EM-8T PDF manuals and user guides

View all D-Link DXS-3600-EM-8T manuals

Add to My Manuals
Save this manual to your list of manuals

Page 239 highlights

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide Xmas Scan Hackers use the TCP Xmas scan to identify listening TCP ports. This scan uses a series of strangely configured TCP packets, which contain the Urgent (URG), Push (PSH), and FIN flags. Again, this type of scan can get through some firewalls and boundary routers that filter on incoming TCP packets with standard flag settings. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP Xmas scan, sending no reply. Detect method - Check whether a received TCP packet contains URG, Push and FIN flags. SYNFIN To use this type of scan, an attacker first sends a Transmission Control Protocol (TCP) packet that have the Finish (FIN) and Synchronize (SYN) flags set. An open port will respond with Acknowledge (ACK) and SYN TCP packets, but a closed port will return the ACK and Reset (RST) flags set. Detect method - Check whether a received TCP packet contains FIN and SYN flags. SYN with source port < 1024 SYN packet with source port less than 1024; the Internet default services use L4 port between 1 and 1023. If the source port of a TCP packet with SYN flag is less than 1024, the packet should be abnormal. Detect method - Check whether the packets source ports are less than 1024 packets. Ping of Death A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size; many computers cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often cause a system crash. Detect method - Detect whether received packets are fragmented ICMP packets. TCP Tiny fragment attack Use the IP fragmentation to create extremely small fragments and force the TCP header information into a separate packet fragment to pass through the check function of the router and issue an attack. Detect method - Check whether the packets are TCP tiny fragment packets. Example This example shows how to enable defense for all attack types. DXS-3600-32S#configure terminal DXS-3600-32S(config)#defense enable Success DXS-3600-32S(config)# Example This example shows how to enable defense land attack. DXS-3600-32S#configure terminal DXS-3600-32S(config)#defense land enable Success DXS-3600-32S(config)# 231

Section	Page
Basic CLI Commands	9
1-1 help	9
1-2 prompt	10
1-3 banner login	10
1-4 exit	12
1-5 end	12
802.1X Commands	14
2-1 dot1x default	14
2-2 dot1x port-control	14
2-3 dot1x pae authenticator	15
2-4 dot1x control-direction	15
2-5 dot1x timeout	16
2-6 dot1x max-req	17
2-7 dot1x reauthentication	17
2-8 dot1x re-authenticate	18
2-9 dot1x initialize	18
2-10 dot1x system-auth-control	19
2-11 dot1x system-max-user	19
2-12 dot1x port-max-user	20
2-13 dot1x system-fwd-pdu	20
2-14 dot1x port-fwd-pdu	21
2-15 show dot1x	21
Access Control List (ACL) Commands	25
3-1 ip access-list standard	25
3-2 permit \| deny (ip standard access-list)	25
3-3 ip access-list extended	26
3-4 permit \| deny (ip extended access-list)	27
3-5 ipv6 access-list	29
3-6 permit \| deny (ipv6 access-list)	29
3-7 mac access-list	31
3-8 permit \| deny (mac access-list)	32
3-9 expert access-list	33
3-10 permit \| deny (expert access-list)	34
3-11 ip access-list resequence	36
3-12 list-remark text	37
3-13 show access-lists	37
3-14 ip access-group	38
3-15 ipv6 traffic-filter	39
3-16 mac access-group	40
3-17 expert access-group	40
3-18 show access-group	41
3-19 show ip access-group	42
3-20 show ipv6 access-group	42
3-21 show mac access-group	43
3-22 show expert access-group	43
3-23 vlan access-map	44
3-24 match ip / mac address	44
3-25 action	45
3-26 vlan filter	46
3-27 show vlan access-map	46
3-28 show vlan filter	47
Address Resolution Protocol (ARP) Commands	48
4-1 arp	48
4-2 arp timeout	48
4-3 clear arp cache	49
4-4 show arp	50
4-5 show arp counter	52
4-6 show arp timeout	52
4-7 show ip arp	53
Alternate Store and Forward (ASF) Commands	54
5-1 enable asf	54
5-2 no asf	54
5-3 show asf	54
Authentication, Authorization, and Accounting (AAA) Commands	56
6-1 aaa	56
6-2 aaa authentication login	56
6-3 aaa authentication enable	57
6-4 login authentication	58
6-5 aaa authorization exec	58
6-6 aaa authorization console	59
6-7 authorization exec	60
6-8 aaa accounting exec	60
6-9 accounting exec	61
6-10 ip http authentication aaa	62
6-11 aaa local authentication attempts	63
6-12 aaa local authentication lockout-time	63
6-13 aaa authentication network	64
6-14 aaa authorization network	64
6-15 aaa accounting network	65
6-16 aaa group server	66
6-17 server	66
6-18 show aaa	67
6-19 show aaa server group	68
6-20 show aaa authentication	68
6-21 show aaa authorization	69
6-22 show aaa accounting	70
6-23 show aaa application	70
6-24 ip vrf forwarding	72
Border Gateway Protocol (BGP) Commands	73
7-1 address-family ipv4	73
7-2 address-family vpnv4	73
7-3 aggregate-address	74
7-4 bgp router-id	75
7-5 bgp aggregate-next-hop-check	75
7-6 bgp always-compare-med	76
7-7 bgp bestpath as-path ignore	77
7-8 bgp bestpath compare-confed-aspath	77
7-9 bgp bestpath compare-routerid	78
7-10 bgp bestpath med confed	78
7-11 bgp bestpath med missing-as-worst	79
7-12 bgp client-to-client reflection	79
7-13 bgp cluster-id	80
7-14 bgp confederation identifier	81
7-15 bgp confederation peers	81
7-16 bgp dampening	82
7-17 bgp default ipv4-unicast	83
7-18 bgp default local-preference	84
7-19 bgp deterministic-med	85
7-20 bgp enforce-first-as	85
7-21 bgp fast-external-fallover	86
7-22 clear ip bgp	86
7-23 clear ip bgp vrf	87
7-24 clear ip bgp vpnv4	88
7-25 clear ip bgp dampening	89
7-26 clear ip bgp dampening vrf	90
7-27 clear ip bgp external	90
7-28 clear ip bgp flap-statistics	91
7-29 clear ip bgp flap-statistics vrf	92
7-30 clear ip bgp peer-group	92
7-31 exit-address-family	94
7-32 ip as-path access-list	94
7-33 ip community-list	95
7-34 ip extcommunity-list	96
7-35 neighbor activate	98
7-36 neighbor advertisement-interval	98
7-37 neighbor allowas-in	99
7-38 neighbor as-override	100
7-39 neighbor capability orf prefix-list	100
7-40 neighbor default-originate	102
7-41 neighbor description	102
7-42 neighbor ebgp-multihop	103
7-43 neighbor filter-list	104
7-44 neighbor maximum-prefix	105
7-45 neighbor next-hop-self	106
7-46 neighbor password	107
7-47 neighbor peer-group (add group member)	107
7-48 neighbor peer-group (create group)	109
7-49 neighbor prefix-list	110
7-50 neighbor remote-as	111
7-51 neighbor remove-private-as	111
7-52 neighbor route-map	112
7-53 neighbor route-reflector-client	113
7-54 neighbor send-community	114
7-55 neighbor send-community (VPNv4)	115
7-56 neighbor shutdown	115
7-57 neighbor soft-reconfiguration inbound	116
7-58 neighbor soo	117
7-59 neighbor timers	118
7-60 neighbor unsuppress-map	118
7-61 neighbor update-source	119
7-62 neighbor weight	120
7-63 network (BGP)	120
7-64 redistribute	121
7-65 route-preference	122
7-66 router bgp	123
7-67 show ip as-path access-list	124
7-68 show ip bgp	125
7-69 show ip bgp all	127
7-70 show ip bgp rd	129
7-71 show ip bgp vrf	131
7-72 show ip bgp aggregate	133
7-73 show ip bgp cidr-only	134
7-74 show ip bgp community	136
7-75 show ip bgp community-list	137
7-76 show ip bgp confederation	139
7-77 show ip bgp dampening dampened-paths	139
7-78 show ip bgp dampening parameters	141
7-79 show ip bgp dampening flap-statistics	142
7-80 show ip bgp filter-list	143
7-81 show ip bgp inconsistent-as	145
7-82 show ip bgp neighbors	146
7-83 show ip bgp network	154
7-84 show ip bgp redistribute	155
7-85 show ip bgp reflection	156
7-86 show ip bgp route-map	157
7-87 show ip bgp parameters	158
7-88 show ip bgp peer-group	160
7-89 show ip bgp quote-regexp	162
7-90 show ip bgp summary	164
7-91 show ip community-list	165
7-92 show ip extcommunity-list	166
7-93 synchronization	167
7-94 timers bgp	168
7-95 debug ip bgp	169
7-96 debug ip bgp fsm-event	169
7-97 debug ip bgp packet	169
7-98 debug ip bgp route-map	170
7-99 debug ip bgp prefix-list	171
7-100 debug ip bgp show global	171
7-101 debug ip bgp show neighbors	172
7-102 debug ip bgp show peer-group	173
7-103 debug ip bgp show network	174
7-104 debug ip bgp show aggregate	175
7-105 debug ip bgp show damp	175
7-106 debug ip bgp show interface	176
7-107 debug ip bgp show timer	177
7-108 debug ip bgp show redistribution	177
7-109 debug ip bgp show as-path-access-list	178
7-110 debug ip bgp show community-list	179
Compound Authentication Commands	180
8-1 network-access guest-vlan	180
8-2 show network-access guest-vlan	180
8-3 network-access authentication-mode	181
8-4 show network-access auth-configure	181
Configuration Commands	183
9-1 show running-config	183
9-2 show bootup-config	183
9-3 execute flash:	184
9-4 configure replace	185
9-5 boot config flash	187
9-6 copy running-config	187
9-7 copy bootup-config	189
9-8 copy	191
Counter Commands	195
10-1 clear counters	195
10-2 show interfaces counters	195
10-3 show utilization	196
CPU Commands	198
11-1 show cpu	198
Debug Commands	199
12-1 debug enable	199
12-2 error-reboot enable	199
12-3 copy error-log	200
12-4 copy debug buffer	200
12-5 debug output	201
12-6 show error-log	201
12-7 clear error-log	202
12-8 show error-reboot	202
12-9 clear debug buffer	203
12-10 show debug buffer	203
12-11 show debug status	204
12-12 show tech-support	204
12-13 copy tech-support	205
12-14 debug show module_version	206
DHCP Relay Commands	207
13-1 service dhcp	207
13-2 ip helper-address	207
13-3 ip dhcp relay information option82	207
13-4 ip dhcp relay option60	208
13-5 ip dhcp relay option60 identifier	208
13-6 ip dhcp relay option60 default	209
13-7 show ip dhcp relay option60	209
13-8 ip dhcp relay option61	210
13-9 ip dhcp relay option61 identifier	211
13-10 ip dhcp relay option61 default	211
13-11 show ip dhcp relay option61	212
DHCP Server Commands	213
14-1 bootfile	213
14-2 clear ip dhcp binding	213
14-3 clear ip dhcp conflict	214
14-4 default-router	215
14-5 dns-server	215
14-6 domain-name	216
14-7 hardware-address	216
14-8 host	217
14-9 ip dhcp excluded-address	218
14-10 ip dhcp ping packet	218
14-11 ip dhcp ping timeout	219
14-12 ip dhcp pool	219
14-13 lease	220
14-14 netbios-name-server	220
14-15 netbios-node-type	221
14-16 network	222
14-17 next-server	223
14-18 service dhcp	223
14-19 show ip dhcp excluded-address	223
14-20 show ip dhcp binding	224
14-21 show ip dhcp conflict	225
14-22 show ip dhcp pool	226
14-23 show ip dhcp server	226
14-24 vrf	227
Distance Vector Multicast Routing Protocol (DVMRP) Commands	228
15-1 ip dvmrp	228
15-2 ip dvmrp metric	228
15-3 show ip dvmrp interface	229
15-4 show ip dvmrp neighbor	230
15-5 show ip dvmrp route	231
D-Link License Management System Commands	233
16-1 install dlms activation_code	233
16-2 show dlms license	233
Domain Name System (DNS) Commands	235
17-1 ip domain-lookup	235
17-2 ip name-server	235
17-3 ip host	236
17-4 clear host	236
17-5 show hosts	236
17-6 ip dns server	237
DoS Attack Prevention Commands	238
18-1 defense	238
18-2 show defense	240
Enhanced Transmission Selection (ETS) Commands	241
19-1 ets willing	241
19-2 ets recommend	241
19-3 show ets interface	242
File System Commands	245
20-1 dir	245
20-2 ls	245
20-3 cp	246
20-4 cd	246
20-5 rename	247
20-6 mkdir	247
20-7 rmdir	248
20-8 rm	248
20-9 del	248
20-10 makefs	249
20-11 pwd	249
Filter Database (FDB) Commands	251
21-1 mac-address-table aging-time	251
21-2 clear mac-address-table	251
21-3 mac-address-table static	252
21-4 mac-address-table filtering	253
21-5 mac-address-table notification	254
21-6 snmp trap mac-notification	255
21-7 show mac-address-table aging-time	255
21-8 show mac-address-table notification	255
21-9 show mac-address-table	256
GARP VLAN Registration Protocol (GVRP) Commands	259
22-1 clear gvrp statistics interface	259
22-2 gvrp (Global)	259
22-3 gvrp (Interface)	259
22-4 gvrp advertise (Interface)	260
22-5 gvrp dynamic-vlan-creation	261
22-6 forbidden vlan	261
22-7 gvrp timer	262
22-8 show gvrp	262
22-9 show gvrp statistics	263
Internet Group Management Protocol (IGMP) Commands	265
23-1 clear ip igmp group	265
23-2 ip igmp static-group	265
23-3 ip igmp last-member-query-interval	266
23-4 ip igmp query-interval	266
23-5 ip igmp query-max-response-time	267
23-6 ip igmp robustness-variable	267
23-7 ip igmp version	268
23-8 ip igmp check-subscriber-source-network	269
23-9 show ip igmp interface	269
23-10 show ip igmp groups	270
IGMP Snooping Commands	274
24-1 ip igmp snooping	274
24-2 ip igmp snooping fast-leave	274
24-3 ip igmp snooping mrouter	275
24-4 ip igmp snooping dyn-mr-aging-time	276
24-5 ip igmp snooping querier	276
24-6 ip igmp snooping static-group	277
24-7 ip igmp snooping max-response-time	278
24-8 ip igmp snooping query-interval	279
24-9 ip igmp snooping version	279
24-10 clear ip igmp snooping statistics	280
24-11 show ip igmp snooping	281
24-12 show ip igmp snooping querier	282
24-13 show ip igmp snooping groups	283
24-14 show ip igmp snooping static-group	284
24-15 show ip igmp snooping mrouter	285
24-16 show ip igmp snooping forwarding-table	286
24-17 show ip igmp snooping statistics	287
Interface Commands	289
25-1 interface out-band	289
25-2 interface loopback	289
25-3 shutdown	289
25-4 show interface out-band	290
25-5 show interface loopback	290
IP Access List Commands	292
26-1 ip standard access-list	292
26-2 deny	292
26-3 permit	293
26-4 show ip standard access-list	293
IP Address Commands	295
27-1 ip address	295
27-2 ip address dhcp	295
27-3 ip directed-broadcast	296
27-4 ip default-gateway	296
27-5 show ip interface	297
IP Prefix List Commands	298
28-1 ip prefix-list	298
28-2 ip prefix-list description	299
28-3 clear ip prefix-list counter	299
28-4 show ip prefix-list	300
IP Multicast (IPMC) Commands	302
29-1 ip mroute	302
29-2 ip multicast-routing	303
29-3 show ip mroute	303
29-4 show ip rpf	305
29-5 show ip multicast interface	306
29-6 show ip multicast-routing	307
LINE Commands	309
30-1 line	309
30-2 exec-timeout	309
30-3 speed	310
30-4 show line	310
Link Aggregation Commands	311
31-1 aggregateport load-balance	311
31-2 lacp port-priority	311
31-3 lacp system-priority	312
31-4 lacp timeout	312
31-5 port-group	313
31-6 port-group mode	313
31-7 show aggregateport	314
31-8 show lacp summary	314
Link Layer Discovery Protocol (LLDP) Commands	317
32-1 lldp run	317
32-2 lldp forward	317
32-3 lldp message-tx-interval	318
32-4 lldp message-tx-hold-multiplier	318
32-5 lldp tx-delay	319
32-6 lldp reinit-delay	319
32-7 lldp notification-interval	320
32-8 lldp notification	321
32-9 lldp management-address	321
32-10 lldp transmit	322
32-11 lldp receive	322
32-12 lldp tlv-select	323
32-13 lldp dot1-tlv-select	324
32-14 lldp dot3-tlv-select	326
32-15 show lldp	327
32-16 show lldp management-address	327
32-17 show lldp interface	328
32-18 show lldp local interface	329
32-19 show lldp remote interface	331
32-20 show lldp statistic	333
32-21 show lldp statistic interface	333
LLDP-DCBX Commands	335
33-1 lldp-dcbx run	335
33-2 lldp-dcbx tlv-select	335
33-3 show lldp-dcbx interface	336
33-4 show lldp-dcbx local interface	336
33-5 show lldp-dcbx remote interface	338
LLDP-MED Commands	340
34-1 lldp-med fast-start-repeat-count	340
34-2 lldp-med notification-topo-change	340
34-3 lldp-med tlv-select	340
34-4 show lldp-med	341
34-5 show lldp-med interface	342
34-6 show lldp-med local	342
34-7 show lldp-med remote	343
Memory Commands	345
35-1 show memory	345
Mirror Commands	346
36-1 monitor session	346
36-2 no monitor session all	347
36-3 show monitor	348
Multicast Filter Mode Commands	350
37-1 multicast filtering-mode	350
37-2 show multicast filtering-mode	350
Multiprotocol Label Switching (MPLS) Commands	352
38-1 mpls ip (global configuration)	352
38-2 snmp-server enable traps mpls lsp	352
38-3 mpls ip (interface configuration)	352
38-4 mpls static ftn	353
38-5 mpls static l2vc-ftn	353
38-6 mpls static ilm	354
38-7 mpls label protocol ldp (global configuration)	355
38-8 snmp-server enable traps mpls ldp	355
38-9 mpls label protocol ldp (interface configuration)	356
38-10 mpls ldp hello-holdtime	356
38-11 mpls ldp hello-interval	357
38-12 mpls ldp targeted-hello-accept	357
38-13 mpls ldp targeted-peer	358
38-14 targeted-hello	358
38-15 ldp router-id	359
38-16 transport-address	359
38-17 backoff maximum	360
38-18 keepalive-holdtime	361
38-19 label-retention-mode	361
38-20 lsp-control-mode	362
38-21 mpls ldp distribution-mode	363
38-22 loop-detection	363
38-23 max-hop-count	364
38-24 max-path-vector	364
38-25 explicit-null	365
38-26 md5 authentication	365
38-27 neighbor password	366
38-28 show mpls	366
38-29 show mpls interface	367
38-30 show mpls forwarding-table	367
38-31 show mpls ldp parameter	369
38-32 show mpls ldp interface	370
38-33 show mpls ldp targeted-peer	371
38-34 show mpls ldp discovery	371
38-35 show mpls ldp neighbor	372
38-36 show mpls ldp session	373
38-37 show mpls ldp bindings	374
38-38 show mpls ldp statistic	375
38-39 show mpls ldp neighbor password	376
38-40 ping lsp	376
38-41 traceroute lsp	377
38-42 lsp trigger	378
38-43 show lsp trigger	379
38-44 mpls qos policy	379
38-45 trust-exp	380
38-46 class-map	380
38-47 match	383
38-48 show mpls qos	383
Network Connectivity Test Commands	385
39-1 ping	385
39-2 traceroute	385
Open Shortest Path First (OSPF) Version 2 Commands	387
40-1 area	387
40-2 area default-cost	387
40-3 area nssa	388
40-4 area range	389

Match case Limit results 1 per page

DXS-3600 Series 10GbE Layer 2/3 Switch CLI Reference Guide

231

Xmas Scan

Hackers use the TCP Xmas scan to identify listening TCP ports. This scan uses a

series of strangely configured TCP packets, which contain the Urgent (URG),

Push (PSH), and FIN flags. Again, this type of scan can get through some

firewalls and boundary routers that filter on incoming TCP packets with

standard flag settings. If the target device’s TCP port is closed, the target

device sends a TCP RST packet in reply. If the target device’s TCP port is

open, the target discards the TCP Xmas scan, sending no reply.

Detect method

- Check whether a received TCP packet contains URG, Push and

FIN flags.

SYNFIN

To use this type of scan, an attacker first sends a Transmission Control Protocol

(TCP) packet that have the Finish (FIN) and Synchronize (SYN) flags set. An

open port will respond with Acknowledge (ACK) and SYN TCP packets, but a

closed port will return the ACK and Reset (RST) flags set.

Detect method

- Check whether a received TCP packet contains FIN and SYN

flags.

SYN with source port < 1024

SYN packet with source port less than 1024; the Internet default services use L4

port between 1 and 1023. If the source port of a TCP packet with SYN flag is

less than 1024, the packet should be abnormal.

Detect method

- Check whether the packets source ports are less than 1024

packets.

Ping of Death

A ping of death is a type of attack on a computer that involves sending a

malformed or otherwise malicious ping to a computer. A ping is normally 64

bytes in size; many computers cannot handle a ping larger than the maximum

IP packet size, which is 65,535 bytes. Sending a ping of this size can crash

the target computer. Traditionally, this bug has been relatively easy to exploit.

Generally, sending a 65536 byte ping packet is illegal according to networking

protocol, but a packet of such a size can be sent if it is fragmented; when the

target computer reassembles the packet, a buffer overflow can occur, which

often cause a system crash.

Detect method

- Detect whether received packets are fragmented ICMP

packets.

TCP Tiny fragment attack

Use the IP fragmentation to create extremely small fragments and force the TCP

header information into a separate packet fragment to pass through the check

function of the router and issue an attack.

Detect method

- Check whether the packets are TCP tiny fragment packets.

Example

This example shows how to enable defense for all attack types.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#defense enable

Success

DXS-3600-32S(config)#

Example

This example shows how to enable defense land attack.

DXS-3600-32S#configure terminal

DXS-3600-32S(config)#defense land enable

Success

DXS-3600-32S(config)#