Home » D-Link Manuals » Wireless » D-Link DGS-1250 » Manual Viewer

D-Link DGS-1250 User Manual - Page 233

DoS Attack Prevention Settings, TCP SYN SrcPort Less 1024

Add to My Manuals
Save this manual to your list of manuals

Page 233 highlights

DGS-1250 Series Gigabit Ethernet Smart Managed Switch Web UI Reference Guide The additional fields that can be configured in Storm Control Port Settings are described below: Parameter Level Rise Level Low Description Enter the rise level value used here. This option specifies the rise threshold value as a percentage of the total bandwidth per port at which traffic is received on the port. This value must be between 0% and 100%. Enter the low level value used here. This option specifies the low threshold value as a percentage of the total bandwidth per port at which traffic is received on the port. This value must be between 0% and 100%. If the low level is not specified, the default value is 80% of the specified risen level. Click the Apply button to accept the changes made. DoS Attack Prevention Settings This window is used to display and configure the Denial-of-Service (DoS) attack prevention settings. The following well-known DoS types that can be detected by most Switches: • Land Attack: This type of attack involves IP packets where the source and destination address are set to the address of the target device. It may cause the target device to reply to itself continuously. • Blat Attack: This type of attack will send packets with the TCP/UDP source port equal to the destination port of the target device. It may cause the target device to respond to itself. • TCP-Null: This type of attack involves port scanning by using specific packets that contain a sequence number of 0 and no flags. • TCP-Xmas: This type of attack involves port scanning by using specific packets that contain a sequence number of 0 and the Urgent (URG), Push (PSH), and FIN flags. • TCP SYN-FIN: This type of attack involves port scanning by using specific packets that contain SYN and FIN flags. • TCP SYN SrcPort Less 1024: This type of attack involves port scanning by using specific packets that contain source port 0 to 1023 and SYN flag. • Ping of Death Attack: A ping of death is a type of attack on a computer that involves sending a malformed or otherwise a malicious ping to a computer. A ping is normally 64 bytes in size (many computers cannot handle a ping larger than the maximum IP packet size which is 65535 bytes). The sending of a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash. • TCP Tiny Fragment Attack: The Tiny TCP Fragment attacker uses IP fragmentation to create extremely small fragments and force the TCP header information into a separate packet fragment to pass through the check function of the router and issue an attack. • Smurf Attack: Smurf is a Distributed Denial of Service (DDoS) attack that enables and executes the DDoS.Smurf malware. Smurf attacks are in a way similar to ping floods, as both are carried out by sending a lot of ICMP Echo request packets. Smurf, however, is an amplification attack vector that boosts its damage potential by exploiting the characteristics of broadcast networks. • TCP Flag SYN RST - The TCP SYN/RESET flood is a DDoS attack that exploits part of the normal TCP threeway handshake to consume more resources on targeted nodes to render them unresponsive. TCP connection requests are sent faster than the targeted machine can process, resulting in network traffic saturation. • All Types: All of above types. 224

Section	Page
1. Introduction	10
Audience	10
Other Documentation	10
Conventions	10
Notes, Notices, and Cautions	11
2. Web-based Switch Configuration	12
Management Options	12
Logging into the Web UI	13
Smart Wizard	14
Step 1 - Web Mode	14
Step 2 - System IP Information	15
Step 3 - User Accounts Settings	16
Step 4 - SNMP Settings	17
Web User Interface (Web UI)	18
Areas of the User Interface	18
Standard Mode	18
Surveillance Mode	19
3. System	21
Device Information	21
System Information Settings	22
Peripheral Settings	22
Port Configuration	23
Port Settings	23
Port Status	25
Port Auto Negotiation	25
Error Disable Settings	26
Jumbo Frame	27
Interface Description	28
PoE	28
PoE System	29
PoE Status	30
PoE Configuration	30
PD Alive	32
PoE Statistics	33
PoE Measurement	33
PoE LLDP Classification	34
System Log	34
System Log Settings	34
System Log Discriminator Settings	35
System Log Server Settings	36
System Log	37
System Attack Log	38
Time and SNTP	38
Clock Settings	38
Time Zone Settings	39
SNTP Settings	41
Time Range	42
4. Management	43
User Accounts Settings	43
SNMP	44
SNMP Global Settings	45
SNMP Linkchange Trap Settings	46
SNMP View Table Settings	47
SNMP Community Table Settings	47
SNMP Group Table Settings	49
SNMP Engine ID Local Settings	50
SNMP User Table Settings	50
SNMP Host Table Settings	52
RMON	53
RMON Global Settings	53
RMON Statistics Settings	53
RMON History Settings	54
RMON Alarm Settings	55
RMON Event Settings	56
Telnet/Web	57
Session Timeout	57
DHCP	58
Service DHCP	58
DHCP Class Settings	59
DHCP Relay	60
DHCP Relay Global Settings	60
DHCP Relay Pool Settings	60
DHCP Relay Information Settings	63
DHCP Relay Information Option Format Settings	64
DHCP Local Relay VLAN Settings	65
DHCPv6 Relay	66
DHCPv6 Relay Global Settings	66
DHCPv6 Relay Interface Settings	67
DHCPv6 Relay Remote ID Profile Settings	68
DHCPv6 Relay Format Type Settings	70
DHCPv6 Local Relay VLAN Settings	70
DHCP Auto Configuration	71
DNS	71
DNS Global Settings	71
DNS Name Server Settings	72
DNS Host Settings	73
File System	73
D-Link Discovery Protocol	76
5. Layer 2 Features	77
FDB	77
Static FDB	77
Unicast Static FDB	77
MAC Address Table Settings	78
MAC Address Table	79
MAC Notification	80
VLAN	81
VLAN Configuration Wizard	81
Create/Configure VLAN	81
802.1Q VLAN	84
VLAN Interface	85
VLAN Interface Settings	85
Port Summary	88
Asymmetric VLAN	88
L2VLAN Interface Description	89
Auto Surveillance VLAN	89
Auto Surveillance Properties	89
MAC Settings and Surveillance Device	91
ONVIF IP-Camera Information	92
ONVIF NVR Information	94
Voice VLAN	95
Voice VLAN Global	95
Voice VLAN Port	96
Voice VLAN OUI	97
Voice VLAN Device	97
Voice VLAN LLDP-MED Device	98
STP	98
STP Global Settings	100
STP Port Settings	102
MST Configuration Identification	103
STP Instance	104
MSTP Port Information	105
Loopback Detection	105
Link Aggregation	106
L2 Multicast Control	111
IGMP Snooping	111
IGMP Snooping Settings	111
IGMP Snooping Groups Settings	113
IGMP Snooping Mrouter Settings	114
IGMP Snooping Statistics Settings	115
MLD Snooping	116
MLD Snooping Settings	117
MLD Snooping Groups Settings	119
MLD Snooping Mrouter Settings	120
MLD Snooping Statistics Settings	121
Multicast Filtering Mode	122
LLDP	123
LLDP Global Settings	123
LLDP Port Settings	124
LLDP Management Address List	125
LLDP Basic TLVs Settings	125
LLDP Dot1 TLVs Settings	127
LLDP Dot3 TLVs Settings	128
LLDP-MED Port Settings	129
LLDP Statistics Information	130
LLDP Local Port Information	131
LLDP Neighbor Port Information	132
6. Layer 3 Features	135
ARP	135
ARP Aging Time	135
Static ARP	136
ARP Table	136
Gratuitous ARP	137
IPv6 Neighbor	138
Interface	138
IPv4 Interface	138
IPv6 Interface	140
IPv4 Static/Default Route	143
IPv4 Route Table	145
IPv6 Static/Default Route	145
IPv6 Route Table	146
IP Multicast Routing Protocol	147
IPMC	147
IP Multicast Routing Forwarding Cache Table	147
IPv6MC	147
IPv6 Multicast Routing Forwarding Cache Table	147
7. Quality of Service (QoS)	149
Basic Settings	149
Port Default CoS	149
Port Scheduler Method	150
Queue Settings	151
CoS to Queue Mapping	152
Port Rate Limiting	152
Queue Rate Limiting	153
Advanced Settings	154
DSCP Mutation Map	154
Port Trust State and Mutation Binding	156
DSCP CoS Mapping	157
Class Map	157
Policy Map	159
Policy Binding	161
8. Access Control List (ACL)	162
ACL Configuration Wizard	162
Step 1 - Create/Update	162
Step 2 - Select Packet Type	163
Step 3 - Add Rule	164
MAC	164
IPv4	166
IPv6	169
Step 4 - Apply Port	171
ACL Access List	172
Standard IP ACL	174
Extended IP ACL	175
Standard IPv6 ACL	177
Extended IPv6 ACL	178
Extended MAC ACL	180
ACL Interface Access Group	182
9. Security	184
Port Security	184
Port Security Global Settings	184
Port Security Port Settings	185
Port Security Address Entries	186
802.1X	186
802.1X Global Settings	191
802.1X Port Settings	192
Authentication Sessions Information	193
Authenticator Statistics	193
Authenticator Session Statistics	194
Authenticator Diagnostics	195
AAA	196
AAA Global Settings	196
Authentication Settings	196
RADIUS	197
RADIUS Global Settings	197
RADIUS Server Settings	197
RADIUS Group Server Settings	198
RADIUS Statistic	199
IMPB	200
IPv4	200
DHCPv4 Snooping	200
Dynamic ARP Inspection	204
IP Source Guard	209
Advanced Settings	211
IPv6	213
IPv6 Snooping	213
IPv6 ND Inspection	214
IPv6 RA Guard	215
IPv6 DHCP Guard	216
IPv6 Source Guard	217
DHCP Server Screening	219
DHCP Server Screening Global Settings	219
DHCP Server Screening Port Settings	220
ARP Spoofing Prevention	221
Network Access Authentication	222
Guest VLAN	222
Network Access Authentication Global Settings	222
Network Access Authentication Port Settings	224
Network Access Authentication Sessions Information	225
Safeguard Engine	225
Safeguard Engine Settings	227
CPU Protect Counters	227
CPU Protect Sub-Interface	228
CPU Protect Type	229
Trusted Host	229
Traffic Segmentation Settings	230
Storm Control Settings	231
DoS Attack Prevention Settings	233
SSH	234
SSH Global Settings	235
Host Key	236
SSH Server Connection	237
SSH User Settings	237
SSL	238
SSL Global Settings	239
Crypto PKI Trustpoint	240
SSL Service Policy	241
Network Protocol Port Protect Settings	242
10. OAM	243
Cable Diagnostics	243
11. Monitoring	245
Utilization	245
Port Utilization	245
Statistics	246
Port	246
Interface Counters	247
Counters	249
Mirror Settings	250
Device Environment	252
12. Green	253
Power Saving	253
EEE	255
13. Toolbar	256
Save	256
Save Configuration	256
Tools	256
Firmware Upgrade & Backup	256
Firmware Upgrade from HTTP	256
Firmware Upgrade from TFTP	257
Firmware Backup to HTTP	257
Firmware Backup to TFTP	258
Configuration Restore & Backup	258
Configuration Restore from HTTP	258
Configuration Restore from TFTP	259
Configuration Backup to HTTP	260
Configuration Backup to TFTP	260
Certificate & Key Restore & Backup	261
Certificate & Key Restore from HTTP	261
Certificate & Key Restore from TFTP	261
Public Key Backup to HTTP	262
Public Key Backup to TFTP	262
Log Backup	263
Log Backup to HTTP	263
Log Backup to TFTP	263
Ping	264
Language Management	265
Reset	266
Reboot System	266
Wizard	267
Online Help	267
D-Link Support Site	267
User Guide	267
Surveillance Mode	267
Logout	268
14. Surveillance Mode	269
Surveillance Overview	269
Surveillance Topology	269
Device Information	272
Port Information	273
Group Details	274
IP-Camera Information	275
NVR Information	276
PoE Information	277
PoE Scheduling	278
Management	279
File System	279
Time	281
Clock Settings	281
SNTP Settings	282
Surveillance Settings	283
Surveillance Log	284
Health Diagnostic	285
Toolbar	286
Wizard	286
Tools	286
Firmware Upgrade & Backup	286
Configuration Restore & Backup	287
Language Management	288
Reset	289
Reboot System	289
Save	290
Save Configuration	290
Help	291
Online Help	292
D-Link Support Site	292
User Guide	292
Standard Mode	292
Logout	292
Appendix A - System Log Entries	293
802.1X	293
AAA	293
Auto Surveillance VLAN	294
Configuration/Firmware	295
DAI	298
DHCPv6 Client	298
DHCPv6 Relay	299
DoS Prevention	299
DNS Resolver	299
Interface	299
IPv6 Duplicate Address	300
LACP	300
LBD	301
LLDP/LLDP-MED	301
Login/Logout	303
MSTP Debug Enhancement	304
Peripheral	306
PoE	306
Port Security	307
Safeguard	307
SNMP	307
SSH	307
Storm Control	308
System	308
Telnet	308
Voice VLAN	309
Web	309
Appendix B - Trap Entries	311
802.1X	311
Authentication Fail	311
DHCP Server Screen Prevention	311
DoS Prevention	312
ErrDisable	312
General Management	312
Gratuitous ARP	312
IMPB	312
LACP	313
LBD	313
LLDP	314
MAC Notification	314
MSTP	314
PD Alive	314
Peripheral	315
PoE	315
Port	316
Port Security	316
RMON	316
Safeguard	317
Start	317
Storm Control	317
System File	317
Appendix C - RADIUS Attributes Assignment	319

Match case Limit results 1 per page

DGS-1250 Series Gigabit Ethernet Smart Managed Switch Web UI Reference Guide

224

The additional fields that can be configured in

Storm Control Port Settings

are described below:

Parameter

Description

Level Rise

Enter the rise level value used here. This option specifies the rise threshold value

as a percentage of the total bandwidth per port at which traffic is received on the

port. This value must be between 0% and 100%.

Level Low

Enter the low level value used here. This option specifies the low threshold value

as a percentage of the total bandwidth per port at which traffic is received on the

port. This value must be between 0% and 100%. If the low level is not specified,

the default value is 80% of the specified risen level.

Click the

Apply

button to accept the changes made.

DoS Attack Prevention Settings

This window is used to display and configure the Denial-of-Service (DoS) attack prevention settings. The following

well-known DoS types that can be detected by most Switches:

•

Land Attack:

This type of attack involves IP packets where the source and destination address are set to the

address of the target device. It may cause the target device to reply to itself continuously.

•

Blat Attack

: This type of attack will send packets with the TCP/UDP source port equal to the destination port of

the target device. It may cause the target device to respond to itself.

•

TCP-Null:

This type of attack involves port scanning by using specific packets that contain a sequence number

of 0 and no flags.

•

TCP-Xmas:

This type of attack involves port scanning by using specific packets that contain a sequence

number of 0 and the Urgent (URG), Push (PSH), and FIN flags.

•

TCP SYN-FIN:

This type of attack involves port scanning by using specific packets that contain SYN and FIN

flags.

•

TCP SYN SrcPort Less 1024:

This type of attack involves port scanning by using specific packets that contain

source port 0 to 1023 and SYN flag.

•

Ping of Death Attack:

A ping of death is a type of attack on a computer that involves sending a malformed or

otherwise a malicious ping to a computer. A ping is normally 64 bytes in size (many computers cannot handle a

ping larger than the maximum IP packet size which is 65535 bytes). The sending of a ping of this size can crash

the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65536 byte

ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is

fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes

a system crash.

•

TCP Tiny Fragment Attack:

The Tiny TCP Fragment attacker uses IP fragmentation to create extremely small

fragments and force the TCP header information into a separate packet fragment to pass through the check

function of the router and issue an attack.

•

Smurf Attack:

Smurf is a Distributed Denial of Service (DDoS) attack that enables and executes the

DDoS.Smurf malware. Smurf attacks are in a way similar to ping floods, as both are carried out by sending a lot

of ICMP Echo request packets. Smurf, however, is an amplification attack vector that boosts its damage

potential by exploiting the characteristics of broadcast networks.

•

TCP Flag SYN RST

- The TCP SYN/RESET flood is a DDoS attack that exploits part of the normal TCP three-

way handshake to consume more resources on targeted nodes to render them unresponsive. TCP connection

requests are sent faster than the targeted machine can process, resulting in network traffic saturation.

•

All Types:

All of above types.