D-Link DGS-1250 Emulator - Page 172

DGS-1250 Series Gigabit Ethernet Smart Managed Switch CLI Reference Guide 22. DoS Prevention Commands 22-1 dos-prevention This command is used to enable and configure the DoS prevention mechanism. Use the no form of this command to reset DoS prevention to the default setting. dos-prevention DOS-ATTACK-TYPE no dos-prevention DOS-ATTACK-TYPE Parameters DOS-ATTACK-TYPE Specifies the string that identifies the DoS type to be configured. Default By default all supported DoS types are disabled. Command Mode Global Configuration Mode. Usage Guideline Use the dos-prevention DOS-ATTACK-TYPE command to enabled and configure the DoS prevention mechanism for a specific DoS attack type or for all supported types. The DoS prevention mechanisms (matching and taking action) are hardware-based features. When DoS prevention is enabled, the Switch will log the event if any attack packet was received. Use the no dos-prevention all command to disable the DoS prevention mechanism for all supported types. All the related settings will be reverted back to the default for the specified attack types. The following well-known DoS types which can be detected by most switches:  Blat - This type of attack will send packets with TCP/UDP source port equals to destination port to the target device. It may cause the target device respond to itself.  Land - A LAND attack involves with IP packets where the source and destination address are set to address of the target device. It may cause the target device reply to itself continuously.  TCP-NULL-scan: Port scanning by using specific packets, which contain a sequence number of 0 and no flags.  TCP-SYN-fin - Port scanning by using specific packets, which contain SYN and FIN flags.  TCP-SYN-SRCport-less-1024: Port scanning by using specific packets, which contain source port 0-1023 and SYN flag.  TCP-xmas-scan - Port scanning by using specific packets, which contain a sequence number of 0 and the Urgent (URG), Push (PSH), and FIN flags.  Ping-death - A ping of death is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 64 bytes in size; many computers cannot handle a ping larger than the maximum IP packet size, which is 65,535 bytes. Sending a ping of this size can crash the target computer. Traditionally, this bug has been relatively easy to exploit. Generally, sending a 65536 byte ping packet is illegal according to networking protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often cause a system crash.  TCP-tiny-frag - Tiny TCP Fragment attacker uses the IP fragmentation to create extremely small fragments and force the TCP header information into a separate packet fragment to pass through the check function of the router and issue an attack.  Smurf - Attacker sends a large amount of ICMP request packets to IP broadcast address, the source IP address of the attacking packets equals to the victim's IP address. If the router delivers traffic to the IP broadcast address, all hosts in that IP network will reply ICMP to the victim's IP address.  tcp-syn-rst - A TCP packet with the TCP SYN and RST flags which are both illegal and potentially a security threat.  All - All of above types. 169