Denial of Service (DoS) Martian Address Configuration on 300 Series Managed Switches

Objective

A Denial of Service (DoS) attack floods a network with false traffic. This draws network server resources away from legitimate users. DoS Attack Prevention blocks the entrance of packets within a certain IP address range. Martian addresses are IP addresses that are rejected by the switch. If a packet with a Martian address is received by the switch, the packet is discarded. Martian addresses are only supported in IPv4 format. This article explains how to configure Martian addresses on a 300 Series Managed Switch.

Note: Martian addresses can only be used if DoS Prevention is enabled.  Refer to the article Security Suite Settings on 300 Series Managed Switches for help.

Applicable Devices

• SF/SG 300 Series Managed Switches

Software Version

• 1.3.0.62

Martian Addresses Configuration

Step 1. Log in to the web configuration utility and choose Security > Denial of Service Prevention > Martian Addresses. The Martian Addresses page opens:

Step 2. (Optional) Check Include in the Reserved Martian Addresses field to include the default reserved Martian addresses in the Martian Address Table.  Skip to Step 4 if you do not want to include the reserved Martian addresses.

Step 3. Click Apply to display the default reserved addresses in the Martian Address Table. These IP addresses are reserved by the Internet Assigned Numbers Authority for special use only. The reserved Martian addresses are:

• 0.0.0.0/8 — Address range used as a source address until the host learns its own IP address.

• 127.0.0.0/8 — Address range for internet loopback, which is used for network test purposes.

• 192.0.2.0/24 — Address range is assigned as TEST-NET-1 for use as examples in online documents and examples.

• 224.0.0.0/4 — Address range is reserved for IPv4 multicast. Was formerly referred to as Class D Address Space when classful addressing was used.

• 240.0.0.0/4 — Address range is reserved for future use and was formerly referred to as Class E.

Step 4. Click Add to add a new Martian address.  The Add Martian Addresses window appears.

Step 5. Click the radio button that corresponds with the desired IP address to reject in the IP Address field.

• From Reserved List — Choose an IP address from the drop-down list.

• New IP Address — Enter a new IP address to be added to the Martian Address Table.

Step 6. Click the radio button that corresponds with the method used to define the subnet mask of the Martian address in the Mask field.  The Mask field allows you to block a range of IP addresses at once.

• Network Mask — Enter the network mask in the Network mask field.  A mask of 255.255.255.255 means only the IP address that is entered is blocked. A mask of 255.0.0.0 means any IP address with the same first octet of the entered IP address is also blocked.

• Prefix Length — Enter the prefix length (integer in the range of 0 to 32) in the Prefix length field. A prefix length of 32 means only the IP address that is entered is blocked. A prefix length of 8 means any IP address with the same first octet of the entered IP address is also blocked.

Step 7. Click Apply to save the Martian address or click Close to cancel your changes.