security-suite dos (Global)
To enable specific Denial of Service (DoS) protections in security suite, use the security-suite dos Global Configuration mode command.
To disable specific DoS protections, use the no form of this command.
Syntax
security-suite dos {daeqsa-deny | icmp-frag-pkts-deny | icmpv4-ping-max-check | icmpv6-ping-max-check | ipv6-min-frag-size-check | land-deny | nullscan-deny | pod-deny | smurf-deny | syn-sportl1024-deny | synfin-deny | synrst-deny | tcp-frag-off-min-check | tcpblat-deny | tcphdr-min-check | udpblat-deny | xma-deny}
security-suite dos icmp-ping-max-length MAX_LEN
security-suite dos ipv6-min-frag-size-length MIN_LEN
security-suite dos smurf-netmask MASK
security-suite dos tcphdr-min-length HDR_MIN_LEN
no security-suite dos {daeqsa-deny | icmp-frag-pkts-deny | icmpv4-ping-max-check | icmpv6-ping-max-check | ipv6-min-frag-size-check | land-deny | nullscan-deny | pod-deny | smurf-deny | syn-sportl1024-deny | synfin-deny | synrst-deny | tcp-frag-off-min-check | tcpblat-deny | tcphdr-min-check | udpblat-deny | xma-deny}
Parameters
daeqsa-deny—Drops the packets if the destination MAC address equals the source MAC address.
icmp-frag-pkts-deny—Drops the fragmented ICMP packets.
icmpv4-ping-max-check—Checks the maximum size of ICMPv4 ping packets and drops the packets larger than the maximum packet size.
icmpv6-ping-max-check—Checks the maximum size of ICMPv6 ping packets and drops the packets larger than the maximum packet size.
ipv6-min-frag-size-check—Checks the minimum size of IPv6 fragments and drops the packets smaller than the minimum size.
land-deny—Drops the packets if the source IP address equals the destination IP address.
nullscan-deny—Drops the packets with NULL scan.
pod-deny—Avoids ping of death attack.
smurf-deny—Avoids smurf attack.
syn-sportl1024-deny—Drops SYN packets with a source port less than 1024.
synfin-deny—Drops the packets with SYN and FIN bits set.
synrst-deny—Drops the packets with SYN and RST bits set.
tcp-frag-off-min-check—Drops the TCP fragment packets with an offset equal to one.
tcpblat-deny—Drops TCP fragment packets with an offset equal to one.
tcphdr-min-check—Checks the minimum TCP header and drops the TCP packets with the header smaller than the minimum size.
udpblat-deny—Drops the packets if the source UDP port equals the destination UDP port.
xma-deny—Drops the packets if the sequence number is zero, and the FIN, URG and PSH bits are set.
icmp-ping-max-length MAX_LEN—Specifies the maximum size of the ICMPv4/ICMPv6 ping packets. (Range: 0 to 65535 bytes)
ipv6-min-frag-size-length MIN_LEN—Specifies the minimum size of IPv6 fragments. (Range: 0 to 65535 bytes)
smurf-netmask MASK—Specifies the netmask used for smurf attack detection. (Netmask length range: 0 to 32 bytes)
tcphdr-min-length HDR_MIN_LEN—Specifies the minimum TCP header length. (Range: 0 to 31 bytes)
Default Configuration
All types of DoS protection are enabled in security suite by default.
The default parameters are:
- The maximum size of ICMP ping packets is 512 bytes.
- The minimum size of IPv6 fragments is 1240 bytes.
- The Smurf netmask length is 0 bytes.
- The minimum TCP header length is 20 bytes.
Command Mode
Global Configuration mode
Example
The following example enables checking the minimum size of IPv6 fragments and sets the minimum fragment size to 1000 bytes:
switchxxxxxx(config)# security-suite dos ipv6-min-frag-size-check
switchxxxxxx(config)# security-suite dos ipv6-min-frag-size-length 1000
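The following is an added example, not Cisco code and not switch behaviour verified against hardware: it models the drop conditions listed under Parameters on a simplified packet record, using the thresholds from Default Configuration, so an engineer can reason about which keyword would catch a given packet and how changing a threshold (as in the example above) alters that. The Pkt field names are this example's own; pod-deny, smurf-deny and tcpblat-deny are not modelled because the page gives no precise condition for them.

```python
from dataclasses import dataclass

# Thresholds from the "Default Configuration" section of this command
DEFAULTS = {"icmp-ping-max-length": 512, "ipv6-min-frag-size-length": 1240,
            "tcphdr-min-length": 20}

@dataclass
class Pkt:
    src_mac: str = "00:11:22:33:44:55"      # constructed sample values
    dst_mac: str = "66:77:88:99:aa:bb"
    src_ip: str = "10.0.0.1"
    dst_ip: str = "10.0.0.2"
    proto: str = "tcp"                      # "tcp", "udp", "icmp" or "icmpv6"
    sport: int = 40000
    dport: int = 80
    flags: frozenset = frozenset({"ACK"})   # subset of SYN/FIN/RST/URG/PSH/ACK
    seq: int = 1
    frag_offset: int = -1                   # -1 when the packet is not a fragment
    hdr_len: int = 20                       # TCP header length in bytes
    length: int = 64                        # size compared against ping/fragment limits

def dos_matches(p: Pkt, cfg: dict = DEFAULTS) -> set:
    """Return the security-suite dos keywords whose drop condition the packet meets."""
    hits = set()
    if p.src_mac == p.dst_mac:
        hits.add("daeqsa-deny")
    if p.src_ip == p.dst_ip:
        hits.add("land-deny")
    if p.proto in ("icmp", "icmpv6"):
        if p.frag_offset >= 0:
            hits.add("icmp-frag-pkts-deny")
        if p.length > cfg["icmp-ping-max-length"]:
            hits.add("icmpv4-ping-max-check" if p.proto == "icmp" else "icmpv6-ping-max-check")
    # IPv6 is inferred from the address form in this model
    if ":" in p.src_ip and p.frag_offset >= 0 and p.length < cfg["ipv6-min-frag-size-length"]:
        hits.add("ipv6-min-frag-size-check")
    if p.proto == "tcp":
        f = p.flags
        tcp_rules = {
            "nullscan-deny": not f,
            "syn-sportl1024-deny": "SYN" in f and p.sport < 1024,
            "synfin-deny": {"SYN", "FIN"} <= f,
            "synrst-deny": {"SYN", "RST"} <= f,
            "tcp-frag-off-min-check": p.frag_offset == 1,
            "tcphdr-min-check": p.hdr_len < cfg["tcphdr-min-length"],
            "xma-deny": p.seq == 0 and {"FIN", "URG", "PSH"} <= f,
        }
        hits.update(k for k, v in tcp_rules.items() if v)
    if p.proto == "udp" and p.sport == p.dport:
        hits.add("udpblat-deny")
    return hits
```

Passing a copy of DEFAULTS with "ipv6-min-frag-size-length" set to 1000 reproduces the effect of the configuration example above: a 1000-byte IPv6 fragment is dropped under the default 1240 but accepted after the change.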