Denial of service defense guidelines – Allied Telesis AT-S63 User Manual

Chapter 15: Denial of Service Defense

292

Section II: Advanced Operations

containing IP options received on a port. If the number exceeds 20
packets per second, the switch considers this a possible IP options attack
and does the following occurs:

ˆ

It sends an SNMP trap to the management stations.

ˆ

The switch port discards all ingress packets containing IP options for
one minute.

This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.

Note

This defense does not actually check IP packets for bad IP options;
it can only alert you to a possible attack.

Denial of Service

Defense

Guidelines

Below are guidelines to observe when using this feature:

ˆ

A switch port can support more than one DoS defense at a time.

ˆ

The Teardrop and the Ping of Death defenses are CPU intensive. Use
these defenses with caution.

ˆ

Some defenses allow you to specify a mirror port where offending
traffic is copied.