Denial of service defense guidelines – Allied Telesis AT-S63 User Manual
Page 292
Chapter 15: Denial of Service Defense
Section II: Advanced Operations
containing IP options received on a port. If the number exceeds 20
packets per second, the switch considers this a possible IP options attack
and does the following:
It sends an SNMP trap to the management stations.
The switch port discards all ingress packets containing IP options for
one minute.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.
Note
This defense does not actually check IP packets for bad IP options;
it can only alert you to a possible attack.
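The following is an added example, not code from the manual or from the switch firmware: a small Python model of the behavior described above, showing that the trigger depends only on whether an IPv4 header carries options (IHL greater than 5), not on what the options contain. The class and function names, the fixed one-second counting window, and the choice to start discarding with the packet that crosses the threshold are assumptions; the sample headers are constructed.

```python
THRESHOLD_PPS = 20   # manual: more than 20 packets per second trips the defense
BLOCK_SECONDS = 60   # manual: the port discards IP-option packets for one minute

def has_ip_options(header: bytes) -> bool:
    """IPv4 header carries options when IHL > 5 (header longer than 20 bytes)."""
    if len(header) < 20 or header[0] >> 4 != 4:
        return False
    return (header[0] & 0x0F) > 5

class IpOptionsDefense:
    """Hypothetical per-port model; fixed one-second windows are an assumption."""
    def __init__(self):
        self.window = {}         # port -> [second, count of option packets]
        self.blocked_until = {}  # port -> time the discard period ends
        self.traps = []          # (port, time) for each SNMP trap raised

    def ingress(self, port: int, ts: float, header: bytes) -> str:
        if not has_ip_options(header):
            return "forward"     # packets without options are never affected
        if ts < self.blocked_until.get(port, 0.0):
            return "discard"     # still inside the one-minute discard period
        win = self.window.setdefault(port, [int(ts), 0])
        if win[0] != int(ts):    # a new second starts a new count
            win[0], win[1] = int(ts), 0
        win[1] += 1
        if win[1] > THRESHOLD_PPS:
            self.blocked_until[port] = ts + BLOCK_SECONDS
            self.traps.append((port, ts))
            return "discard"
        return "forward"

# Constructed sample headers: 20-byte plain header, 24-byte header with 4 NOP options.
PLAIN = bytes([0x45]) + bytes(19)
WITH_OPTIONS = bytes([0x46]) + bytes(19) + b"\x01\x01\x01\x01"

def simulate():
    d = IpOptionsDefense()
    burst = [d.ingress(1, i * 0.01, WITH_OPTIONS) for i in range(25)]  # 25 in one second
    quiet = [d.ingress(2, i * 0.01, WITH_OPTIONS) for i in range(10)]  # under threshold
    during = (d.ingress(1, 30.0, WITH_OPTIONS), d.ingress(1, 30.0, PLAIN))
    after = d.ingress(1, 61.0, WITH_OPTIONS)  # discard period has expired
    return burst, quiet, during, after, d.traps

if __name__ == "__main__":
    print(simulate())
```
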
Denial of Service Defense Guidelines
Below are guidelines to observe when using this feature:
A switch port can support more than one DoS defense at a time.
The Teardrop and the Ping of Death defenses are CPU intensive. Use
these defenses with caution.
Some defenses allow you to specify a mirror port where offending
traffic is copied.