3 dos-control tcpfrag, 4 dos-control tcpflag, 5 dos-control l4port – Kontron AT8402 CLI User Manual

Switching Commands
AT8402
AT8402 CLI Reference Manual
2.18.3 dos-control tcpfrag
This command enables TCP Fragment Denial of Service protection. When the mode is
enabled, the switch drops ingress packets whose IP Fragment Offset equals one (1).
Default
disabled
Format
dos-control tcpfrag
Mode
Global Config
2.18.3.1 no dos-control tcpfrag
This command disables TCP Fragment Denial of Service protection.
Format
no dos-control tcpfrag
Mode
Global Config
2.18.4 dos-control tcpflag
This command enables TCP Flag Denial of Service protections. When the mode is
enabled, the switch drops ingress packets that match any of the following
conditions: TCP Flag SYN set and a source port less than 1024; TCP Control Flags
set to 0 and TCP Sequence Number set to 0; TCP Flags FIN, URG, and PSH set and
TCP Sequence Number set to 0; or TCP Flags SYN and FIN both set.
Default
disabled
Format
dos-control tcpflag
Mode
Global Config
2.18.4.1 no dos-control tcpflag
This command disables TCP Flag Denial of Service protections.
Format
no dos-control tcpflag
Mode
Global Config
2.18.5 dos-control l4port
This command enables L4 Port Denial of Service protections. When the mode is
enabled, the switch drops ingress packets whose Source TCP/UDP Port Number equals
the Destination TCP/UDP Port Number.
NOTE: Some applications mirror source and destination L4 ports; RIP, for
example, uses 520 for both. If you enable dos-control l4port, applications
such as RIP may experience packet loss, which would render the application
inoperable.
Default
disabled
Format
dos-control l4port
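
The drop conditions of 2.18.3 to 2.18.5 can be modelled offline to see which traffic each mode would discard before it is enabled. The following is an added example, not part of the manual or the switch firmware; the Pkt fields, the would_drop function and the sample traffic are constructed for illustration.

```python
from dataclasses import dataclass

FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20  # TCP control-flag bits

@dataclass
class Pkt:
    """Constructed header summary; field names are this example's own."""
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0        # TCP control flags
    seq: int = 0          # TCP sequence number
    frag_offset: int = 0  # IP fragment offset field

def would_drop(p):
    """Return {command: reason} for each dos-control mode that would drop p."""
    hits = {}
    # 2.18.3: the manual gives only the fragment-offset condition.
    if p.frag_offset == 1:
        hits["dos-control tcpfrag"] = "IP fragment offset == 1"
    if p.proto == "tcp":
        f, why = p.flags, None
        # 2.18.4: "set" is read as "at least these bits" (assumption).
        if f & SYN and p.sport < 1024:
            why = "SYN with source port < 1024"
        elif f == 0 and p.seq == 0:
            why = "flags 0 and sequence 0"
        elif f & FIN and f & URG and f & PSH and p.seq == 0:
            why = "FIN+URG+PSH and sequence 0"
        elif f & SYN and f & FIN:
            why = "SYN and FIN both set"
        if why:
            hits["dos-control tcpflag"] = why
    # 2.18.5: applies to both TCP and UDP.
    if p.proto in ("tcp", "udp") and p.sport == p.dport:
        hits["dos-control l4port"] = "source port == destination port"
    return hits

# Constructed sample traffic, not captured from a real network.
SAMPLES = {
    "https client SYN":  Pkt("tcp", 51514, 443, SYN, seq=1000),
    "RIP update":        Pkt("udp", 520, 520),
    "SYN from low port": Pkt("tcp", 1023, 514, SYN, seq=77),
    "SYN+FIN":           Pkt("tcp", 40000, 80, SYN | FIN, seq=5),
    "null flags":        Pkt("tcp", 40000, 80, 0, seq=0),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {would_drop(pkt) or 'forwarded'}")
```

The RIP row reproduces the NOTE in 2.18.5; the low-port SYN row shows the same kind of side effect for dos-control tcpflag when a client uses a source port below 1024.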