Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003098-01


ip dos tcp-max-incomplete [high|low] <1-1000>

ip tcp adjust-mss <472-1460>

ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]

Example

rfs7000-37FABE(config-rw-policy-test)#ip dos fraggle drop-only

tcp-fin-scan

Optional. A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to
identify open ports.

tcp-intercept

Optional. Prevents TCP intercept attacks by using TCP SYN cookies

tcp-null-scan

Optional. A TCP null scan finds services on ports. A closed port returns a RST. This allows the attacker to
identify open ports

tcp-post-syn

Optional. Enables a TCP post SYN DoS attack check

tcp-sequence-past-window

Optional. Enables a TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a
bug in Windows XP's TCP stack which sends data past the window when conducting a selective ACK.

tcp-xmas-scan

Optional. A TCP XMAS scan finds services on ports. A closed port returns a RST. This allows the attacker to
identify open ports.

tcphdrfrag

Optional. A DoS attack where the TCP header spans IP fragments

twinge

Optional. A twinge attack is a flood of false ICMP packets to try and slow down a system

udp-short-hdr

Optional. Enables the identification of truncated UDP headers and UDP header length fields

winnuke

Optional. This DoS attack is specific to Windows™ 95 and Windows™ NT, causing devices to crash with a
blue screen

drop-only

Optional. Drops a packet without logging

dos

Identifies IP events as DoS events

tcp-max-incomplete

Sets the limits for the maximum number of incomplete TCP connections

high

Sets the upper limit for the maximum number of incomplete TCP connections

low

Sets the lower limit for the maximum number of incomplete TCP connections

<1-1000>

Sets the range limit from 1 - 1000 connections

tcp

Identifies and configures TCP events and configuration items

adjust-mss

Adjusts the TCP Maximum Segment Size (MSS). Use this option to adjust the MSS for TCP segments on
the router.

<472-1460>

Sets the TCP MSS value from 472 - 1460 bytes. The default is 472 bytes.

tcp

Identifies and configures TCP events and configuration items

optimize-unnecessary-resends

Enables the validation of unnecessary TCP packets

recreate-flow-on-out-of-state-syn

Allows a TCP SYN packet to delete an old flow in the TCP_FIN_FIN_STATE and TCP_CLOSED_STATE states and
create a new flow

validate-icmp-unreachable

Enables the validation of the sequence number in ICMP unreachable error packets, which abort an
established TCP flow

validate-rst-ack-number

Enables the validation of the acknowledgment number in RST packets, which abort a TCP flow

validate-rst-seq-number

Enables the validation of the sequence number in RST packets, which abort an established TCP flow
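
The tcp-fin-scan, tcp-null-scan and tcp-xmas-scan events above differ only in which TCP flags a probe carries. The following is an added example, not code from the guide or from the controller: it classifies raw TCP headers using the conventional flag definitions of these scans (FIN alone, no flags, FIN+PSH+URG) and groups matches by source. The "truncated" label, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# TCP flag bits, low six bits of header byte 13
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_probe(tcp_header: bytes) -> str:
    """Map a raw TCP header to the firewall event its flags match, else 'normal'."""
    if len(tcp_header) < 20:
        return "truncated"  # hypothetical label: shorter than the minimum TCP header
    flags = tcp_header[13] & 0x3F  # ignore ECE/CWR
    if flags == 0:
        return "tcp-null-scan"   # no flags set
    if flags == FIN:
        return "tcp-fin-scan"    # FIN without ACK
    if flags == FIN | PSH | URG:
        return "tcp-xmas-scan"   # FIN, PSH and URG set together
    return "normal"

def make_header(flags: int, dport: int = 22, sport: int = 40000) -> bytes:
    """Build a constructed 20-byte TCP header (data offset 5, no options)."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 1024, 0, 0)

def summarize(packets):
    """Return {source: {event: sorted distinct destination ports}} for matches."""
    hits = {}
    for src, hdr in packets:
        event = classify_probe(hdr)
        if event == "normal":
            continue
        # Destination port sits in bytes 2-3; use 0 if even that is missing
        dport = struct.unpack("!H", hdr[2:4])[0] if len(hdr) >= 4 else 0
        hits.setdefault(src, {}).setdefault(event, set()).add(dport)
    return {s: {e: sorted(p) for e, p in ev.items()} for s, ev in hits.items()}

# Constructed sample traffic (documentation addresses, not captured data)
SAMPLE = [
    ("192.0.2.10", make_header(FIN, 22)),
    ("192.0.2.10", make_header(FIN, 80)),
    ("192.0.2.11", make_header(0, 443)),
    ("192.0.2.12", make_header(FIN | PSH | URG, 25)),
    ("192.0.2.20", make_header(FIN | ACK, 80)),   # ordinary teardown
    ("192.0.2.20", make_header(SYN, 80)),         # ordinary open
    ("192.0.2.30", make_header(FIN, 22)[:10]),    # truncated header
]

if __name__ == "__main__":
    for src, events in summarize(SAMPLE).items():
        print(src, events)
```

A FIN that also carries ACK is ordinary connection teardown, which is why 192.0.2.20 does not appear in the summary.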
