Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual
53-1003098-01
no ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
stateless-fin-or-reset
Disables the timeout for TCP flows in stateless FIN or RST status
stateless-general
Disables the timeout for TCP flows in general stateless states
no ip
Disables IP events
dos
Disables IP DoS events
ascend
Optional. Disables an ASCEND DoS check
Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a
formatted packet to this port can cause an Ascend router to crash.
broadcast-multicast-icmp
Optional. Disables the detection of broadcast or multicast ICMP packets as an attack
chargen
Optional. Disables the chargen service
The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and
debugging networks. It is also used as a generic payload for bandwidth and QoS measurements.
fraggle
Optional. Disables checking for Fraggle DoS attacks. This checks for UDP packets to or from port 7 or 19
ftp-bounce
Optional. Disables FTP bounce attack checks
An FTP bounce attack is a MIM attack that enables an attacker to open a port on a different machine
using FTP. FTP requires that when a connection is requested by a client on the FTP port (21), another
connection must open between the server and the client. To confirm, the PORT command has the
client specify an arbitrary destination machine and port for the data connection. This is exploited by
the attacker to gain access to a device that may not be the originating client.
invalid-protocol
Optional. Disables a check for invalid protocol number
ip-ttl-zero
Optional. Disables a check for the TCP/IP TTL field with a value of zero (0)
ipsproof
Optional. Disables IP spoofing DoS attack checks
land
Optional. Disables LAND attack checks
Local Area Network Denial (LAND) is a DoS attack where IP packets are spoofed and sent to a device
where the source IP and destination IP of the packet are the target device’s IP, and similarly, the
source port and destination port are open ports on the same device. This causes the attacked
device to reply to itself continuously.
option-route
Optional. Disables an IP Option Record Route DoS check
router-advt
Optional. Disables router-advt attack checks
This is an attack where a default route entry is added remotely to a device. This route entry is given
preference, and thereby exposes a vector of attacks.
router-solicit
Optional. Disables router-solicit attack checks
Router solicitation messages are sent to locate routers as a form of network scanning. This
information can then be used to attack a device.
smurf
Optional. Disables smurf attack checks
In this attack, a large number of ICMP echo packets are sent with a spoofed source address. This
causes the device with the spoofed source address to be flooded with a large number of replies.
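The conditions stated above for the ascend, broadcast-multicast-icmp, fraggle, ip-ttl-zero and land checks, written as predicates over parsed header fields. This is an added example, not code from this guide or from the controller; the Packet record, LOCAL_NET, tripped_checks and the sample packets are hypothetical and constructed, and the ascend and land tests are simplified to port and address matching.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Parsed header fields of one packet (hypothetical record layout)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    ttl: int
    sport: int = 0        # unused for ICMP
    dport: int = 0

# Assumption: the local subnet, needed to recognise a directed broadcast.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

def tripped_checks(p: Packet) -> list[str]:
    """Names of the checks from the table above whose condition p meets."""
    dst = ipaddress.ip_address(p.dst)
    hits = []
    if p.proto == "udp" and p.dport == 9:
        hits.append("ascend")                      # coarse: any UDP to port 9
    if p.proto == "icmp" and (dst.is_multicast
                              or dst == LOCAL_NET.broadcast_address
                              or str(dst) == "255.255.255.255"):
        hits.append("broadcast-multicast-icmp")
    if p.proto == "udp" and {p.sport, p.dport} & {7, 19}:
        hits.append("fraggle")                     # UDP to or from port 7 or 19
    if p.ttl == 0:
        hits.append("ip-ttl-zero")
    if p.proto in ("tcp", "udp") and p.src == p.dst:
        hits.append("land")                        # source IP equals destination IP
    return hits

# Constructed sample packets (documentation address ranges, not real traffic).
SAMPLES = [
    Packet("udp", "198.51.100.7", "192.0.2.10", 64, 40000, 9),
    Packet("icmp", "198.51.100.7", "192.0.2.255", 64),
    Packet("icmp", "198.51.100.7", "224.0.0.1", 1),
    Packet("udp", "198.51.100.7", "192.0.2.10", 64, 19, 7),
    Packet("tcp", "192.0.2.10", "192.0.2.10", 0, 80, 80),
    Packet("tcp", "198.51.100.7", "192.0.2.10", 64, 51515, 443),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", tripped_checks(pkt) or "clean")
```

Running the same predicates over traffic captured before a check is disabled with `no ip dos` shows how many packets that check was matching.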