Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

Brocade Mobility RFS Controller CLI Reference Guide, 53-1003098-01

ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
        invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|
        smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-port-scan|
        tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
       [log-and-drop|log-only] log-level
       [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]

dos

Identifies IP events as DoS events

ascend

Optional. Detects ASCEND DoS attacks
Ascend DoS attacks target known vulnerabilities in various versions of Ascend routers. Ascend routers
listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port
can cause an Ascend router to crash.

broadcast-multicast-icmp

Optional. Detects broadcast or multicast ICMP DoS attacks
Broadcast or multicast ICMP DoS attacks take advantage of ICMP behavior in response to echo replies.
These attacks spoof the source address of the target and send ICMP broadcast or multicast echo
requests to the rest of the network, flooding the target machine with replies.

chargen

Optional. Detects Chargen attacks
The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and
debugging networks. It is also used as a source of generic payload for bandwidth and QoS measurements.
The Chargen attack establishes a Telnet connection to port 19 and attempts to use the character
generator service to create a string of characters which is then directed to the DNS service on port 53 to
disrupt DNS services.

fraggle

Optional. Detects Fraggle DoS attacks
The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to each
broadcast address' echo port (port 7). Every host that has port 7 open responds to the request,
generating a lot of traffic on the network. Hosts that do not have port 7 open send a port unreachable
message back to the originator, clogging the network with still more traffic.

ftp-bounce

Optional. Detects FTP bounce attacks
An FTP bounce attack is a MIM attack that enables an attacker to open a port on a different machine using
FTP. FTP requires that when a client requests a connection on the FTP control port (21), a second
connection must be opened between the server and the client for data. To set this up, the PORT command
lets the client specify an arbitrary destination machine and port for the data connection. An attacker
exploits this to reach a device that may not be the originating client.

invalid-protocol

Optional. Enables a check for an invalid protocol number
Attackers may exploit a vulnerability in an endpoint's implementation by sending invalid protocol fields,
or may take advantage of endpoint software misinterpreting such fields. This can lead to inadvertent
leakage of sensitive network topology information, call hijacking, or a DoS attack.

ip-ttl-zero

Optional. Enables a check for the TCP/IP TTL field having a value of zero (0)
The TCP/IP TTL Zero DoS attack sends spoofed multicast packets onto the network that have a Time to
Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine, and can cause the
network to overload.

ipsproof

Optional. Enables a check for IP spoofing DoS attacks
IP Spoof is a category of DoS attack that sends IP packets with forged source addresses. This can hide the
identity of the attacker.

land

Optional. Detects LAND DoS attacks
A Local Area Network Denial (LAND) is a DoS attack where IP packets are spoofed and sent to a device
where the source IP and destination IP of the packet are the target device’s IP, and similarly, the source
port and destination port are open ports on the same device. This causes the attacked device to reply to
itself continuously.
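The descriptions above state, in words, the packet-level condition behind each keyword. As an added illustration (this is not Brocade or WiNG code, and it is not how the controller implements these checks), the following Python script parses constructed raw IPv4 packets and applies the conditions for land, ip-ttl-zero, invalid-protocol, broadcast-multicast-icmp and fraggle, then normalises the command's log-level argument (the <0-7> numbers or severity names, assumed to follow standard syslog numbering) and the log-and-drop / log-only action. The local subnet, the sample packets and the reading of "invalid protocol" as an IANA unassigned or reserved protocol number are all assumptions made for the example.

```python
"""Packet-level checks for several of the `ip dos` keywords described above.

Added example, not Brocade/WiNG code. Parses constructed raw IPv4 packets,
reports which DoS events apply, and maps the command's log-level and action.
"""
import ipaddress
import struct

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

# Standard syslog severities indexed by the CLI's <0-7> numbering (assumed).
LOG_LEVELS = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debug"]


def build_ipv4(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Extract TTL, protocol, addresses, and L4 ports (TCP/UDP) or ICMP type."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = pkt[(ver_ihl & 0x0F) * 4:]
    hdr = {"ttl": ttl, "proto": proto,
           "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
           "sport": None, "dport": None, "icmp_type": None}
    if proto in (6, 17) and len(payload) >= 4:      # TCP or UDP: ports come first
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", payload[:4])
    elif proto == 1 and payload:                     # ICMP: type is the first byte
        hdr["icmp_type"] = payload[0]
    return hdr


def protocol_is_invalid(proto: int) -> bool:
    """Assumption: IANA unassigned (143-252), experimental (253-254) or reserved (255)."""
    return proto >= 143


def dos_events(hdr: dict, local_net: ipaddress.IPv4Network) -> list:
    """Return the `ip dos` keywords whose stated condition the packet matches."""
    is_bcast = hdr["dst"] in (local_net.broadcast_address, LIMITED_BROADCAST)
    is_mcast = hdr["dst"].is_multicast
    events = []
    if hdr["ttl"] == 0:
        events.append("ip-ttl-zero")
    if protocol_is_invalid(hdr["proto"]):
        events.append("invalid-protocol")
    if hdr["src"] == hdr["dst"] and hdr["sport"] is not None and hdr["sport"] == hdr["dport"]:
        events.append("land")                        # packet addressed to itself
    if hdr["proto"] == 1 and hdr["icmp_type"] == 8 and (is_bcast or is_mcast):
        events.append("broadcast-multicast-icmp")    # echo request aimed at everyone
    if hdr["proto"] == 17 and hdr["dport"] == 7 and is_bcast:
        events.append("fraggle")                     # UDP to a broadcast echo port
    return events


def log_level_number(level) -> int:
    """Normalise the log-level argument: an int 0-7 or one of the severity names."""
    if isinstance(level, int):
        if 0 <= level <= 7:
            return level
        raise ValueError("log-level must be 0-7")
    return LOG_LEVELS.index(level)


def apply_action(events: list, action: str = "log-and-drop") -> str:
    """Packet disposition per the command's action keyword."""
    return "drop" if events and action == "log-and-drop" else "forward"


# Constructed sample packets (no real traffic) on an assumed local subnet.
LOCAL_NET = ipaddress.IPv4Network("192.0.2.0/24")
SAMPLES = {
    "land":     build_ipv4("192.0.2.10", "192.0.2.10", 6, 64, struct.pack("!HH", 80, 80) + b"\0" * 16),
    "ttl0-mc":  build_ipv4("192.0.2.20", "224.0.0.1", 1, 0, bytes([8, 0, 0, 0])),
    "fraggle":  build_ipv4("192.0.2.30", "192.0.2.255", 17, 64, struct.pack("!HH", 4000, 7) + b"\0" * 4),
    "badproto": build_ipv4("192.0.2.40", "192.0.2.1", 255, 64, b"\0" * 8),
    "normal":   build_ipv4("192.0.2.50", "192.0.2.1", 6, 64, struct.pack("!HH", 51000, 443) + b"\0" * 16),
}


def scan_samples() -> dict:
    """Run every sample through the checks; returns {name: (events, disposition)}."""
    out = {}
    for name, pkt in SAMPLES.items():
        ev = dos_events(parse_ipv4(pkt), LOCAL_NET)
        out[name] = (ev, apply_action(ev))
    return out


if __name__ == "__main__":
    for name, (ev, verdict) in scan_samples().items():
        print(f"{name:9} {verdict:8} {ev}")
```

Keywords such as tcp-port-scan or tcp-sequence-past-window need per-flow state rather than a single-packet test, which is why they are left out here; the fraggle check also depends on knowing the local subnet's directed broadcast address, which the script takes as a parameter.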
