Denial of Service Commands

NOTE: Denial of Service (DataPlane) is supported on XGS-III and later platforms only.

This section describes the commands you use to configure Denial of Service (DoS) Control. TEJOS software provides support for classifying and blocking specific types of Denial of Service attacks. You can configure your system to monitor and block these types of attacks:

• SIP = DIP: Source IP address = Destination IP address.
• First Fragment: TCP Header size smaller then configured value.
• TCP Fragment: IP Fragment Offset = 1.
• TCP Flag: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
• L4 Port: Source TCP/UDP Port = Destination TCP/UDP Port.
• ICMP: Limiting the size of ICMP Ping packets.
• SMAC = DMAC: Source MAC address = Destination MAC address.
• TCP Port: Source TCP Port = Destination TCP Port.
• UDP Port: Source UDP Port = Destination UDP Port.
• TCP Flag & Sequence: TCP Flag SYN set and Source Port < 1024 or TCP Control Flags = 0 and TCP Sequence Number = 0 or TCP Flags FIN, URG, and PSH set and TCP Sequence Number = 0 or TCP Flags SYN and FIN set.
• TCP Offset: TCP Header Offset = 1.
• TCP SYN: TCP Flag SYN set.
• TCP SYN & FIN: TCP Flags SYN and FIN set.
• TCP FIN & URG & PSH: TCP Flags FIN and URG and PSH set and TCP Sequence Number = 0.
• ICMP V6: Limiting the size of ICMPv6 Ping packets.
• ICMP Fragment: Checks for fragmented ICMP packets.

dos-control all

This command enables Denial of Service protection checks globally.

• Default: disabled
• Format: dos-control all
• Mode: Global Config

no dos-control all

This command disables Denial of Service prevention checks globally.

• Format: no dos-control all
• Mode: Global Config

dos-control sipdip

This command enables Source IP address = Destination IP address (SIP = DIP) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SIP = DIP, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control sipdip
• Mode: Global Config

no dos-control sipdip

This command disables Source IP address = Destination IP address (SIP = DIP) Denial of Service prevention.

• Format: no dos-control sipdip
• Mode: Global Config

dos-control firstfrag

This command enables Minimum TCP Header Size Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having a TCP Header Size smaller then the configured value, the packets will be dropped if the mode is enabled.The default is <disabled> If you enable dos-control firstfrag, but do not provide a Minimum TCP Header Size, the system sets that value to 20.

• Default: disabled (20)
• Format: dos-control firstfrag [<0-255>]
• Mode: Global Config

no dos-control firstfrag

This command sets Minimum TCP Header Size Denial of Service protection to the default value of <disabled> .

• Format: no dos-control firstfrag
• Mode: Global Config

dos-control tcpfrag

This command enables TCP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having IP Fragment Offset equal to one (1), the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpfrag
• Mode: Global Config

no dos-control tcpfrag

This command disabled TCP Fragment Denial of Service protection.

• Format: no dos-control tcpfrag
• Mode: Global Config

dos-control tcpflag

This command enables TCP Flag Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attacks. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN, URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpflag
• Mode: Global Config

no dos-control tcpflag

This command sets disables TCP Flag Denial of Service protections.

• Format: no dos-control tcpflag
• Mode: Global Config

dos-control l4port

This command enables L4 Port Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having Source TCP/UDP Port Number equal to Destination TCP/UDP Port Number, the packets will be dropped if the mode is enabled.

NOTE: Some applications mirror source and destination L4 ports - RIP for example uses 520 for both.If you enable dos-control l4port, applications such as RIP may experience packet loss which would render the application inoperable.

• Default: disabled
• Format: dos-control l4port
• Mode: Global Config

no dos-control l4port

This command disables L4 Port Denial of Service protections.

• Format: no dos-control l4port
• Mode: Global Config

dos-control smacdmac

This command enables Source MAC address = Destination MAC address (SMAC = DMAC) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with SMAC = DMAC, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control smacdmac
• Mode: Global Config

no dos-control smacdmac

This command disables Source MAC address = Destination MAC address (SMAC = DMAC) DoS protection.

• Format: no dos-control smacdmac
• Mode: Global Config

dos-control tcpport

This command enables TCP L4 source = destination port number (Source TCP Port = Destination TCP Port) Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with Source TCP Port = Destination TCP Port, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpport
• Mode: Global Config

no dos-control tcpport

This command disables TCP L4 source = destination port number (Source TCP Port = Destination TCP Port) Denial of Service protection.

• Format: no dos-control smacdmac
• Mode: Global Config

dos-control udpport

This command enables UDP L4 source = destination port number (Source UDP Port = Destination UDP Port) DoS protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress with Source UDP Port = Destination UDP Port, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control udpport
• Mode: Global Config

no dos-control udpport

This command disables UDP L4 source = destination port number (Source UDP Port = Destination UDP Port) Denial of Service protection.

• Format: no dos-control udpport
• Mode: Global Config

dos-control tcpflagseq

This command enables TCP Flag and Sequence Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Flag SYN set and a source port less than 1024 or having TCP Control Flags set to 0 and TCP Sequence Number set to 0 or having TCP Flags FIN,URG, and PSH set and TCP Sequence Number set to 0 or having TCP Flags SYN and FIN both set, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpflagseq
• Mode: Global Config

no dos-control tcpflagseq

This command sets disables TCP Flag and Sequence Denial of Service protection.

• Format: no dos-control tcpflagseq
• Mode: Global Config

dos-control tcpoffset

This command enables TCP Offset Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP Header Offset equal to one (1), the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpoffset
• Mode: Global Config

no dos-control tcpoffset

This command disabled TCP Offset Denial of Service protection.

• Format: no dos-control tcpoffset
• Mode: Global Config

dos-control tcpsyn

This command enables TCP SYN and L4 source = 0-1023 Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flag SYN set and an L4 source port from 0 to 1023, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpsyn
• Mode: Global Config

no dos-control tcpsyn

This command sets disables TCP SYN and L4 source = 0-1023 Denial of Service protection.

• Format: no dos-control tcpsyn
• Mode: Global Config

dos-control tcpsynfin

This command enables TCP SYN and FIN Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP flags SYN and FIN set, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpsynfin
• Mode: Global Config

no dos-control tcpsynfin

This command sets disables TCP SYN & FIN Denial of Service protection.

• Format: no dos-control tcpsynfin
• Mode: Global Config

dos-control tcpfinurgpsh

This command enables TCP FIN and URG and PSH and SEQ = 0 checking Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having TCP FIN, URG, and PSH all set and TCP Sequence Number set to 0, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control tcpfinurgpsh
• Mode: Global Config

no dos-control tcpfinurgpsh

This command sets disables TCP FIN and URG and PSH and SEQ = 0 checking Denial of Service protections.

• Format: no dos-control tcpfinurgpsh
• Mode: Global Config

dos-control icmpv4

This command enables Maximum ICMPv4 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv4 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.

• Default: disabled (512)
• Format: dos-control icmpv4 <0-16384>
• Mode: Global Config

no dos-control icmpv4

This command disables Maximum ICMP Packet Size Denial of Service protections.

• Format: no dos-control icmpv4
• Mode: Global Config

dos-control icmpv6

This command enables Maximum ICMPv6 Packet Size Denial of Service protections. If the mode is enabled, Denial of Service prevention is active for this type of attack. If ICMPv6 Echo Request (PING) packets ingress having a size greater than the configured value, the packets will be dropped if the mode is enabled.

• Default: disabled (512)
• Format: dos-control icmpv6 <0-16384>
• Mode: Global Config

no dos-control icmpv6

This command disables Maximum ICMP Packet Size Denial of Service protections.

• Format: no dos-control icmpv6
• Mode: Global Config

dos-control icmpfrag

This command enables ICMP Fragment Denial of Service protection. If the mode is enabled, Denial of Service prevention is active for this type of attack. If packets ingress having fragmented ICMP packets, the packets will be dropped if the mode is enabled.

• Default: disabled
• Format: dos-control icmpfrag
• Mode: Global Config

no dos-control icmpfrag

This command disabled ICMP Fragment Denial of Service protection.

• Format: no dos-control icmpfrag
• Mode: Global Config

show dos-control

This command displays Denial of Service configuration information.

• Format: show dos-control
• Mode: Privileged EXEC

The display parameters for above command are:

• First Fragment Mode: May be enabled or disabled. The factory default is disabled.
• Min TCP Hdr Size <0-255>: The factory default is 20.
• ICMP Mode: May be enabled or disabled. The factory default is disabled.
• Max ICMPv4 Pkt Size: The range is 0-1023. The factory default is 512.
• Max ICMPv6 Pkt Size: The range is 0-16384. The factory default is 512.
• ICMP Fragment Mode: May be enabled or disabled. The factory default is disabled.
• L4 Port Mode: May be enabled or disabled. The factory default is disabled.
• TCP Port Mode: May be enabled or disabled. The factory default is disabled.
• UDP Port Mode: May be enabled or disabled. The factory default is disabled.
• SIPDIP Mode: May be enabled or disabled. The factory default is disabled.
• SMACDMAC Mode: May be enabled or disabled. The factory default is disabled.
• TCP Flag Mode: May be enabled or disabled. The factory default is disabled.
• TCP FIN&URG& PSH Mode: May be enabled or disabled. The factory default is disabled.
• TCP Flag & Sequence Mode: May be enabled or disabled. The factory default is disabled.
• TCP SYN Mode: May be enabled or disabled. The factory default is disabled.
• TCP SYN & FIN Mode: May be enabled or disabled. The factory default is disabled.
• TCP Fragment Mode: May be enabled or disabled. The factory default is disabled.
• TCP Offset Mode: May be enabled or disabled. The factory default is disabled.