Commands For Security Feature

9.5 Commands for Security Feature

9.5.1 dosattack-check srcip-equal-dstip enable

Command: dosattack-check srcip-equal-dstip enable
no dosattack-check srcip-equal-dstip enable
Function: Enable the function for the switch to check if the source IP address is equal to the destination IP address. The no command disables this function.
Parameter: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When this function is enabled, the switch drops IPv4 packets whose source address is equal to their destination address (the LAND attack pattern).
Example: Drop packets whose source IP address is equal to their destination address.

active500EM(config)# dosattack-check srcip-equal-dstip enable


9.5.2 dosattack-check ipv4-first-fragment enable

Command: dosattack-check ipv4-first-fragment enable
no dosattack-check ipv4-first-fragment enable
Function: Enable the function for the switch to check the first fragment packet of IPv4. The no command disables this function.
Parameter: None.
Command mode: Global Mode
Default: None.
Usage guide: This command has no effect on its own. It extends the checks enabled by the “dosattack-check tcp-flags enable” and “dosattack-check srcport-equal-dstport enable” commands to the first fragment of a fragmented IPv4 packet (the fragment that carries the TCP/UDP header).
Example: Drop both fragmented (first fragment) and non-fragmented IPv4 packets whose source port is equal to their destination port.

active500EM(config)#dosattack-check ipv4-first-fragment enable
active500EM(config)#dosattack-check srcport-equal-dstport enable


9.5.3 dosattack-check tcp-flags enable

Command: dosattack-check tcp-flags enable
no dosattack-check tcp-flags enable
Function: Enable the function for the switch to check for illegal TCP flag combinations. The no command disables this function.
Parameter: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When this function is enabled, the switch drops TCP packets that carry any of the following four illegal flag combinations:

  • SYN=1 with a source port lower than 1024.
  • All TCP flags cleared (0) and sequence number 0.
  • FIN=1, URG=1 and PSH=1 with sequence number 0.
  • SYN=1 and FIN=1 set together.

This function can be used in association with the “dosattack-check ipv4-first-fragment enable” command to apply the same check to the first fragment of a fragmented packet.
Example: Drop packets matching any of the four flag combinations above.

active500EM(config)#dosattack-check tcp-flags enable


9.5.4 dosattack-check srcport-equal-dstport enable

Command: dosattack-check srcport-equal-dstport enable
no dosattack-check srcport-equal-dstport enable
Function: Enable the function for the switch to check if the source port is equal to the destination port. The no command disables this function.
Parameter: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When this function is enabled, the switch drops TCP and UDP packets whose destination port is equal to their source port. Used together with the “dosattack-check ipv4-first-fragment enable” function, it also blocks the first fragment of fragmented TCP and UDP packets whose destination port is equal to the source port.
Example: Drop non-fragmented TCP and UDP packets whose destination port is equal to the source port.

active500EM(config)#dosattack-check srcport-equal-dstport enable


9.5.5 dosattack-check tcp-fragment enable

Command: dosattack-check tcp-fragment enable
no dosattack-check tcp-fragment enable
Function: Enable the function for the switch to detect TCP fragment attacks. The no command disables this function.
Parameter: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: When this function is enabled, the switch is protected against TCP tiny-fragment attacks. It drops TCP packets whose IP fragment offset value is 1 (such a fragment lands on bytes 8-15 of the TCP header on reassembly, where the flags live, and is used to overwrite them) and first fragments whose TCP header is shorter than the configured minimum. Use the “dosattack-check tcp-segment” command to set that minimum length.
Example: Enable the detection of a TCP fragment attack.

active500EM(config)#dosattack-check tcp-fragment enable


9.5.6 dosattack-check tcp-segment

Command: dosattack-check tcp-segment <20-255>
Function: Configure the minimum TCP segment length permitted by the switch.
Parameter:

  • <20-255>: minimum TCP segment length permitted by the switch.

Command mode: Global Mode
Default: 20 bytes, the length of a TCP header without options and therefore the shortest valid TCP segment.
Usage guide: The “dosattack-check tcp-fragment enable” function must be enabled to use this command.
Example: Set the minimum TCP segment length permitted by the switch to 20.

active500EM(config)#dosattack-check tcp-fragment enable
active500EM(config)#dosattack-check tcp-segment 20


9.5.7 dosattack-check icmp-attacking enable

Command: dosattack-check icmp-attacking enable
no dosattack-check icmp-attacking enable
Function: Enable the ICMP fragment attack detection function on the switch. The no command disables this function.
Parameter: None.
Command mode: Global Mode
Default: Disabled.
Usage guide: With this function enabled, the switch is protected from ICMP fragment attacks. Fragmented ICMPv4/v6 packets are dropped, as are ICMPv4/v6 packets whose net length exceeds the maximum permitted by the switch (see the “dosattack-check icmpV4-size” command).
Example: Enable ICMP fragment attack detection.

active500EM(config)#dosattack-check icmp-attacking enable
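
The drop conditions of sections 9.5.1 through 9.5.7, as an added example that is not part of this manual and not the switch's own code: a small Python classifier that applies the same rules to constructed IPv4 packets, so each rule can be seen matching real header bytes. The header layouts are standard IPv4, TCP and ICMP; the DosPolicy field names, the reason strings, and the use of the IP total length for the icmpV4-size comparison are assumptions made here. The sample packets are constructed inline.

```python
"""Packet-level model of the dosattack-check rules in 9.5.1 - 9.5.7.

Added example, not the switch's own code. Policy names and reason strings
are assumptions; header layouts are standard IPv4/TCP/ICMP.
"""
import socket
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_PSH, TCP_URG = 0x01, 0x02, 0x08, 0x20


@dataclass
class DosPolicy:
    """One field per CLI switch (hypothetical names mirroring the commands)."""
    srcip_equal_dstip: bool = True      # 9.5.1
    ipv4_first_fragment: bool = True    # 9.5.2
    tcp_flags: bool = True              # 9.5.3
    srcport_equal_dstport: bool = True  # 9.5.4
    tcp_fragment: bool = True           # 9.5.5
    tcp_segment_min: int = 20           # 9.5.6, tcp-segment <20-255>
    icmp_attacking: bool = True         # 9.5.7
    icmpv4_size_max: int = 512          # 9.5.8, icmpV4-size <64-1023> (assumed)


def build_ipv4(proto, src, dst, payload, frag_offset=0, more_frags=False):
    """IPv4 header (20 bytes, no options) in front of payload; checksum left 0."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0, src, dst) + payload


def build_tcp(sport, dport, seq, flags):
    """20-byte TCP header (data offset 5) with the given flags; checksum left 0."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_icmp_echo(data):
    """ICMPv4 echo request (type 8) carrying data; checksum left 0."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + data


def check(pkt: bytes, p: DosPolicy) -> list:
    """Return the names of the rules that would drop pkt (empty list = forward)."""
    reasons = []
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag_field = struct.unpack("!H", pkt[6:8])[0]
    frag_offset, more = frag_field & 0x1FFF, bool(frag_field & 0x2000)
    is_fragment = frag_offset != 0 or more
    src, dst, l4 = pkt[12:16], pkt[16:20], pkt[ihl:]

    if p.srcip_equal_dstip and src == dst:
        reasons.append("srcip-equal-dstip")

    # Port and flag rules need the L4 header: present in unfragmented packets and
    # in the first fragment (offset 0), which is only inspected with 9.5.2 enabled.
    l4_visible = not is_fragment or (frag_offset == 0 and p.ipv4_first_fragment)

    if l4_visible and proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if p.srcport_equal_dstport and sport == dport:
            reasons.append("srcport-equal-dstport")

    if l4_visible and proto == 6 and len(l4) >= 20 and p.tcp_flags:
        sport, dport, seq = struct.unpack("!HHI", l4[:8])
        flags = l4[13] & 0x3F
        xmas = TCP_FIN | TCP_URG | TCP_PSH
        if (flags & TCP_SYN) and sport < 1024:
            reasons.append("tcp-flags: SYN with src port < 1024")
        if flags == 0 and seq == 0:
            reasons.append("tcp-flags: no flags with seq 0")
        if (flags & xmas) == xmas and seq == 0:
            reasons.append("tcp-flags: FIN/URG/PSH with seq 0")
        if (flags & (TCP_SYN | TCP_FIN)) == (TCP_SYN | TCP_FIN):
            reasons.append("tcp-flags: SYN and FIN")

    if p.tcp_fragment and proto == 6:
        # Offset 1 overlays bytes 8-15 of the TCP header (the flags) on reassembly;
        # a first fragment shorter than the minimum header hides the flags entirely.
        if frag_offset == 1:
            reasons.append("tcp-fragment: offset 1")
        elif frag_offset == 0 and (len(l4) < 20 or (l4[12] >> 4) * 4 < p.tcp_segment_min):
            reasons.append("tcp-fragment: short TCP header")

    if p.icmp_attacking and proto == 1:
        # Assumption: the 9.5.8 "net length" is compared as the IP total length.
        if is_fragment:
            reasons.append("icmp-attacking: fragmented ICMP")
        elif len(pkt) > p.icmpv4_size_max:
            reasons.append("icmp-attacking: oversized ICMP")
    return reasons


def demo():
    """Run the default policy over constructed sample packets (constructed data)."""
    a, b = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
    samples = {
        "normal":    build_ipv4(6, a, b, build_tcp(40000, 443, 1, TCP_SYN)),
        "land":      build_ipv4(6, a, a, build_tcp(80, 80, 1, TCP_SYN)),
        "null":      build_ipv4(6, a, b, build_tcp(40000, 22, 0, 0)),
        "xmas":      build_ipv4(6, a, b, build_tcp(40000, 22, 0, TCP_FIN | TCP_URG | TCP_PSH)),
        "synfin":    build_ipv4(6, a, b, build_tcp(40000, 22, 7, TCP_SYN | TCP_FIN)),
        "tiny-frag": build_ipv4(6, a, b, build_tcp(40000, 22, 1, TCP_SYN)[:8], more_frags=True),
        "frag-off1": build_ipv4(6, a, b, b"\x00" * 16, frag_offset=1),
        "icmp-frag": build_ipv4(1, a, b, build_icmp_echo(b"A" * 8), more_frags=True),
        "big-icmp":  build_ipv4(1, a, b, build_icmp_echo(b"A" * 600)),
    }
    return {name: check(pkt, DosPolicy()) for name, pkt in samples.items()}
```

Calling demo() returns, per sample, the list of rules that fire: the "land" packet trips 9.5.1, 9.5.4 and the first 9.5.3 rule at once, the 8-byte first fragment is caught by 9.5.5 rather than 9.5.3 because no flags are present to inspect, and "normal" passes with an empty list. One caveat worth checking on the real hardware: as written in 9.5.3, the first flag rule matches any segment with SYN set and a source port below 1024, which also describes a SYN/ACK reply from a server listening on a privileged port, so confirm the switch's actual behaviour on transit traffic before enabling it.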


9.5.8 dosattack-check icmpV4-size

Command: dosattack-check icmpV4-size <64-1023>
Function: Configure the max net length of the ICMPv4 data packet permitted by the switch.
Parameter: