Cisco ASR 5000
ACS Rulebase Configuration Mode Commands
firewall dos-protection
Command Line Interface Reference, StarOS Release 18
ftp-bounce
Enables protection against FTP Bounce attacks.
In an FTP Bounce attack, an attacker is able to use the PORT command to request access to ports indirectly
through a user system as an agent for the request. This technique is used to port scan hosts discreetly, and to
access specific ports that the attacker cannot access through a direct connection.
ip-unaligned-timestamp
Enables protection against IP Unaligned Timestamp attacks.
In an IP Unaligned Timestamp attack, certain operating systems crash if they receive a frame with the IP
timestamp option that is not aligned on a 32-bit boundary.
mime-flood
Enables protection against HTTP Multiple Internet Mail Extension (MIME) Header Flooding attacks.
In a MIME Flood attack, an attacker sends a huge number of MIME headers, which consumes a lot of memory
and CPU.
port-scan
Enables protection against Port Scan attacks.
tcp-window-containment
Enables protection against TCP Sequence Number Out-of-Range attacks.
In a Sequence Number Out-of-Range attack, the attacker sends packets with out-of-range sequence numbers,
forcing the system to wait for the missing sequence packets.
source-router
Enables protection against IP Source Route IP Option attacks.
Source routing is an IP option mainly used by network administrators to check connectivity. When an IP
packet leaves a system, its path through the various networks to its destination is controlled by the routers and
their current configuration. Source routing provides a means to override that control. Strict source routing
specifies the path through every router to the destination, and the same path in reverse is used to return
responses. Loose source routing lets an attacker spoof a source address and set the loose source routing
option so that responses are forced back to the attacker's network.
teardrop
Enables protection against Teardrop attacks.
In a Teardrop attack, an attacker sends overlapping IP fragments that the TCP/IP fragment reassembly code
handles improperly.
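The following is an added example, not part of the Cisco reference, showing the packet-level conditions behind three of these keywords as a small Python detector over constructed packets: it walks the IPv4 options field for the loose/strict source route types (source-router) and for a timestamp option whose pointer is not on a 32-bit word boundary (ip-unaligned-timestamp), and tests a fragment list for the overlapping offsets of a Teardrop datagram. Option type values and the legal timestamp pointer sequence (5, 9, 13, ...) come from RFC 791; the function names and the sample packets are assumptions constructed here.

```python
import struct

IPOPT_END, IPOPT_NOP = 0, 1
IPOPT_TS, IPOPT_LSRR, IPOPT_SSRR = 68, 131, 137   # RFC 791 option type bytes

def ipv4_option_findings(header: bytes) -> list[str]:
    """Walk the IPv4 options and return the dos-protection categories tripped:
    'source-router' for a loose or strict source route option, and
    'ip-unaligned-timestamp' for a timestamp option whose pointer is not one
    of the 32-bit-aligned values 5, 9, 13, ... that RFC 791 lays out."""
    ihl = (header[0] & 0x0F) * 4                  # header length in bytes
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated IPv4 header")
    findings, i = [], 20
    while i < ihl:
        kind = header[i]
        if kind == IPOPT_END:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            findings.append("malformed-option")    # length runs past the header
            break
        length = header[i + 1]
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            findings.append("source-router")
        elif kind == IPOPT_TS:
            pointer = header[i + 2] if length >= 3 else 0
            if pointer < 5 or (pointer - 5) % 4 != 0:
                findings.append("ip-unaligned-timestamp")
        i += length
    return findings

def fragments_overlap(frags) -> bool:
    """frags: (offset_bytes, payload_len) pairs of one datagram. True when a
    fragment starts inside an earlier one, the Teardrop reassembly condition."""
    end = -1
    for off, ln in sorted(frags):
        if off < end:
            return True
        end = max(end, off + ln)
    return False

def build_header(options: bytes) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum left zero) + padded options."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return base + options
```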
winnuke
Enables protection against WIN-NUKE attacks.
This is a type of Nuke denial-of-service attack against networks, consisting of fragmented or otherwise invalid
ICMP packets sent to the target; a modified ping utility is used to repeatedly send this corrupt data, slowing
the affected computer until it comes to a complete stop.
WinNuke exploits a vulnerability in the NetBIOS handler: a string of out-of-band data sent to TCP port 139 of
the victim machine causes it to lock up and display a Blue Screen of Death.