Cisco Cisco Tunnel Terminating Gateway (TTG) Guide De Dépannage
ACS Rulebase Configuration Mode Commands
▀ firewall dos-protection
▄ Cisco ASR 5000 Series Command Line Interface Reference
OL-22947-02
In an IP Unaligned Timestamp attack, certain operating systems crash if they receive a frame with the IP
timestamp option that is not aligned on a 32-bit boundary.
timestamp option that is not aligned on a 32-bit boundary.
Enables protection against HTTP Multiple Internet Mail Extension (MIME) Header Flooding attacks.
In a MIME Flood attack an attacker sends huge amount of MIME headers which consumes a lot of memory
and CPU usage.
In a MIME Flood attack an attacker sends huge amount of MIME headers which consumes a lot of memory
and CPU usage.
Enables protection against Port Scan attacks.
Enables protection against TCP Sequence Number Out-of-Range attacks.
In a Sequence Number Out-of-Range attack the attacker sends packets with out-of-range sequence numbers
forcing the system to wait for missing sequence packets.
In a Sequence Number Out-of-Range attack the attacker sends packets with out-of-range sequence numbers
forcing the system to wait for missing sequence packets.
Enables protection against IP Source Route IP Option attacks.
Source routing is an IP option mainly used by network administrators to check connectivity. When an IP
packet leaves a system, its path through various networks to its destination is controlled by the routers and
their current configuration. Source routing provides a means to override the control of the routers. Strict
source routing specifies the path through all the routers to the destination. The same path in reverse is used to
return responses. Loose source routing allows the attacker to spoof both an address and sets the loose source
routing option to force the response to return to the attacker's network.
Source routing is an IP option mainly used by network administrators to check connectivity. When an IP
packet leaves a system, its path through various networks to its destination is controlled by the routers and
their current configuration. Source routing provides a means to override the control of the routers. Strict
source routing specifies the path through all the routers to the destination. The same path in reverse is used to
return responses. Loose source routing allows the attacker to spoof both an address and sets the loose source
routing option to force the response to return to the attacker's network.
Enables protection against Teardrop attacks.
In a Teardrop attack, overlapping IP fragments are exploited causing the TCP/IP fragmentation re-assembly
to improperly handle overlapping IP fragments.
In a Teardrop attack, overlapping IP fragments are exploited causing the TCP/IP fragmentation re-assembly
to improperly handle overlapping IP fragments.
Enables protection against WIN-NUKE attacks.
This is a type of Nuke denial-of-service attack against networks consisting of fragmented or otherwise invalid
ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data,
thus slowing down the affected computer until it comes to a complete stop.
The WinNuke exploits the vulnerability in the NetBIOS handler and a string of out-of-band data sent to TCP
port 139 of the victim machine causing it to lock up and display a Blue Screen of Death.
This is a type of Nuke denial-of-service attack against networks consisting of fragmented or otherwise invalid
ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data,
thus slowing down the affected computer until it comes to a complete stop.
The WinNuke exploits the vulnerability in the NetBIOS handler and a string of out-of-band data sent to TCP
port 139 of the victim machine causing it to lock up and display a Blue Screen of Death.
Usage
Use this command to enable firewall protection from different types of DoS attacks. This command can be
used multiple times for different DoS attacks.
used multiple times for different DoS attacks.
Important:
The DoS attacks are detected only in the downlink direction.
Example