Cisco Cisco Packet Data Gateway (PDG)
• icmp: Enables protection against ICMP Flood attacks
• tcp-syn: Enables protection against TCP SYN Flood attacks
• udp: Enables protection against UDP Flood attacks
ftp-bounce
Enables protection against FTP Bounce attacks.
In an FTP Bounce attack, an attacker is able to use the PORT command to request access to ports indirectly
through a user system as an agent for the request. This technique is used to port scan hosts discreetly, and to
access specific ports that the attacker cannot access through a direct connection.
through a user system as an agent for the request. This technique is used to port scan hosts discreetly, and to
access specific ports that the attacker cannot access through a direct connection.
ip-unaligned-timestamp
Enables protection against IP Unaligned Timestamp attacks.
In an IP Unaligned Timestamp attack, certain operating systems crash if they receive a frame with the IP
timestamp option that is not aligned on a 32-bit boundary.
timestamp option that is not aligned on a 32-bit boundary.
mime-flood
Enables protection against HTTP Multiple Internet Mail Extension (MIME) Header Flooding attacks.
In a MIME Flood attack an attacker sends huge amount of MIME headers which consumes a lot of memory
and CPU usage.
and CPU usage.
port-scan
Enables protection against Port Scan attacks.
tcp-window-containment
Enables protection against TCP Sequence Number Out-of-Range attacks.
In a Sequence Number Out-of-Range attack the attacker sends packets with out-of-range sequence numbers
forcing the system to wait for missing sequence packets.
forcing the system to wait for missing sequence packets.
source-router
Enables protection against IP Source Route IP Option attacks.
Source routing is an IP option mainly used by network administrators to check connectivity. When an IP
packet leaves a system, its path through various networks to its destination is controlled by the routers and
their current configuration. Source routing provides a means to override the control of the routers. Strict source
routing specifies the path through all the routers to the destination. The same path in reverse is used to return
responses. Loose source routing allows the attacker to spoof both an address and sets the loose source routing
option to force the response to return to the attacker's network.
packet leaves a system, its path through various networks to its destination is controlled by the routers and
their current configuration. Source routing provides a means to override the control of the routers. Strict source
routing specifies the path through all the routers to the destination. The same path in reverse is used to return
responses. Loose source routing allows the attacker to spoof both an address and sets the loose source routing
option to force the response to return to the attacker's network.
teardrop
Enables protection against Teardrop attacks.
In a Teardrop attack, overlapping IP fragments are exploited causing the TCP/IP fragmentation re-assembly
to improperly handle overlapping IP fragments.
to improperly handle overlapping IP fragments.
Command Line Interface Reference, Modes A - B, StarOS Release 19
650
ACS Rulebase Configuration Mode Commands
firewall dos-protection