Netgear FS728TLP – ProSAFE 24 ports smart switch PoE User Guide
Configure System Management
ProSAFE FS526Tv2, FS726Tv2, and FS728TLP Smart Switches
Configure Denial of Service
The smart switch supports the following Denial of Service (DoS) features to classify and block
specific types of DoS attacks. All of these DoS features are disabled by default.
• SIP=DIP. Enables the smart switch to drop packets that have a source IP address (SIP)
equal to the destination IP address (DIP).
• First fragment. Enables the smart switch to drop packets that have a first TCP fragment
with a TCP header that is smaller than the configured minimum TCP header size. You
can configure the minimum TCP header size on the Denial of Service Configuration
screen. The default size is 20 bytes.
• TCP fragment. Enables the smart switch to drop packets that have TCP fragments with
an IP fragment offset that is equal to one. You can configure the minimum TCP header
size on the Denial of Service Configuration screen. The default size is 20 bytes.
• TCP flag. Enables the smart switch to drop the following packets:
- Packets that have the TCP flag SYN set and a TCP source port number that is lower
than 1024.
- Packets that have the TCP control flags set to zero and a TCP sequence number that
is zero.
- Packets that have the TCP flags FIN, URG, and PSH set and a TCP sequence
number that is zero.
- Packets that have both the TCP flags SYN and FIN set.
• L4 port. Enables the smart switch to drop packets that have a TCP source port that is
equal to the TCP destination port and packets that have a UDP source port that is equal
to the UDP destination port.
• ICMP. Enables the smart switch to drop ICMP echo request packets that are carried in an
unfragmented IPv4 or IPv6 datagram if the total length in the IP header indicates a value
that is greater than the sum of the configured maximum ICMP packet size and the IP
header length. You can configure the maximum ICMP packet size on the Denial of
Service Configuration screen. The default size is 512 bytes.
If the smart switch detects a DoS attack, the following occurs:
• 260).
• 263), the smart switch sends a message to the syslog server.
• The smart switch shuts down the port on which the DoS attack occurred. You need to
manually reenable the port (see 61).
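To see which traffic the checks listed above would match before enabling them, the following added example (not code from the guide or from Netgear) applies the six rules as worded to a raw IPv4 packet, using the default sizes of 20 and 512 bytes. The function and helper names are hypothetical, IPv6 is not handled, and two readings are assumptions: a first fragment's "TCP header size" is taken as the number of layer 4 bytes it carries, and "control flags" as the six classic TCP flag bits.

```python
import socket, struct

TCP, UDP, ICMP = 6, 17, 1
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
MIN_TCP_HDR, MAX_ICMP = 20, 512   # defaults stated in the guide, in bytes

def dos_checks_hit(pkt):
    """Names of the checks listed above that one raw IPv4 packet would trip."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    proto, mf, offset = pkt[9], bool(frag & 0x2000), frag & 0x1FFF
    l4, hits = pkt[ihl:total_len], []
    if pkt[12:16] == pkt[16:20]:
        hits.append("SIP=DIP")
    # Assumption: "TCP header size" of a first fragment = L4 bytes it carries.
    if proto == TCP and mf and offset == 0 and len(l4) < MIN_TCP_HDR:
        hits.append("First fragment")
    if proto == TCP and offset == 1:
        hits.append("TCP fragment")
    if proto == TCP and offset == 0 and len(l4) >= 14:
        sport, seq = struct.unpack("!H2xI", l4[:8])
        flags = l4[13] & 0x3F   # assumption: the six classic control bits
        xmas = FIN | URG | PSH
        if ((flags & SYN and sport < 1024) or (flags == 0 and seq == 0)
                or ((flags & xmas) == xmas and seq == 0)
                or (flags & SYN and flags & FIN)):
            hits.append("TCP flag")
    # Ports are only present in the fragment at offset 0.
    if proto in (TCP, UDP) and offset == 0 and len(l4) >= 4 and l4[:2] == l4[2:4]:
        hits.append("L4 port")
    if (proto == ICMP and l4[:1] == b"\x08" and not mf and offset == 0
            and total_len > MAX_ICMP + ihl):
        hits.append("ICMP")
    return hits

# Constructed sample packets (documentation addresses, checksums left at zero).
def ipv4(proto, payload, src="192.0.2.1", dst="192.0.2.2", frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, flags, 8192, 0, 0)

if __name__ == "__main__":
    ntp = ipv4(UDP, struct.pack("!HHHH", 123, 123, 8, 0))
    print(dos_checks_hit(ntp))                                 # NTP, port 123 both ways
    print(dos_checks_hit(ipv4(TCP, tcp(1023, 2049, 7, SYN))))  # reserved-port client
```

Both printed cases are ordinary traffic: NTP commonly uses port 123 as source and destination, and NFS or rsh clients may connect from a source port below 1024. Because a match shuts the port down until it is manually reenabled, check for such flows before turning on the L4 port or TCP flag features.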