AT-S62 Command Line User’s Guide

SET DOS IPOPTION

Syntax

set dos ipoption port=port state=enable|disable [mirrorport=port]

Parameters

port          Specifies the switch port on which you want to enable or disable the IP Option defense. You can specify more than one port at a time.

state         Specifies the state of the IP Option defense. The options are:

              enable     Activates the defense.

              disable    Deactivates the defense. This is the default.

mirrorport    Specifies a port where invalid traffic is copied. You can specify only one port.

Description

This command enables and disables the IP Options DoS defense.

This type of attack occurs when an attacker sends packets containing bad IP options to a victim node. There are many different types of IP options attacks, and the AT-S62 management software does not try to distinguish between them. Rather, a switch port where this defense is activated counts the number of ingress IP packets containing IP options. If the number exceeds 20 packets per second, the switch considers this a possible IP options attack and does the following:

It sends a trap to the management workstations.

The switch port discards all ingress packets containing IP options for a one minute period.

This defense mechanism does not involve the switch’s CPU. You can activate it on as many ports as you want without it impacting switch performance.
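
The per-port logic described above, modeled in Python as an added example (it is not Allied Telesis code or the AT-S62 implementation). The 20 packets per second threshold and the one minute discard period come from this guide; the fixed one-second counting window, the choice to drop the packet that crosses the threshold, and all class and function names are assumptions.

```python
import struct

THRESHOLD_PPS = 20   # from the guide: more than 20 packets per second
BLOCK_SECONDS = 60   # from the guide: one minute discard period

def has_ip_options(packet: bytes) -> bool:
    """True if an IPv4 header carries options (IHL above 5 32-bit words)."""
    if len(packet) < 20:
        return False
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    return version == 4 and ihl > 5 and len(packet) >= ihl * 4

class IpOptionDefense:
    """Model of one switch port; one-second counting windows are an assumption."""
    def __init__(self):
        self.window, self.count = None, 0     # second being counted, packets seen
        self.blocked_until, self.traps = 0.0, []

    def ingress(self, now: float, packet: bytes) -> bool:
        """Return True if the packet is forwarded, False if it is discarded."""
        if not has_ip_options(packet):
            return True                       # packets without options are never dropped
        if now < self.blocked_until:
            return False                      # inside the one minute discard period
        if int(now) != self.window:
            self.window, self.count = int(now), 0
        self.count += 1
        if self.count > THRESHOLD_PPS:        # possible IP options attack
            self.blocked_until = now + BLOCK_SECONDS
            self.traps.append(now)            # stands in for the trap to management stations
            return False                      # assumption: the triggering packet is dropped
        return True

def ipv4_header(options: bytes = b"") -> bytes:
    """Constructed sample packet: bare IPv4 header, options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

def simulate():
    port = IpOptionDefense()
    opt = ipv4_header(b"\x07\x07\x04" + b"\x00" * 4)   # Record Route option, constructed
    plain = ipv4_header()
    burst = [port.ingress(10.0 + i * 0.01, opt) for i in range(30)]  # 30 packets in 0.3 s
    during = (port.ingress(30.0, opt), port.ingress(30.0, plain))
    after = port.ingress(70.21, opt)                   # just past the discard period
    return burst.count(True), len(port.traps), during, after
```

In the simulated burst the first 20 option-bearing packets are forwarded, one trap is raised, option-bearing packets are dropped for the next minute while ordinary packets still pass, and forwarding resumes afterwards.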

Examples

The following command activates the IP Options defense on ports 5, 7, and 10:

set dos ipoption port=5,7,10 state=enable
