AT-S62 Command Line User’s Guide
369
SET DOS IPOPTIONSyntax
set dos ipoption port=port state=enable|disable
[mirrorport=port]
Parameters
port Specifies the switch port on which you want to enable
or disable the IP Option defense. You can specify more
than one port at a time.
state Specifies the state of the IP Option defense. The
options are:
enable Activates the defense.
disable Deactivates the defense. This is the default.
mirrorport Specifies a port where invalid traffic is copied. You can
specify only one port.
Description
This command enables and disables the IP Options DoS defense.
This type of attack occurs when an attacker sends packets containing
bad IP options to a victim node. There are many different types of IP
options attacks and the AT-S62 management software does not try to
distinguish between them. Rather, a switch port where this defense is
activated counts the number of ingress IP packets containing IP options.
If the number exceeds 20 packets per second, the switch considers this a
possible IP options attack and does the following occurs:
❑It sends a trap to the management workstations.
❑The switch port discards all ingress packets containing IP options
for a one minute period.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.
Examples
The following command activates the IP Options defense on ports 5, 7,
and 10:
set dos ipoption port=5,7,10 state=enable