DES-7200 Configuration Guide Chapter 8 DoS Protection Configuration
8 DoS Protection Configuration
8.1 DoS Protection Configuration
8.1.1 Overview
The DoS protection function can defend against Land attacks, invalid TCP message
attacks and invalid L4 message attacks.
Land attack
The attacker sends a SYN packet to the destination host whose source address and port
are the same as the destination address and port. The attacked host then attempts to
establish a TCP connection with itself (an infinite loop), which can crash the system.
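The following is an added example, not part of the DES-7200 guide: a small Python classifier that parses a raw IPv4+TCP header and reports the Land condition described above (source address and port equal to destination address and port), as well as the SYN+FIN combination this section goes on to list as an invalid TCP message. Packets are constructed inline for illustration; no checksums are computed.

```python
import socket
import struct

# TCP flag bits, low 9 bits of the data-offset/flags word
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # protocol 6 = TCP, need full TCP header
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return src, sport, dst, dport, off_flags & 0x01FF


def classify(pkt: bytes) -> list:
    """Return the list of DoS conditions matched by this packet (empty if none)."""
    parsed = parse_ipv4_tcp(pkt)
    if parsed is None:
        return []
    src, sport, dst, dport, flags = parsed
    findings = []
    if src == dst and sport == dport:      # Land attack: packet addressed to itself
        findings.append("land")
    if flags & SYN and flags & FIN:        # SYN and FIN set together is never valid
        findings.append("syn-fin")
    return findings


def build_packet(src: str, sport: int, dst: str, dport: int, flags: int) -> bytes:
    """Construct a minimal 40-byte IPv4+TCP packet (constructed sample, no checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 8192, 0, 0)  # data offset 5 words
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    print(classify(build_packet("10.0.0.1", 80, "10.0.0.1", 80, SYN)))
    print(classify(build_packet("10.0.0.2", 1234, "10.0.0.1", 80, SYN | FIN)))
```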
Invalid TCP message attack
The TCP header contains several flag fields:
1. SYN: Synchronize flag. A TCP SYN message sets this flag to 1 in order to request a
connection.
2. ACK: Acknowledgment flag. In a TCP connection, every message except the first one
(the TCP SYN) has this flag set to acknowledge the previous message.
3. FIN: Finish flag. When a host receives a TCP message with the FIN flag set, it
terminates the TCP connection.
4. RST: Reset flag. When the IP protocol stack receives a TCP message for a target
port that is not open, it replies with a message that has the RST flag set.
5. PSH: Push flag. Notifies the protocol stack to deliver the TCP data to the
upper-layer program as soon as possible.
An invalid TCP message attack sets invalid flag combinations in order to consume host
resources and crash the system. The following are some frequently seen invalid TCP
messages:
1. TCP message with both the SYN bit and the FIN bit set