Allied Telesis AT-S63 Dust Collector User Manual


 
Chapter 14: Denial of Service Defenses
Section II: Advanced Operations
IP Options Attack
In the basic scenario of an IP options attack, an attacker sends packets
containing bad IP options. There are several types of IP options attacks,
and the AT-S63 Management Software does not distinguish between them.
Rather, the defense mechanism counts the number of ingress IP packets
containing IP options received on a port. If the number exceeds 20
packets per second, the switch considers this a possible IP options attack
and the following occurs:
- It sends an SNMP trap to the management stations.
- The switch port is blocked for one minute.
This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without affecting switch
performance.
Note
This defense does not actually check IP packets for bad IP options,
and so can only alert you to a possible attack.
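The counting behavior described above can be modeled in a few lines. The following is an added example, not code from the manual or from Allied Telesis: the class and function names are hypothetical, the fixed one-second counting window and the point at which the block starts are assumptions, and the sample packets are constructed. It shows why a burst of well-formed options trips the defense just as a malicious one would.

```python
import struct

THRESHOLD_PPS = 20   # manual: more than 20 option-bearing packets per second
BLOCK_SECONDS = 60   # manual: port is blocked for one minute

def has_ip_options(packet: bytes) -> bool:
    """True when an IPv4 header is longer than 20 bytes (IHL > 5)."""
    if len(packet) < 20:
        return False
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    return version == 4 and ihl > 5

class OptionsRateMonitor:
    def __init__(self):
        self.window = {}         # port -> (second, option packets seen in it)
        self.blocked_until = {}  # port -> time the block expires
        self.traps = []          # (time, port); stands in for the SNMP trap

    def ingress(self, port: int, now: float, packet: bytes) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if now < self.blocked_until.get(port, 0.0):
            return False
        if has_ip_options(packet):   # content of the options is never inspected
            sec = int(now)
            last, count = self.window.get(port, (sec, 0))
            count = count + 1 if last == sec else 1
            self.window[port] = (sec, count)
            if count > THRESHOLD_PPS:
                # Assumption: the block starts with the packet that crosses the limit.
                self.blocked_until[port] = now + BLOCK_SECONDS
                self.traps.append((now, port))
                return False
        return True

def sample_packet(options: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left 0); options must be 4-byte aligned."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + options

# Well-formed Record Route option (type 7, length 7, pointer 4) plus one pad byte.
RECORD_ROUTE = bytes([7, 7, 4, 0, 0, 0, 0, 0])

def run_demo():
    """25 option-bearing packets on port 3 within one second."""
    mon = OptionsRateMonitor()
    burst = [mon.ingress(3, 100.0 + i * 0.01, sample_packet(RECORD_ROUTE)) for i in range(25)]
    return mon, burst
```

In the demo the 21st packet triggers the trap and the block, and all traffic on that port, with or without options, is dropped until the minute expires.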