Chapter 24
Configuring Denial of Service Protection
This chapter contains information on how to protect your system against Denial of Service (DoS)
attacks. The information covered in this chapter is unique to the Catalyst 6500 series switches, and it
supplements the network security information and procedures in the "Configuring Network Security"
chapter in this publication as well as the network security information and procedures in these publications:
• Cisco IOS Security Configuration Guide, Release 12.2, at this URL:
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm
• Cisco IOS Security Command Reference, Release 12.2, at this URL:
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/index.htm
This chapter consists of these sections:
• DoS Protection Overview, page 24-1
• Configuring DoS Protection, page 24-2
DoS Protection Overview
The DoS protection available on the Catalyst 6500 series switch provides support against two types of
DoS attack scenarios:
• Data-packet processing that starves routing-protocol processing may result in DoS attacks such as the
  following:
  – Routing peer loss due to hello timeouts
  – HSRP peer loss due to hello timeouts
  – Routing protocol slow convergence
• Data packets congesting a CPU inband datapath may result in DoS attacks such as the following:
  – Routing peer loss due to hello packet drops
  – HSRP peer loss due to hello packet drops
Note DoS protection used at the local router may not prevent peer loss caused by data-packet congestion on
the external link.
Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
24-1
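The peer-loss symptoms listed in the overview (routing adjacencies dropped on hello timeout, HSRP leaving the Active state) are what an operator sees in syslog when data traffic starves the control plane. As an added example that is not part of this guide, the following Python script parses a constructed batch of IOS-style syslog lines and flags bursts of such events, since several peers timing out together is a stronger indicator of CPU starvation than a single failed link. The message formats (%OSPF-5-ADJCHG, %HSRP-5-STATECHANGE), the 30-second window and the threshold of three events are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog in Cisco IOS style. The message formats are assumptions
# made for this example; they are not taken from the configuration guide.
SAMPLE_LOG = """\
Mar  1 10:00:01 sw1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Vlan10 from FULL to DOWN, Neighbor Down: Dead timer expired
Mar  1 10:00:03 sw1 %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Active -> Speak
Mar  1 10:00:05 sw1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.6 on Vlan20 from FULL to DOWN, Neighbor Down: Dead timer expired
Mar  1 10:00:08 sw1 %HSRP-5-STATECHANGE: Vlan20 Grp 2 state Active -> Speak
Mar  1 11:30:00 sw1 %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.2 on Vlan10 from FULL to DOWN, Neighbor Down: Interface down or detached
"""

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<msg>%.*)$")
# The two symptoms the overview names: an adjacency lost because hellos stopped
# arriving (dead timer expired) and an HSRP router leaving Active, which happens
# when its own hellos no longer reach the standby peer. A plain interface-down
# adjacency change is deliberately not matched.
SYMPTOMS = (
    ("ospf_hello_timeout", re.compile(r"%OSPF-5-ADJCHG: .*Dead timer expired")),
    ("hsrp_active_lost", re.compile(r"%HSRP-5-STATECHANGE: .* state Active -> \w+")),
)

def parse_events(log):
    """Return sorted (timestamp, symptom) pairs for lines matching a symptom."""
    events = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        for name, pat in SYMPTOMS:
            if pat.search(m.group("msg")):
                events.append((datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), name))
                break
    return sorted(events)

def find_bursts(log, window=timedelta(seconds=30), min_events=3):
    """Group symptom events that fall within `window` of the first event in the
    group; a group of at least `min_events` is reported as a burst."""
    events = parse_events(log)
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1][0] - events[i][0] <= window:
            j += 1
        if j - i + 1 >= min_events:
            bursts.append({"start": events[i][0], "end": events[j][0], "count": j - i + 1,
                           "symptoms": sorted({e[1] for e in events[i:j + 1]})})
        i = j + 1
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(f"{b['count']} peer-loss events {b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: {b['symptoms']}")
```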