About the Matrix DFE's 'hostdos' Feature Set

  • Updated 5 years ago
Article ID: 5417 

Products
Matrix N-Series DFE, firmware through 6.x 

Commands
'show hostdos'
'set hostdos'
'clear hostdos' 

Cause
The hostdos feature set is described in the Matrix DFE Configuration Guide. 

This document provides additional details. 

Solution
Here are the hostdos command options and what they do:
  • 'land' targets frames whose Source and Destination IP addresses are identical.
    Violating frames are discarded in hardware and are not reported to syslog.
  • 'fragmicmp' targets fragmented ICMP packets, including Ping of Death packets.
    Each violating frame is reported to syslog and discarded.
  • 'largeicmp <size>' targets large ICMP packets; <size> is the packet size above which the protection starts. Valid values are 1 to 65535. The default is 1024.
    Each violating frame is reported to syslog and discarded.
  • 'checkspoof' targets frames whose Source VLAN differs from the interface through which the switch routes to the frame's Source IP.
    Each violating frame is reported to syslog and discarded.
  • 'portscan' targets a single source address sending to multiple UDP/TCP destination ports.
    Portscan activity is reported to syslog after every 25 unique destination ports seen from a source. Frames are not discarded.
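The following simulation, added here as an example and not code from the DFE firmware or this article, models the report/discard behaviour of the 'land', 'fragmicmp', 'largeicmp' and 'portscan' checks described above: 'land' drops silently, the two ICMP checks log and drop, and 'portscan' only logs, once per 25 unique destination ports from a source. The Packet and HostDos classes, the syslog message texts and the sample packets are all constructed for this illustration.

```python
"""Model of the Matrix DFE hostdos checks (constructed example, not vendor code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

PORTSCAN_REPORT_EVERY = 25  # syslog after each 25 unique destination ports (per the article)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "icmp", "tcp" or "udp"
    length: int = 64             # total IP packet length in bytes
    fragmented: bool = False
    dport: Optional[int] = None  # TCP/UDP destination port


@dataclass
class HostDos:
    """Enabled checks mirror 'set hostdos' options; largeicmp holds the size threshold."""
    land: bool = True
    fragmicmp: bool = True
    largeicmp: Optional[int] = 1024   # None = disabled; 1024 is the documented default
    portscan: bool = True
    syslog: list = field(default_factory=list)
    _ports_seen: dict = field(default_factory=lambda: defaultdict(set))

    def process(self, pkt: Packet) -> str:
        """Return 'drop' or 'forward' for pkt, appending syslog entries as the feature set would."""
        if self.land and pkt.src == pkt.dst:
            return "drop"  # land: discarded in hardware, nothing sent to syslog

        if pkt.proto == "icmp":
            if self.fragmicmp and pkt.fragmented:
                self.syslog.append(f"hostdos fragmicmp: dropped fragmented ICMP from {pkt.src}")
                return "drop"
            if self.largeicmp is not None and pkt.length > self.largeicmp:
                self.syslog.append(f"hostdos largeicmp: dropped {pkt.length}-byte ICMP from {pkt.src}")
                return "drop"

        if self.portscan and pkt.proto in ("tcp", "udp") and pkt.dport is not None:
            seen = self._ports_seen[pkt.src]
            if pkt.dport not in seen:
                seen.add(pkt.dport)
                if len(seen) % PORTSCAN_REPORT_EVERY == 0:
                    self.syslog.append(f"hostdos portscan: {pkt.src} has probed {len(seen)} unique ports")
            # portscan only reports; the frame is still forwarded

        return "forward"


def demo() -> dict:
    """Run a few constructed packets through the checks and return the verdicts and log."""
    hd = HostDos()
    verdicts = {
        "land": hd.process(Packet("10.0.0.5", "10.0.0.5", "tcp", dport=80)),
        "frag_icmp": hd.process(Packet("10.0.0.7", "10.0.0.1", "icmp", fragmented=True)),
        "large_icmp": hd.process(Packet("10.0.0.7", "10.0.0.1", "icmp", length=1500)),
        "at_threshold": hd.process(Packet("10.0.0.7", "10.0.0.1", "icmp", length=1024)),
    }
    # 50 distinct ports from one source: two portscan reports, nothing dropped
    scan = [hd.process(Packet("10.0.0.9", "10.0.0.1", "tcp", dport=p)) for p in range(1, 51)]
    verdicts["scan_dropped"] = scan.count("drop")
    verdicts["syslog"] = list(hd.syslog)
    return verdicts


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that 'largeicmp' fires only for packets strictly larger than the configured size, so a 1024-byte ICMP packet passes at the default threshold, and that a repeated destination port does not advance the portscan counter.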
More about 'checkspoof':
  • It compares the best known route(s) to the Source IP against the VLAN on which the frame arrived. If the source VLAN (whatever VLAN the switch assigns the packet to on ingress) differs from the egress interface(s) recorded for those route(s), the frame is treated as a spoof.
  • The route lookup examines the forwarding table of best routes, not every route regardless of cost. Because of ECMP there may be more than one egress interface for a prefix, and arrival on any of them is accepted. For example, if OSPF has a route to the 100.0.0.0 net out VLAN 200 and RIP has a higher-cost route to the 100.0.0.0 net out VLAN 100, the forwarding table will hold only the OSPF route. Packets from the 100.0.0.0 net arriving on VLAN 100 are then dropped by checkspoof, because the forwarding table returns VLAN 200.
  • In practice, this feature may not be compatible with VRRP or other redundant-router designs. Unless policy is used to force the issue, it is unpredictable whether a conversation will take the same path in both directions, so legitimate return traffic can arrive on a VLAN the forwarding table does not associate with its source and be dropped.
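The checkspoof decision described above, as an added example that is not part of the original article or the DFE firmware: a small forwarding table of best routes, each prefix mapped to the set of egress VLANs (more than one when ECMP installs equal-cost paths), a longest-prefix lookup on the frame's Source IP, and a comparison of the ingress VLAN with that set. The Fib class, the /8 prefix used for the article's "100.0.0.0 net", and the choice to accept frames whose source has no route at all are assumptions made for this illustration.

```python
"""Model of the hostdos 'checkspoof' lookup (constructed example, not vendor code)."""
import ipaddress
from typing import FrozenSet, Optional


class Fib:
    """Forwarding table of best routes only: prefix -> set of egress VLAN IDs.

    A routing protocol's higher-cost route is never installed here, which is why
    a RIP route out VLAN 100 loses to an OSPF route out VLAN 200 for the same net.
    """

    def __init__(self) -> None:
        self.routes = {}

    def install(self, prefix: str, vlans) -> None:
        """Install (or replace) the best route for prefix with its ECMP egress VLAN set."""
        self.routes[ipaddress.ip_network(prefix)] = frozenset(vlans)

    def lookup(self, ip: str) -> Optional[FrozenSet[int]]:
        """Longest-prefix match; returns the egress VLAN set, or None if unrouted."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, vlans in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, vlans)
        return best[1] if best else None


def checkspoof(fib: Fib, src_ip: str, ingress_vlan: int) -> bool:
    """True if the frame is a spoof: its ingress VLAN is not one of the VLANs the
    forwarding table would use to reach its Source IP. Any ECMP member is accepted."""
    vlans = fib.lookup(src_ip)
    if vlans is None:
        return False  # assumption: no route to the source means nothing to compare against
    return ingress_vlan not in vlans


def article_scenario() -> dict:
    """Reproduce the OSPF/RIP example plus an ECMP prefix and a more specific route."""
    fib = Fib()
    fib.install("100.0.0.0/8", [200])        # OSPF route wins; RIP's VLAN 100 route not installed
    fib.install("100.1.0.0/16", [150])       # more specific route overrides the /8 for 100.1.x.x
    fib.install("10.0.0.0/8", [300, 301])    # two equal-cost OSPF paths (ECMP)
    return {
        "rip_side_vlan100": checkspoof(fib, "100.0.0.5", 100),   # dropped: FIB says VLAN 200
        "ospf_side_vlan200": checkspoof(fib, "100.0.0.5", 200),  # accepted
        "specific_vlan150": checkspoof(fib, "100.1.2.3", 150),   # accepted via /16
        "specific_vlan200": checkspoof(fib, "100.1.2.3", 200),   # dropped: /16 wins over /8
        "ecmp_member": checkspoof(fib, "10.1.2.3", 301),         # accepted: any ECMP VLAN is fine
        "ecmp_outsider": checkspoof(fib, "10.1.2.3", 200),       # dropped
        "unrouted": checkspoof(fib, "192.0.2.1", 100),           # accepted by assumption
    }


if __name__ == "__main__":
    for name, spoof in article_scenario().items():
        print(f"{name}: {'DROP (spoof)' if spoof else 'forward'}")
```

The "rip_side_vlan100" case is exactly the VRRP/redundant-router problem: the frame is legitimate, but because the return path chosen by the other router differs from this switch's best route, checkspoof classifies it as a spoof.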
More about the hostdos commands:
  • The hostdos commands may be applied to one or more router instances, affecting all routed traffic for each such router instance. With firmware 5.01.58 and higher, they can also be targeted at specific router interfaces.
  • L2 policy and classification rules may be applied before L3 processing, so they can be used to permit known-good traffic that the hostdos checks would otherwise drop.
See also: 14035.
Posted by FAQ User, Official Rep, 5 years ago.