Matrix N-Series DFE, firmware through 6.x
The hostdos feature set is described in the Matrix DFE Configuration Guide.
This document provides additional details.
Here are the hostdos command options and what they do:
- 'land' targets frames whose Source and Destination IP addresses are identical.
- 'checkspoof' compares the most favorable known route(s) to the Source IP against the VLAN the frame arrived on. If the source VLAN (whichever VLAN the switch assigns the packet to) differs from the ingress interface recorded for those route(s), the packet is treated as a spoof.
- The route lookup examines the forwarding table of best routes (because of ECMP there may be more than one interface, and that is acceptable), not every route regardless of cost. All possible interfaces are checked. For example, if OSPF has a route to the 184.108.40.206 net out VLAN 200 and RIP has a higher-cost route to the 220.127.116.11 net out VLAN 100, the forwarding table will hold only the OSPF route because it has the lower cost. In this case, packets from the 18.104.22.168 net arriving on VLAN 100 would be dropped by checkspoof because the forwarding table returns VLAN 200.
- In practice, this feature may not be compatible with VRRP and/or redundant routers. Unless policy is used to force the issue, it is unpredictable whether a conversation will take the same path in both directions.
- The hostdos commands may be applied to one or more router instances, affecting all routed traffic for that router instance. With firmware 5.01.58 and higher, they can also be targeted at specific router interfaces.
- If desired, L2 policies/classifications may be applied before L3 processing; this can change the outcome of the hostdos checks for known-good traffic that would otherwise be dropped by the hostdos feature.
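The following is an added model of the 'land' and 'checkspoof' decisions described above, written for this page and not taken from the switch firmware or the Configuration Guide. It reduces a set of known routes to a best-route forwarding table (keeping equal-cost ECMP entries), then checks a frame's ingress VLAN against that table; the prefixes, costs and VLAN numbers are constructed for the illustration.

```python
# Constructed model of the hostdos 'land' and 'checkspoof' checks.
# Not the Matrix DFE implementation; route data below is made up.
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix cost vlan")

def forwarding_table(rib):
    """Reduce all known routes (RIB) to the best route(s) per prefix:
    lowest cost wins; equal-cost routes to one prefix are all kept (ECMP)."""
    best = {}
    for r in rib:
        prefix = ipaddress.ip_network(r.prefix)
        current = best.get(prefix)
        if current is None or r.cost < current[0]:
            best[prefix] = (r.cost, {r.vlan})
        elif r.cost == current[0]:
            current[1].add(r.vlan)
    return best

def lookup(fib, ip):
    """Longest-prefix match against the forwarding table; returns the set of
    VLANs the switch would use to reach ip (more than one under ECMP)."""
    ip = ipaddress.ip_address(ip)
    matches = [(p.prefixlen, vlans) for p, (_, vlans) in fib.items() if ip in p]
    return max(matches, key=lambda m: m[0])[1] if matches else set()

def hostdos_verdict(fib, src_ip, dst_ip, ingress_vlan, land=True, checkspoof=True):
    """Return the name of the check that drops the frame, or None to forward."""
    if land and src_ip == dst_ip:
        return "land"
    if checkspoof:
        expected = lookup(fib, src_ip)
        # A source VLAN outside the best-route interface set is a spoof.
        if expected and ingress_vlan not in expected:
            return "checkspoof"
    return None

# Constructed RIB mirroring the text: OSPF reaches 10.1.1.0/24 cheaply via
# VLAN 200, RIP has a costlier route via VLAN 100 (so only VLAN 200 enters the
# forwarding table); 10.2.0.0/16 has two equal-cost (ECMP) routes.
RIB = [Route("10.1.1.0/24", 10, 200), Route("10.1.1.0/24", 120, 100),
       Route("10.2.0.0/16", 10, 300), Route("10.2.0.0/16", 10, 301)]
FIB = forwarding_table(RIB)

if __name__ == "__main__":
    print(hostdos_verdict(FIB, "10.1.1.5", "10.9.9.9", 100))  # checkspoof
    print(hostdos_verdict(FIB, "10.1.1.5", "10.9.9.9", 200))  # None
    print(hostdos_verdict(FIB, "10.2.3.4", "10.9.9.9", 301))  # None (ECMP)
    print(hostdos_verdict(FIB, "10.9.9.9", "10.9.9.9", 100))  # land
```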