
About the Matrix DFE's 'hostdos' Feature Set

Article ID: 5417

Matrix N-Series DFE, firmware through 6.x

'show hostdos'
'set hostdos'
'clear hostdos'

The hostdos feature set is described in the Matrix DFE Configuration Guide.

This document provides additional details.

Here are the hostdos command options and what they do:
  • 'land' targets frames which have identical Source/Destination IP addresses.
    Violating frames are not reported to syslog, and are discarded via hardware.
  • 'fragmicmp' targets fragmented ICMP and Ping of Death packets.
    Each violating frame is reported to syslog, and discarded.
  • 'largeicmp <size>' targets large ICMP packets, and specifies the packet size above which the protection starts. Valid packet size values are 1 to 65535. The default is 1024.
    Each violating frame is reported to syslog, and discarded.
  • 'checkspoof' targets frames whose Source VLAN is already mapped to a different interface.
    Each violating frame is reported to syslog, and discarded.
  • 'portscan' targets a given source address sending to multiple UDP/TCP ports.
    Portscan activity is reported to syslog after every 25 unique destination ports seen. Frames are not discarded.

More about 'checkspoof':
  • It compares the most favorable known route(s) to the Source IP. If the source VLAN (whichever VLAN the switch assigns the packet to) differs from the ingress hop logged against the route(s), the frame is treated as a spoof.
  • A route lookup examines the forwarding table of best routes (because of ECMP there may be more than one interface, and that is acceptable), not all routes regardless of cost. All possible interfaces are checked. For example, if OSPF has a route to the net out VLAN 200 and RIP has a higher-cost route to the same net out VLAN 100, the forwarding table will hold the OSPF route only, because it has the lower cost. In this case, packets from that net arriving on VLAN 100 would be dropped by checkspoof, because the forwarding table returns VLAN 200.
  • In practice, this feature may not be compatible with VRRP and/or the use of redundant routers. Unless policy is being used to force the issue, it is unpredictable whether a conversation will take the same path in both directions.
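To make the checkspoof decision concrete, here is an added simulation of the lookup described above (example code written for this article, not Extreme Networks' implementation). It builds a forwarding table that keeps only the lowest-cost route(s) per prefix, ECMP included, does a longest-prefix match on the source IP, and flags the frame when its ingress VLAN is not among those routes' interfaces. The route table is constructed to mirror the OSPF-vs-RIP example; prefixes, costs and VLAN numbers are assumptions.

```python
import ipaddress

# Constructed sample routes from all protocols: (prefix, cost, egress VLAN).
# Mirrors the article's example: OSPF (cost 10) and RIP (higher cost) to the same net.
ROUTES = [
    ("10.1.0.0/16", 10, 200),   # OSPF route to the net out VLAN 200
    ("10.1.0.0/16", 120, 100),  # RIP route to the same net out VLAN 100 (loses)
    ("10.2.0.0/16", 10, 300),   # ECMP pair: two equal-cost best routes
    ("10.2.0.0/16", 10, 301),
    ("0.0.0.0/0", 1, 999),      # default route out VLAN 999 (assumed)
]


def build_forwarding_table(routes):
    """Keep only the best (lowest-cost) route(s) per prefix, as the forwarding
    table does. Equal-cost routes are all kept so ECMP interfaces are checked."""
    best = {}
    for prefix, cost, vlan in routes:
        net = ipaddress.ip_network(prefix)
        if net not in best or cost < best[net][0]:
            best[net] = (cost, {vlan})
        elif cost == best[net][0]:
            best[net][1].add(vlan)
    return {net: vlans for net, (_cost, vlans) in best.items()}


def lookup(fib, src_ip):
    """Longest-prefix match of the source IP against the forwarding table.
    Returns the set of egress VLANs of the best route(s), or an empty set."""
    addr = ipaddress.ip_address(src_ip)
    matches = [net for net in fib if addr in net]
    if not matches:
        return set()
    longest = max(matches, key=lambda n: n.prefixlen)
    return fib[longest]


def checkspoof(fib, src_ip, ingress_vlan):
    """True when the frame would be dropped by checkspoof: the VLAN it arrived on
    is not one of the VLANs the best route(s) back to the source would use.
    Assumption: with no route at all, the frame is not flagged."""
    vlans = lookup(fib, src_ip)
    return bool(vlans) and ingress_vlan not in vlans


if __name__ == "__main__":
    fib = build_forwarding_table(ROUTES)
    for src, vlan in [("10.1.5.5", 100), ("10.1.5.5", 200), ("10.2.9.9", 301)]:
        print(src, "on VLAN", vlan, "-> spoof" if checkspoof(fib, src, vlan) else "-> ok")
```

The VRRP caveat above shows up directly in this model: if the reply path's best route points at a VLAN other than the one the request came in on, legitimate traffic is flagged.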

More about the hostdos commands:
  • The hostdos commands may be applied to one or more router instances, to affect all routed traffic for that router instance. With firmware 5.01.58 and higher, they can also be targeted specifically at certain router interfaces.
  • As desired, L2 policies/classifications may be applied prior to the L3 processing, which can change the outcome of the hostdos commands for known good traffic that would otherwise be dropped by the hostdos feature.

See also: 14035.