Filters and QoS Configuration for ERS 5500
Technical Configuration Guide v2.0 NN48500-559
Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.
External Distribution
Based on the diagram above, enter the following commands to enable DHCP Snooping (the DHCP spoofing QoS Application) on ports 2 through 10, with 172.30.30.50 as the trusted DHCP server:
5530-24TFD(config)#interface fastEthernet all
5530-24TFD(config-if)#qos dhcp spoofing port 2-10 dhcp-server 172.30.30.50
10.3 DoS
The following command is used to enable the various DoS QoS Applications:
5530-24TFD(config)#interface fastEthernet all
5530-24TFD(config-if)#qos dos <nachia|sqlslam|tcp-dnsport|tcp-ftpport|tcp-synfinscan|xmas> port <port #> enable
SQLSlam
The worm targeting SQL Server computers is self-propagating malicious code that exploits a stack buffer overflow allowing execution of arbitrary code on the SQL Server computer. Once the worm compromises a machine it tries to propagate by crafting 376-byte packets and sending them to randomly chosen IP addresses on UDP port 1434. If a packet reaches a vulnerable machine, that machine becomes infected and also begins to propagate. Beyond the scanning activity for new hosts, the current variant of this worm has no other payload. Activity of this worm is readily identifiable on a network by the presence of 376-byte UDP packets, which appear to originate from seemingly random IP addresses and are destined for UDP port 1434.
When enabled, the DoS SQLSlam QoS Application drops UDP traffic whose destination port is 1434 and that carries the byte pattern 0x040101010101 starting at byte 47 of a tagged packet. The offset counts the 4-byte 802.1Q tag; in an untagged frame the same pattern sits 4 bytes earlier in the frame.
Nachia
The W32/Nachi variants W32/Nachi-A and W32/Nachi-B are worms that spread using the RPC DCOM vulnerability in a similar fashion to the W32/Blaster-A worm. Both rely upon two vulnerabilities in Microsoft's software.
When enabled, the DoS Nachia QoS Application drops ICMP traffic with the byte pattern 0xaaaaaa starting at byte 48 of a tagged packet.
Xmas
Xmas is a DoS attack that sends TCP packets with all TCP flags set in the same packet, which is illegal. When enabled, the DoS Xmas QoS Application drops TCP traffic with the URG:PSH TCP flags set.
TCP SynFinScan
TCP SynFinScan is a DoS attack that sends both a TCP SYN and FIN in the same packet, which is illegal. When enabled, the TCP SynFinScan QoS Application drops TCP traffic with the SYN:FIN TCP flags set.
TCP FtpPort
A TCP FtpPort attack is identified by TCP packets with a source port of 20 and a destination port in the low (privileged) range, which is illegal: a legitimate FTP data connection opened from server port 20 is made to a client port greater than 1024. When enabled, the TCP FtpPort QoS Application drops TCP traffic with the TCP SYN flag set, a source port of 20, and a destination port less than or equal to 1024.
TCP DnsPort
The TCP DnsPort QoS Application is similar to the TCP FtpPort application but for DNS port 53. When enabled, this application drops TCP traffic with the TCP SYN flag set, a source port of 53, and a destination port less than or equal to 1024.
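The Python script below is an added example, not code from the Nortel guide and not the switch's own implementation: it models the six DoS QoS Application match rules described in this section (SQLSlam, Nachia, Xmas, TCP SynFinScan, TCP FtpPort and TCP DnsPort) as software classifiers and runs them over constructed Ethernet frames. The frame parser, the build_frame() helper, the sample traffic and the signature lengths it checks (the first six bytes 0x040101010101 of a UDP/1434 payload, three bytes of 0xaa at the start of an ICMP payload) are the example's own assumptions. The switch matches in hardware at the fixed byte offsets quoted above; this code instead locates the L4 payload from the parsed headers, and payload_byte_1indexed() shows why the guide's offset is specific to tagged frames.

```python
"""Software model of the ERS 5500 DoS QoS Application match rules.

Added example, not code from the Nortel guide: the frame layout,
build_frame() and the sample frames are constructed here.
"""
import struct
from typing import Dict, List, Optional

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag present
ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# TCP flag bits (low six bits of byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Signatures as the guide describes them; the lengths matched are assumptions
SQLSLAM_SIG = b"\x04\x01\x01\x01\x01\x01"   # start of the Slammer UDP payload
NACHIA_SIG = b"\xaa\xaa\xaa"                # 0xaa fill of the Nachi ICMP echo payload


def parse_frame(frame: bytes) -> Optional[Dict]:
    """Return L3/L4 fields of an IPv4 frame (tagged or untagged), else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off, tagged = 14, False
    if ethertype == ETHERTYPE_VLAN:             # skip the 4-byte 802.1Q tag
        tagged, off = True, 18
        ethertype = struct.unpack_from("!H", frame, 16)[0]
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    proto = frame[off + 9]
    l4 = off + ihl
    info = {"tagged": tagged, "proto": proto, "sport": None, "dport": None, "flags": 0}
    if proto == PROTO_TCP and len(frame) >= l4 + 20:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
        info["flags"] = frame[l4 + 13] & 0x3F
        info["payload_off"] = l4 + (frame[l4 + 12] >> 4) * 4
    elif proto == PROTO_UDP and len(frame) >= l4 + 8:
        info["sport"], info["dport"] = struct.unpack_from("!HH", frame, l4)
        info["payload_off"] = l4 + 8
    elif proto == PROTO_ICMP and len(frame) >= l4 + 8:
        info["payload_off"] = l4 + 8              # echo request/reply header is 8 bytes
    else:
        return None
    return info


def payload_byte_1indexed(frame: bytes) -> Optional[int]:
    """1-indexed offset of the first L4 payload byte, the way the guide counts.
    A tagged UDP frame gives 47 (the SQLSlam rule's offset); an untagged one gives 43."""
    p = parse_frame(frame)
    return None if p is None else p["payload_off"] + 1


def _flags_set(flags: int, mask: int) -> bool:
    return (flags & mask) == mask


def dos_matches(frame: bytes) -> List[str]:
    """Names (as written in the qos dos CLI) of the applications that would drop this frame."""
    p = parse_frame(frame)
    if p is None:
        return []
    hits = []
    payload = frame[p["payload_off"]:]
    if p["proto"] == PROTO_UDP and p["dport"] == 1434 and payload.startswith(SQLSLAM_SIG):
        hits.append("sqlslam")
    if p["proto"] == PROTO_ICMP and payload.startswith(NACHIA_SIG):
        hits.append("nachia")
    if p["proto"] == PROTO_TCP:
        f = p["flags"]
        if _flags_set(f, URG | PSH):
            hits.append("xmas")
        if _flags_set(f, SYN | FIN):
            hits.append("tcp-synfinscan")
        if f & SYN and p["sport"] == 20 and p["dport"] <= 1024:
            hits.append("tcp-ftpport")
        if f & SYN and p["sport"] == 53 and p["dport"] <= 1024:
            hits.append("tcp-dnsport")
    return hits


def build_frame(proto: int, payload: bytes, tagged: bool = True,
                sport: int = 0, dport: int = 0, flags: int = 0) -> bytes:
    """Construct a minimal Ethernet/IPv4 frame for the examples (checksums left zero)."""
    eth = bytes(12)                                            # MAC addresses, irrelevant here
    if tagged:
        eth += struct.pack("!HHH", ETHERTYPE_VLAN, 0x0001, ETHERTYPE_IPV4)
    else:
        eth += struct.pack("!H", ETHERTYPE_IPV4)
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    elif proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)              # ICMP echo request
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


# Constructed sample traffic: a Slammer probe, a Nachi ping, an FTP SYN to a low port
SAMPLE_FRAMES = {
    "slammer": build_frame(PROTO_UDP, b"\x04" + b"\x01" * 375, sport=1234, dport=1434),
    "nachi_ping": build_frame(PROTO_ICMP, b"\xaa" * 64),
    "ftp_to_low_port": build_frame(PROTO_TCP, b"", sport=20, dport=139, flags=SYN),
    "normal_ftp_data": build_frame(PROTO_TCP, b"", sport=20, dport=51000, flags=SYN),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:16s} payload at byte {payload_byte_1indexed(frame)}: "
              f"{dos_matches(frame) or 'pass'}")
```

Two points the model makes visible: the SQLSlam and Nachia byte offsets in the guide only hold for 802.1Q-tagged frames (an untagged Slammer probe carries the same signature at byte 43), and the FtpPort and DnsPort rules key on the SYN flag combined with a privileged destination port, so the normal case of server port 20 connecting to a client's ephemeral port is not matched.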