7.1 DOS

A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. DoS attacks accomplish this by flooding the target with traffic, or by sending it information that triggers a crash. In both cases, the DoS attack deprives legitimate users (i.e. employees, members, or account holders) of the service or resource they expected.

DoS attacks often target the web servers of high-profile organizations such as banking, commerce, and media companies, or government and trade organizations. Though DoS attacks do not typically result in the theft or loss of significant information or other assets, they can cost the victim a great deal of time and money to handle.

There are two general methods of DoS attack: flooding services or crashing services. Flood attacks occur when the system receives more traffic than the server can buffer, causing it to slow down and eventually stop. Popular flood attacks include:

Other DoS attacks simply exploit vulnerabilities that cause the target network or service to crash. In these attacks, input is sent that takes advantage of bugs in the target, which subsequently crash or severely destabilize the network so that it cannot be accessed or used.

To enable a specific Denial of Service (DoS) protection, use the command dos in the Global Configuration mode. Use the no form of the command to disable the specific DoS protection.

Switch#configure terminal

Switch(config)# dos ipv6-min-frag-size-length 1024

Switch(config)# dos ipv6-min-frag-size-check

Syntax

dos (daeqsa-deny|icmp-frag-pkts-deny|icmpv4-ping-max-check|icmpv6-ping-max-check|ipv6-min-frag-size-check|land-deny|nullscan-deny|pod-deny|smurf-deny|syn-sportl1024-deny|synfin-deny|synrst-deny|tcp-frag-off-min-check|tcpblat-deny|tcphdr-min-check|udpblat-deny|xmas-deny)

dos icmp-ping-max-length MAX_LEN

dos ipv6-min-frag-size-length MIN_LEN

dos smurf-netmask MASK

dos tcphdr-min-length HDR_MIN_LEN

no dos (tcp-frag-off-min-check|synrst-deny|synfin-deny|xmas-deny|nullscan-deny|syn-sportl1024-deny|tcphdr-min-check|smurf-deny|icmpv6-ping-max-check|icmpv4-ping-max-check|icmp-frag-pkts-deny|ipv6-min-frag-size-check|pod-deny|tcpblat-deny|udpblat-deny|land-deny|daeqsa-deny)

Parameter

daeqsa-deny Drops the packets if the destination MAC address is equal to the source MAC address.

icmp-frag-pkts-deny Drops the fragmented ICMP packets.

icmpv4-ping-max-check Checks the maximum size of ICMP ping packets, and drops packets larger than the maximum packet size defined by the command dos icmp-ping-max-length MAX_LEN.

icmpv6-ping-max-check Checks the maximum size of ICMPv6 ping packets, and drops packets larger than the maximum packet size defined by the command dos icmp-ping-max-length MAX_LEN.

ipv6-min-frag-size-check Checks the minimum size of IPv6 fragments, and drops packets smaller than the minimum size defined by the command dos ipv6-min-frag-size-length MIN_LEN.

land-deny Drops the packets if the source IP address is equal to the destination IP address.

nullscan-deny Drops the packets with NULL scan.

pod-deny Avoids ping of death attack.

smurf-deny Avoids smurf attack.

syn-sportl1024-deny Drops SYN packets with a source port less than 1024.

synfin-deny Drops the packets with SYN and FIN bits set.

synrst-deny Drops the packets with SYN and RST bits set.

tcp-frag-off-min-check Drops TCP fragment packets whose fragment offset is equal to one.

tcpblat-deny Drops the packets if the TCP source port is equal to the TCP destination port.

tcphdr-min-check Checks the minimum TCP header length, and drops TCP packets whose header is smaller than the minimum size defined by the command dos tcphdr-min-length HDR_MIN_LEN.

udpblat-deny Drops the packets if the UDP source port is equal to the UDP destination port.

xmas-deny Drops the packets if the sequence number is zero, and the FIN, URG and PSH bits are set.

icmp-ping-max-length MAX_LEN Specifies the maximum size of ICMPv4/ICMPv6 ping packets. The valid range is from 0 to 65535 bytes, and the default value is 512 bytes.

ipv6-min-frag-size-length MIN_LEN Specifies the minimum size of IPv6 fragments. The valid range is from 0 to 65535 bytes, and the default value is 1240 bytes.

smurf-netmask MASK Specifies the netmask for the smurf attack check. The length range is from 0 to 323 bytes, and the default length is 0 bytes.

tcphdr-min-length HDR_MIN_LEN Specifies the minimum TCP header length. The length range is from 0 to 31 bytes, and the default length is 20 bytes.

Default

All DoS protections are enabled by default. The default parameters are:

- The maximum size of ICMP ping packets is 512 bytes.

- The minimum size of IPv6 fragments is 1240 bytes.

- The Smurf netmask length is 0 bytes.

- The minimum TCP header length is 20 bytes.
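The drop rules listed under Parameter can be read as predicates over a handful of packet header fields, evaluated against the defaults above. The following Python script is an added example written for this page, not the switch vendor's code: it models each rule as such a predicate so that a practitioner can check offline which rule would drop a given packet and how changing a tunable (for example icmp-ping-max-length) or disabling a rule changes the verdict. The Packet and DosConfig classes, their field names, the interpretation of smurf-netmask as an IPv4 prefix length and the reassembled-size model used for pod-deny are assumptions of this example, not details stated in the manual.

```python
"""Offline model of the per-packet DoS drop rules documented above.

Added example, not the switch vendor's implementation: each rule is a
predicate over a simplified Packet record so its semantics and the
documented defaults can be exercised on constructed traffic. The Packet
and DosConfig classes and their field names are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20  # TCP flag bits


@dataclass
class Packet:
    src_mac: str = "00:11:22:33:44:55"
    dst_mac: str = "66:77:88:99:aa:bb"
    src_ip: str = "192.0.2.10"
    dst_ip: str = "192.0.2.20"
    proto: str = "tcp"                  # "tcp", "udp", "icmp" or "icmpv6"
    length: int = 64                    # on-wire packet length in bytes
    sport: int = 40000
    dport: int = 80
    tcp_flags: int = ACK
    seq: int = 1
    tcp_hdr_len: int = 20               # TCP header length from the data offset
    frag_offset: Optional[int] = None   # in 8-byte units; None = not a fragment
    icmp_echo: bool = False             # ICMP/ICMPv6 echo request


@dataclass
class DosConfig:
    """Tunables of the 'dos ...' commands, initialised to the documented defaults."""
    icmp_ping_max_length: int = 512
    ipv6_min_frag_size_length: int = 1240
    smurf_netmask: int = 0              # modelled as an IPv4 prefix length (assumption)
    tcphdr_min_length: int = 20
    enabled: Set[str] = field(default_factory=lambda: set(RULES))  # all on by default


def _is_ipv6(p): return ":" in p.src_ip
def _tcp(p): return p.proto == "tcp"
def _icmp(p): return p.proto in ("icmp", "icmpv6")
def _flags(p, mask): return (p.tcp_flags & mask) == mask


def _smurf(p, c):
    # Echo request to the directed-broadcast address of the configured prefix;
    # with the default length 0 that is only 255.255.255.255.
    if not (_icmp(p) and p.icmp_echo) or _is_ipv6(p):
        return False
    net = ipaddress.ip_network(f"{p.dst_ip}/{c.smurf_netmask}", strict=False)
    return ipaddress.ip_address(p.dst_ip) == net.broadcast_address


def _pod(p, c):
    # Ping of death: an ICMP fragment whose reassembled size would exceed 65535 bytes.
    return _icmp(p) and p.frag_offset is not None and p.frag_offset * 8 + p.length > 65535


# Rule name -> predicate that is True when the rule would drop the packet.
RULES = {
    "daeqsa-deny": lambda p, c: p.src_mac.lower() == p.dst_mac.lower(),
    "land-deny": lambda p, c: p.src_ip == p.dst_ip,
    "icmp-frag-pkts-deny": lambda p, c: _icmp(p) and p.frag_offset is not None,
    "icmpv4-ping-max-check": lambda p, c: p.proto == "icmp" and p.icmp_echo
                                          and p.length > c.icmp_ping_max_length,
    "icmpv6-ping-max-check": lambda p, c: p.proto == "icmpv6" and p.icmp_echo
                                          and p.length > c.icmp_ping_max_length,
    "ipv6-min-frag-size-check": lambda p, c: _is_ipv6(p) and p.frag_offset is not None
                                             and p.length < c.ipv6_min_frag_size_length,
    "nullscan-deny": lambda p, c: _tcp(p) and p.tcp_flags == 0,
    "synfin-deny": lambda p, c: _tcp(p) and _flags(p, SYN | FIN),
    "synrst-deny": lambda p, c: _tcp(p) and _flags(p, SYN | RST),
    "xmas-deny": lambda p, c: _tcp(p) and p.seq == 0 and _flags(p, FIN | URG | PSH),
    "syn-sportl1024-deny": lambda p, c: _tcp(p) and _flags(p, SYN) and p.sport < 1024,
    "tcpblat-deny": lambda p, c: _tcp(p) and p.sport == p.dport,
    "udpblat-deny": lambda p, c: p.proto == "udp" and p.sport == p.dport,
    "tcp-frag-off-min-check": lambda p, c: _tcp(p) and p.frag_offset == 1,
    "tcphdr-min-check": lambda p, c: _tcp(p) and p.tcp_hdr_len < c.tcphdr_min_length,
    "pod-deny": _pod,
    "smurf-deny": _smurf,
}


def dos_verdict(pkt, cfg=None):
    """Return the enabled rules that would drop pkt; an empty list means it is forwarded."""
    cfg = cfg or DosConfig()
    return [name for name, rule in RULES.items() if name in cfg.enabled and rule(pkt, cfg)]


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    print(dos_verdict(Packet()))
    print(dos_verdict(Packet(tcp_flags=FIN | URG | PSH, seq=0)))
    print(dos_verdict(Packet(proto="icmp", icmp_echo=True, length=1500)))
    print(dos_verdict(Packet(proto="icmp", icmp_echo=True, dst_ip="192.0.2.255"),
                      DosConfig(smurf_netmask=24)))
```

The model deliberately reports every matching rule rather than the first one, which makes it easy to see that a single SYN/FIN probe from a low source port to the same port trips synfin-deny, syn-sportl1024-deny and tcpblat-deny at once; on a switch only one counter may be incremented, so the first-match order of the real implementation is not something this script can tell you.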

Mode

Global Configuration

Example

The following example sets the minimum IPv6 fragment size to 1024 bytes, and enables the IPv6 minimum fragment size check.

Switch#configure terminal

Switch(config)# dos ipv6-min-frag-size-length 1024

Switch(config)# dos ipv6-min-frag-size-check


7.2 DOS (INTERFACE)

To enable DoS protection on a specific interface, use the command dos in the Interface Configuration mode. Use the no form of the command to disable DoS protection on the interface.

Switch#configure terminal

Switch(config)# interface {interface-ID}

Switch(config-if)# dos

Switch(config-if)# no dos

Syntax

dos

no dos

Default

DoS protection is disabled on each interface.

Mode

Interface Configuration

Example

The following example enables DoS protection on the interface GigabitEthernet 2.

Switch#configure terminal

Switch(config)# interface GigabitEthernet 2

Switch(config-if)# dos


7.3 SHOW DOS

To show the DoS protection configuration, use the command show dos in the Privileged EXEC mode. For the status of DoS protection on each interface, use the command show dos interface in the Privileged EXEC mode.

Switch# show dos

Switch# show dos interface {IF_PORTS}

Syntax

show dos

show dos interface {IF_PORTS}

Parameter

interface {IF_PORTS} An interface ID or a list of interface IDs.

Mode

Privileged EXEC

Example

The following example shows the global DoS protection configuration.

Switch# show dos