Security
You can configure security settings for Sophos Switch.
DoS
Sophos Switch can monitor and block denial-of-service (DoS) attacks. A DoS attack is network traffic intended to overwhelm a host and disrupt its connection to the network.
Select On or Off to turn DoS protection on or off. Choose Not set to use settings configured locally on the switch.
After turning DoS on or off, click Update to save your changes.
When you turn on DoS, the switch drops packets that match the following types of DoS attacks:
- Destination MAC equal to Source MAC: Drops traffic where the source and destination MAC addresses are the same.
- LAND Attacks Destination IP equal to Source IP (IPv4/IPv6): Drops packets where the source and destination IP addresses are the same.
- TCP Blat (Destination TCP Port equal to Source TCP Port): Drops TCP packets where the source TCP and destination TCP ports are the same.
Note
The Network Time Protocol (NTP) client sometimes uses the same source and destination port. When you turn on DoS protection, Sophos Switch detects it as a TCP Blat attack and drops the packets. We recommend turning off DoS protection if you're running older NTP clients that use the same source and destination ports.
- UDP Blat (Destination UDP Port equal to Source UDP Port): Drops UDP packets where the source UDP and destination UDP ports are the same.
- Ping of Death (IPv4/IPv6): Drops packets with a length larger than 64K Bytes through fragments.
- IPv6 Minimum Fragment (Bytes): Limits the minimum size of IPv6 fragments to 1240 Bytes.
- ICMP Fragments (IPv4/IPv6): Drops fragmented ICMP packets.
- IPv4 Ping Max Size: Limits the maximum length of an IPv4 ping packet to 512 bytes.
- IPv6 Ping Max Size: Limits the maximum length of an IPv6 ping packet to 512 bytes.
- Smurf Attack (Netmask Length): Limits the netmask length of broadcast ICMP packets to 24 (x.x.x.255).
- TCP Minimum Header Size (Bytes): Limits the minimum size of the TCP header to 20 Bytes.
- TCP-SYN: Drops TCP packets where the SYN flag is set, the ACK flag isn't set, and the source port is smaller than 1024.
- Null Scan: Drops TCP packets where no flags are set and the sequence number is zero.
- Xmas: Drops TCP packets with the sequence number zero and the FIN, URG, and PSH flags set.
- TCP SYN-FIN: Drops TCP packets with the SYN and FIN flags set.
- TCP SYN-RST: Drops TCP packets with the SYN and RST flags set.
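The rules above can be read as a fixed classifier over a handful of header fields. The following is an added illustration, not Sophos code: a constructed packet model and a function that returns the name of the first rule a packet matches, so you can see which legitimate traffic (for example a same-port exchange like the NTP case in the note) a rule would also drop. Field names, rule order and the reassembled-length field are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet model: only the fields the DoS rules inspect (assumed names).
@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str                      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names: SYN, ACK, FIN, RST, URG, PSH
    seq: int = 1                    # TCP sequence number
    tcp_hdr_len: int = 20           # TCP header length in bytes
    total_len: int = 64             # reassembled IP length in bytes (assumed field)
    is_fragment: bool = False       # set when the packet is an IP fragment

def dos_match(p: Packet) -> Optional[str]:
    """Return the name of the first DoS rule the packet matches, or None."""
    if p.src_mac == p.dst_mac:
        return "Destination MAC equal to Source MAC"
    if p.src_ip == p.dst_ip:
        return "LAND"
    if p.total_len > 65535:                 # only reachable via fragment reassembly
        return "Ping of Death"
    if p.proto == "tcp":
        f = p.flags
        if p.sport == p.dport:
            return "TCP Blat"
        if p.tcp_hdr_len < 20:
            return "TCP Minimum Header Size"
        if "SYN" in f and "FIN" in f:
            return "TCP SYN-FIN"
        if "SYN" in f and "RST" in f:
            return "TCP SYN-RST"
        if "SYN" in f and "ACK" not in f and p.sport < 1024:
            return "TCP-SYN"
        if not f and p.seq == 0:
            return "Null Scan"
        if p.seq == 0 and {"FIN", "URG", "PSH"} <= f:
            return "Xmas"
    elif p.proto == "udp" and p.sport == p.dport:
        return "UDP Blat"
    elif p.proto == "icmp":
        if p.is_fragment:
            return "ICMP Fragments"
        if p.total_len > 512:
            return "Ping Max Size"
    return None
```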