C6900 - Repeated DOS Attacks from same source ip

When C6900 shows DoS in the logs it could mean that an actual DoS attack is taking place or it could be a false positive. Sometime, certain IPv6 multicast fragmented packets may be mistaken by the C6900 firewall as DoS attack and that will show up in the logs. In most cases, these logs are harmless and should not cause any network degradation. You should not see these false positives with regular IPv6 or IPv4 traffic.

If you believe that these attacks are false positives or not you can try the following work arounds:

1. If you have any printers on the network disable the IPv6 on the Printer and use only IPv4 if it supports both IPv4 and IPv6. Many printers with IPv6 enabled will generate IPv6 multicast fragmented packets. If the issue still occurs check other devices on network and use similar approach.
2. Disable the DoS attack setting by login to the C6900 Web UI and go to ADVANCED -> Setup -> WAN Setup, then uncheck the “Disable Port Scan and DoS Protection” button by doing this the DoS and Port Scan protection will be enabled.