DoS is built in to the CSS, there is no configuration for it expect for snmp trap generation for DoS detection. CSS is not a firewall, its DoS detection is limited to obvious things, such as source and destination addresses being the same - land, smurf, half open syn, loopback or broadcast addresses, source address that the box owns etc.