Nortel Networks WEB OS 212777 User Manual

Web OS 10.0 Application Guide
Chapter 6: Server Load Balancing
Page 147
212777-A, February 2002

Figure 6-10 Repelling DoS SYN Attacks With Delayed Binding

Once the Web switch receives a valid ACK or DATA REQ from the client, the Web switch sends a SYN request to the server on behalf of the client, waits for the server to respond with a SYN ACK, and then forwards the client's DATA REQ to the server. In effect, the Web switch delays binding the client session to the server until the proper handshakes are complete.

Thus, with delayed binding, two independent TCP connections span a Web session: one from the client to the Web switch and the second from the Web switch to the selected server. The switch temporarily terminates each TCP connection until content has been received, thus preventing the server from being inundated with SYN requests.

NOTE: Delayed binding is automatically enabled when content-intelligent switching features are used. However, if you are not parsing content, you must explicitly enable delayed binding if desired.
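As an added illustration (not Web OS code), the following Python models the delayed-binding behaviour described above: the switch answers every SYN without recording anything, creates a session entry only when the client's ACK validates, and only then opens its own connection to the server. It assumes the "special SYN ACK" carries a SYN-cookie-style sequence number, which the manual does not specify; the backend, addresses and flood are constructed.

```python
import hashlib
import hmac
# Constructed example, not Web OS code. It assumes the "special SYN ACK" carries a sequence
# number computed from the client's address, port and ISN, so the switch can verify the
# returning ACK without keeping any per-SYN state (an assumption, not the manual's design).
COOKIE_KEY = b"constructed-demo-key"   # a real switch would use a random per-boot secret
MASK = 0xFFFFFFFF

def syn_cookie(ip, port, client_isn):
    mac = hmac.new(COOKIE_KEY, f"{ip}:{port}:{client_isn}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

class FakeServer:               # stand-in backend: counts SYNs received and data forwarded
    def __init__(self):
        self.syns, self.received = 0, []
    def connect(self):          # the switch's own SYN / SYN-ACK exchange with the server
        self.syns += 1
        return self
    def send(self, data):
        self.received.append(data)

class DelayedBindingSwitch:
    def __init__(self, server):
        self.server, self.sessions = server, {}   # session entries only after a valid handshake
        self.stats = {"syn": 0, "bound": 0, "rejected": 0}

    def on_syn(self, ip, port, isn):
        # Stateless reply: nothing is recorded, so a SYN flood consumes no table entries.
        self.stats["syn"] += 1
        return {"flags": "SYN-ACK", "seq": syn_cookie(ip, port, isn), "ack": (isn + 1) & MASK}

    def on_ack(self, ip, port, seq, ack, payload=b""):
        # A valid ACK echoes cookie+1; the client's ISN is recovered as seq-1.
        if ack != (syn_cookie(ip, port, (seq - 1) & MASK) + 1) & MASK:
            self.stats["rejected"] += 1
            return False        # forged or guessed ACK: no session entry, no SYN to the server
        backend = self.server.connect()   # only now does the switch SYN the server
        self.sessions[(ip, port)] = backend
        self.stats["bound"] += 1
        if payload: backend.send(payload)  # forward the client's DATA REQ
        return True

def simulate(flood_size=10000):
    # Constructed scenario: a spoofed SYN flood, one legitimate client, one forged ACK.
    server = FakeServer()
    sw = DelayedBindingSwitch(server)
    for i in range(flood_size):           # spoofed SYNs never complete the handshake
        sw.on_syn(f"10.0.{i >> 8}.{i & 255}", 40000 + i % 1000, (i * 7919) & MASK)
    synack = sw.on_syn("192.0.2.10", 51515, 1000)
    sw.on_ack("192.0.2.10", 51515, 1001, (synack["seq"] + 1) & MASK, b"GET / HTTP/1.0\r\n\r\n")
    sw.on_ack("192.0.2.11", 51516, 1, (syn_cookie("192.0.2.11", 51516, 0) + 2) & MASK)
    return sw.stats, server.syns, len(sw.sessions)
```

Running `simulate()` shows the server receiving exactly one SYN despite ten thousand spoofed client SYNs, which is the resource protection the figure describes.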

[Figure 6-10 is a diagram with two panels; each shows the Internet, a Client, the Web Switch and a Server. Its labels read as follows.]

Normal Request with Delayed Binding:
1. Client sends a SYN request.
2. Switch responds with special SYN ACK.
3. Client sends an ACK or DATA REQ.
4. Switch recognizes valid three-way handshake.
5. Switch sends a SYN request to server.
6. Server responds with SYN ACK.
7. Switch sends ACK or DATA REQ.
8. Server responds with DATA and switch splices connection to client.

DoS SYN Attack with Delayed Binding:
1. Client sends a SYN request.
2. Switch responds with special SYN ACK.
3. Client sends new SYN requests.
4. Switch responds with another SYN ACK.
No session entry is made until a valid three-way handshake is complete. Switch and server resources are protected for legitimate requests.
