Syn-proxy and dos protection, Understanding syn-proxy, Syn-proxy auto control – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide, 53-1003250-01, page 75

Chapter 5: Syn-Proxy and DoS Protection

Understanding Syn-Proxy

Syn-Proxy™ allows TCP connections to be terminated on the Brocade Virtual ADX. When Syn-Proxy
is enabled, the Brocade Virtual ADX completes the three-way handshake with a connecting client.
Only when the three-way handshake is completed does the Brocade Virtual ADX establish a
connection with the destination server and forward packets from the client to the server.

In a TCP SYN attack, the attacker floods a host with TCP SYN packets. The host replies with
SYN-ACK packets, but the attacker never sends the final ACK. Each handshake remains
incomplete, and the host holds half-open connection state while waiting indefinitely for it to
complete. As a result, the resources available for TCP connections are rapidly depleted and the
host is unable to accept any further TCP connections.

Brocade Virtual ADX prevents these types of attacks by sitting between the host and the attacker.
When an attacker sends a SYN packet, Brocade Virtual ADX receives it and replies with a
SYN-ACK. If the attacker doesn’t send an ACK to the Brocade Virtual ADX, the handshake isn’t
completed with the Brocade Virtual ADX. In this situation, the server never receives any packets
from the attacking client and is oblivious to the attack.

If the SYN is from a valid client and not an attacker, Brocade Virtual ADX completes the handshake
and forwards the SYN to the host. Brocade Virtual ADX creates the session only at this point, when
the three-way handshake is complete.

Syn-Proxy auto control

Syn-Proxy can be explicitly enabled or disabled through a CLI command, or it can be set up to be
automatically enabled when the TCP SYN packet arrival rate exceeds a configured threshold and
automatically disabled when the TCP SYN packet arrival rate falls below a configured threshold.
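The following Python model is an added illustration of the two mechanisms described above (the proxied handshake and auto control); it is not Brocade code and does not reflect the ADX's actual implementation. Class and method names, the one-second rate window and the use of a single threshold for both the enable and disable decisions are assumptions; the traffic in simulate() is constructed.

```python
from collections import deque

class SynProxy:
    """Model of Syn-Proxy: the handshake completes on the proxy, and the
    server is only contacted once the client has sent its ACK."""
    def __init__(self, attack_rate_threshold=None, enabled=False):
        self.threshold = attack_rate_threshold  # SYNs/s; None = manual control only
        self.enabled = enabled                  # explicit enable, or toggled by auto control
        self.syn_times = deque()                # arrival times of SYNs in the last second
        self.half_open = {}                     # clients the proxy has SYN-ACKed; no server state
        self.server_state = set()               # clients for which the server holds TCP state

    def syn_rate(self, now):
        """SYN packets seen in the one-second window ending at `now`."""
        while self.syn_times and now - self.syn_times[0] >= 1.0:
            self.syn_times.popleft()
        return len(self.syn_times)

    def handle(self, client, flag, now):
        """Process one packet and return the action taken."""
        if flag == "SYN":
            self.syn_times.append(now)
            if self.threshold is not None:     # auto control (assumed single threshold)
                rate = self.syn_rate(now)
                if rate > self.threshold:
                    self.enabled = True
                elif rate < self.threshold:
                    self.enabled = False
        if not self.enabled:                   # proxy off: server does its own handshake
            if flag == "SYN":
                self.server_state.add(client)  # server now holds a half-open entry
            return "passthrough"
        if flag == "SYN":
            self.half_open[client] = now       # proxy answers SYN-ACK; server untouched
            return "proxy-syn-ack"
        if flag == "ACK" and client in self.half_open:
            del self.half_open[client]
            self.server_state.add(client)      # session created only now
            return "session-created"
        return "dropped"                       # no matching half-open handshake

def simulate(threshold=100):
    """Constructed traffic: a real client, a 200-SYN flood that never ACKs, another real client."""
    p, log = SynProxy(attack_rate_threshold=threshold), []
    log += [p.handle("10.0.0.5", "SYN", 0.0), p.handle("10.0.0.5", "ACK", 0.05)]
    for i in range(200):                       # 200 SYNs in 0.2 s from distinct sources
        log.append(p.handle(f"203.0.113.{i}", "SYN", 1.0 + i * 0.001))
    log += [p.handle("10.0.0.6", "SYN", 1.5), p.handle("10.0.0.6", "ACK", 1.55)]
    return p, log
```

Running simulate() shows auto control tripping only once the rate exceeds the threshold: the first SYNs of the flood reach the server, the rest are absorbed as half-open entries on the proxy, and the legitimate client that arrives mid-flood still gets a session.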

Configuring Syn-Proxy

This section contains the following sections:

“Enabling SYN-Proxy” on page 76
“Setting Attack-Rate-Threshold” on page 76
“Setting SYN-Ack-Window-Size” on page 77
“Setting Reset-Using-Client-MAC” on page 77
“Retransmitting TCP SYNs” on page 77
