Setting a minimum mss value for syn-ack packets, Dropping ack packets with no data, Hierarchy of operation – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide


53-1003250-01

Configuring Syn-Proxy


Dropping ACK packets with no data

This feature applies only where Syn-Proxy is enabled. When it is configured, any ACK packet carrying
no data that the client sends after the Brocade Virtual ADX has answered its SYN with a SYN-ACK is
dropped. An ACK packet that carries data is forwarded to the BP and processed there.

This feature is enabled with the following command.

Virtual ADX(config)#server virtual-name-or-ip www.example1.com 10.95.55.1

Virtual ADX(config-vs-www.example1.com)#port http drop-ack-with-no-data

Syntax: [no] port tcp|udp-port drop-ack-with-no-data

This feature is helpful against a real SYN attack in which the attacker completes the three-way
handshake with a valid ACK but never sends any data afterwards: the dataless ACK is discarded at the
Syn-Proxy instead of being passed on to the BP.

Setting a minimum MSS value for SYN-ACK packets

The default condition of the Brocade Virtual ADX is to generate SYN-ACK packets with a Maximum
Segment Size (MSS) that is equal or nearly equal to the client MSS value. This process disregards
the MSS value of the server. This can result in dropped packets or other unexpected behavior in
situations where the MSS value of the server is smaller than the MSS value of the client.

This feature allows you to set the MSS value for SYN-ACK packets generated by the Brocade Virtual
ADX independently of the client MSS value. A minimum MSS value can be configured at any of the
following levels:

Global level – configures the TCP MSS value at the global level

Virtual server level – configures the TCP MSS value for all virtual ports under a specified virtual
server

Virtual port level – configures the TCP MSS value for a specified virtual port

Destination IP – configures the TCP MSS value for pass-through traffic to a specified
destination IP address

NOTE

The tcp-mss command only takes effect while syn-proxy is enabled. If syn-proxy is turned off, the
tcp-mss command has no effect.

If the configured minimum MSS is larger than the client's actual MSS value, the Brocade Virtual
ADX will use the client's MSS value in SYN-ACK.

Hierarchy of operation

When multiple levels of the minimum MSS value are configured, the MSS value used by the
Brocade Virtual ADX is determined by the following hierarchy.

1. Virtual Port level – Values configured at this level take precedence over any other MSS setting
on the Brocade Virtual ADX.

2. Virtual Server level – Only values configured at the Virtual Port level take precedence over MSS
values configured at this level.
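The following Python model, added here and not part of the Brocade manual or product, reproduces the two rules this section describes so they can be exercised together: the "Dropping ACK packets with no data" behaviour (a dataless ACK after the proxy's SYN-ACK is dropped, an ACK with data reaches the BP) and the tcp-mss selection (virtual port beats virtual server, a configured value above the client's MSS is replaced by the client's MSS, and nothing applies when syn-proxy is off). Two things in it are assumptions rather than statements from the page: falling back to the global tcp-mss value when neither the virtual port nor the virtual server has one (the page's hierarchy stops after level 2), and the constructed client addresses, MSS values and payload used as sample input.

```python
"""Model of the Syn-Proxy rules described in this section.

Added example, not Brocade code.  Assumptions not stated on the page:
the global tcp-mss is used when neither the virtual port nor the virtual
server has one, and all sample clients/values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MssConfig:
    """tcp-mss values per configuration level; None means not configured."""
    global_mss: Optional[int] = None
    server_mss: dict = field(default_factory=dict)   # vserver name -> mss
    port_mss: dict = field(default_factory=dict)     # (vserver, port) -> mss


def configured_mss(cfg: MssConfig, vserver: str, port: int) -> Optional[int]:
    """Hierarchy of operation: virtual port beats virtual server.  Using the
    global value as last resort is an assumption (the page lists two levels)."""
    if (vserver, port) in cfg.port_mss:
        return cfg.port_mss[(vserver, port)]
    if vserver in cfg.server_mss:
        return cfg.server_mss[vserver]
    return cfg.global_mss


def synack_mss(client_mss: int, cfg: MssConfig, vserver: str, port: int,
               syn_proxy: bool = True) -> int:
    """MSS the ADX advertises in its SYN-ACK.  With syn-proxy off, tcp-mss has
    no effect and the default (MSS equal to the client's) applies.  A configured
    value larger than the client's MSS is replaced by the client's MSS."""
    if not syn_proxy:
        return client_mss
    configured = configured_mss(cfg, vserver, port)
    return client_mss if configured is None else min(configured, client_mss)


@dataclass
class Segment:
    flags: str                 # "SYN", "SYN-ACK" or "ACK"
    payload: bytes = b""
    mss: int = 1460            # MSS option carried in SYN / SYN-ACK


class SynProxy:
    """One virtual port with syn-proxy enabled."""

    def __init__(self, cfg: MssConfig, vserver: str, port: int,
                 drop_ack_with_no_data: bool = False):
        self.cfg, self.vserver, self.port = cfg, vserver, port
        self.drop_ack_with_no_data = drop_ack_with_no_data
        self.awaiting_ack = {}     # client -> MSS offered in our SYN-ACK
        self.established = set()   # clients whose connection reached the BP
        self.forwarded_to_bp = []  # (client, segment) handed to the BP
        self.dropped = []          # clients whose dataless ACK was dropped

    def receive(self, client: str, seg: Segment) -> Optional[Segment]:
        """Handle one client segment; returns the reply sent to the client, if any."""
        if seg.flags == "SYN":
            mss = synack_mss(seg.mss, self.cfg, self.vserver, self.port)
            self.awaiting_ack[client] = mss
            return Segment("SYN-ACK", mss=mss)
        if seg.flags == "ACK":
            if client in self.awaiting_ack:
                if not seg.payload and self.drop_ack_with_no_data:
                    self.dropped.append(client)      # handshake-only client: dropped
                    return None
                del self.awaiting_ack[client]
                self.established.add(client)
            if client in self.established:
                self.forwarded_to_bp.append((client, seg))   # ACK with data -> BP
        return None


def handshake_only_flood(n: int, drop: bool) -> int:
    """Constructed attack from the text: n clients complete the handshake with a
    valid ACK but never send data.  Returns how many of them reached the BP."""
    proxy = SynProxy(MssConfig(), "www.example1.com", 80, drop_ack_with_no_data=drop)
    for i in range(n):
        client = f"198.51.100.{i}"           # constructed source addresses
        proxy.receive(client, Segment("SYN"))
        proxy.receive(client, Segment("ACK"))   # valid ACK, no payload
    return len(proxy.forwarded_to_bp)


if __name__ == "__main__":
    print("handshake-only clients reaching BP without the feature:",
          handshake_only_flood(100, drop=False))
    print("handshake-only clients reaching BP with drop-ack-with-no-data:",
          handshake_only_flood(100, drop=True))
```

Running the module shows the point of `drop-ack-with-no-data`: with the feature off every handshake-only client reaches the BP, with it on none do, while a client that follows its ACK with a request is still forwarded. The `synack_mss` function can be queried with different client MSS values to see the clamp from the note above (a configured value above the client's MSS is never advertised).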
