Setting a minimum mss value for syn-ack packets, Limiting syn-proxy feature to defined vips, Setting the source mac address – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide, 53-1002440-03, page 117

Chapter 5: Configuring Syn-Proxy

Limiting syn-proxy feature to defined VIPs

With this feature enabled, the syn packets are dropped if a virtual server IP port is not defined
under a VIP configuration. This feature is enabled with the following command.

ServerIronADX(config)# server syn-cookie-check-vport

Syntax: [no] server syn-cookie-check-vport

Setting the source MAC address

With this feature enabled, the SYN-ACK reply packets will have their source MAC address set to the
MAC address of the ServerIron ADX. This can be helpful to avoid flooding in the case of a SYN to an
unknown unicast or broadcast address. This feature is enabled with the following command.

ServerIronADX(config)# server syn-cookie-set-sa

Syntax: [no] server syn-cookie-set-sa

Limiting the syn-proxy feature to VIP traffic only

This feature directs the ServerIron ADX to apply the Syn-Proxy feature to VIP traffic only (not to
pass-through traffic). This feature is enabled with the following command.

ServerIronADX(config)# server security-on-vip-only

Syntax: [no] server security-on-vip-only

Dropping ACK packets with no data

This feature applies where Syn-Proxy is enabled. Configuring this feature causes ACK packets with
no data to be dropped after the ServerIron ADX responds with a SYN-ACK to the client SYN. An ACK
packet with data is forwarded to the BP and processed by the BP.

This feature is enabled with the following command.

ServerIronADX(config)# server virtual-name-or-ip www.alterego.com 207.95.55.1

ServerIronADX(config-vs-www.alterego.com)# port http drop-ack-with-no-data

Syntax: [no] port <tcp/udp-port> drop-ack-with-no-data

This feature is helpful in the event of a real SYN attack in which a valid ACK packet is sent but no
data packets follow it.

Setting a minimum MSS value for SYN-ACK packets

The default condition of the ServerIron ADX is to generate SYN-ACK packets with a Maximum
Segment Size (MSS) that is equal or nearly equal to the client’s MSS value. This process disregards
the MSS value of the server. This can result in dropped packets or other unexpected behavior in
situations where the MSS value of the server is smaller than the MSS value of the client.

This feature allows you to set the MSS value for SYN-ACK packets generated by the ServerIron ADX
regardless of the client’s MSS value. A minimum MSS value can be enabled in any of the following
configurations:

Global level – configures the TCP MSS value at the global level
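The following is an added example, not code from the ServerIron ADX or from this guide: a small Python model of the Syn-Proxy decision logic described in the sections above (syn-cookie-check-vport, security-on-vip-only, drop-ack-with-no-data, and a configured SYN-ACK MSS that overrides the client's value). All class and field names are hypothetical, the HMAC-based cookie is a stand-in for the undocumented ADX encoding, and the packets are constructed sample input; the point is to show which packets are dropped, proxied or forwarded to the BP under each setting.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed example: a simplified model of the SYN-proxy decision logic
# described on this page. Names and the cookie function are hypothetical;
# this is not ServerIron ADX code.


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str            # "SYN" or "ACK"
    seq: int = 0
    ack: int = 0
    mss: int = 1460       # client's advertised MSS (meaningful on SYN only)
    payload: bytes = b""


@dataclass
class VipPort:
    # per-port setting, as in "port http drop-ack-with-no-data"
    drop_ack_with_no_data: bool = False


@dataclass
class SynProxy:
    vips: Dict[Tuple[str, int], VipPort]
    syn_cookie_check_vport: bool = False   # "server syn-cookie-check-vport"
    security_on_vip_only: bool = False     # "server security-on-vip-only"
    synack_mss: Optional[int] = None       # configured MSS for generated SYN-ACKs
    secret: bytes = field(default_factory=lambda: os.urandom(16))
    established: Set[Tuple[str, str, int]] = field(default_factory=set)

    def cookie(self, src: str, dst: str, dport: int, client_isn: int) -> int:
        """Stateless SYN cookie: keyed hash of the flow and the client ISN.
        HMAC-SHA256 is an assumption here, not the ADX algorithm."""
        msg = f"{src}|{dst}|{dport}|{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def handle(self, pkt: Packet) -> Tuple:
        key = (pkt.dst, pkt.dport)
        vport = self.vips.get(key)

        # security-on-vip-only: pass-through traffic is not proxied at all
        if self.security_on_vip_only and vport is None:
            return ("forward", "pass-through")

        if pkt.flags == "SYN":
            # syn-cookie-check-vport: SYNs to undefined VIP ports are dropped
            if self.syn_cookie_check_vport and vport is None:
                return ("drop", "no VIP port")
            # default: echo the client's MSS; a configured value overrides it
            mss = pkt.mss if self.synack_mss is None else self.synack_mss
            return ("synack", self.cookie(pkt.src, pkt.dst, pkt.dport, pkt.seq), mss)

        if pkt.flags == "ACK":
            # the client's ACK carries its ISN+1 as seq and our cookie+1 as ack
            expected = self.cookie(pkt.src, pkt.dst, pkt.dport, pkt.seq - 1)
            if ((pkt.ack - 1) & 0xFFFFFFFF) != expected:
                return ("drop", "bad cookie")
            # drop-ack-with-no-data: an empty ACK after our SYN-ACK is discarded
            if vport is not None and vport.drop_ack_with_no_data and not pkt.payload:
                return ("drop", "ack without data")
            self.established.add((pkt.src, pkt.dst, pkt.dport))
            return ("forward", "to BP")

        return ("drop", "unexpected flags")


def demo():
    """Walk one client through the proxy with the page's features enabled."""
    proxy = SynProxy(
        vips={("207.95.55.1", 80): VipPort(drop_ack_with_no_data=True)},
        syn_cookie_check_vport=True,
        synack_mss=1380,
    )
    decisions = []
    syn = Packet("10.0.0.7", "207.95.55.1", 80, "SYN", seq=1000, mss=1460)
    kind, cookie, mss = proxy.handle(syn)
    decisions.append((kind, mss))                     # SYN-ACK uses configured MSS
    empty_ack = Packet("10.0.0.7", "207.95.55.1", 80, "ACK", seq=1001, ack=cookie + 1)
    decisions.append(proxy.handle(empty_ack))         # valid cookie, no data: dropped
    data_ack = Packet("10.0.0.7", "207.95.55.1", 80, "ACK", seq=1001, ack=cookie + 1,
                      payload=b"GET / HTTP/1.0\r\n\r\n")
    decisions.append(proxy.handle(data_ack))          # valid cookie with data: to BP
    decisions.append(proxy.handle(Packet("10.0.0.7", "207.95.55.1", 443, "SYN", seq=5)))
    forged = Packet("10.0.0.9", "207.95.55.1", 80, "ACK", seq=1, ack=12345)
    decisions.append(proxy.handle(forged))            # no matching cookie: dropped
    return decisions


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Run it and the five decisions show, in order: a SYN-ACK advertising 1380 rather than the client's 1460, the empty ACK dropped, the ACK carrying data forwarded to the BP, the SYN to the undefined port 443 dropped, and the forged ACK dropped for a bad cookie. Without security-on-vip-only, non-VIP traffic still passes through the SYN-cookie path; with it set, the same SYN is forwarded untouched.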
