Configuring syn-proxy auto control, Setting the syn-proxy auto control thresholds – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

ServerIron ADX Security Guide

53-1002440-03

Configuring Syn-Proxy

Configuring Syn-Proxy auto control

Syn-proxy auto control operates the same as the normal Syn-proxy feature except that it is enabled
and disabled based on the arrival rate of TCP SYN packets on the ServerIron ADX. This is described
in “Syn-Proxy auto control” on page 113. The following steps describe how to configure your
ServerIron ADX for Syn-proxy auto control.

1. Set the SYN-Proxy auto control threshold levels – This procedure, described in “Setting the
SYN-Proxy auto control thresholds” on page 120, sets the thresholds for enabling and
disabling Syn-Proxy during operation of the ServerIron ADX.

2. Set the interval time for counting TCP SYN packets – This procedure, described in “Setting the
interval time for counting TCP SYN packets” on page 121, sets the time period over which the
thresholds set in Step 1 are evaluated.

3. Define Syn-Proxy on an in-bound interface – This is described in Step 2 of the procedure for
“Enabling SYN-Proxy” on page 114.

Considerations for configuring Syn-proxy auto control

The following details concerning operation of the Syn-proxy feature should be considered when
configuring the Syn-proxy auto control feature on a ServerIron ADX:

All traffic including SLB and pass-through traffic is brought to a BP. Consequently, regardless of
whether or not an interface has the syn-proxy feature enabled, if the threshold set for the rate
of syns received per-second is exceeded for all ports on a ServerIron ADX, Syn-proxy auto
control is enabled and will stay enabled as long as the rate remains above the configured
off-threshold value.

For interfaces that do not have the syn-proxy feature enabled, there will not be any syn attack
protection even when Syn-proxy is enabled through auto control. Consequently, for the
Syn-proxy auto control feature to work as expected, we recommend that syn-proxy be enabled
on all interfaces.

Setting the SYN-Proxy auto control thresholds

To activate Syn-Proxy auto control, follow these steps:

Globally enable Syn-Proxy auto control by setting the thresholds for enabling and disabling
Syn-Proxy as shown in the following command.

ServerIronADX(config)# ip tcp syn-proxy on-threshold 1000 off-threshold 500

Syntax: ip tcp syn-proxy on-threshold <on-threshold-value> off-threshold <off-threshold-value>

The on-threshold parameter is used to define the rate of syns received per-second (specified by the
<on-threshold-value> variable) at which the Syn-Proxy feature is enabled on the ServerIron ADX.
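
The enable/disable behaviour these thresholds produce can be checked before deployment with the following Python model, an added example and not Brocade code. It assumes that Syn-Proxy turns on when the SYN rate exceeds the on-threshold, turns off once the rate is no longer above the off-threshold, and that the rate is the SYN count divided by the counting interval; the class, function and sample counts are constructed for illustration.

```python
# Added illustration: a model of on/off-threshold hysteresis, not ServerIron ADX code.
from dataclasses import dataclass


@dataclass
class SynProxyAutoControl:
    on_threshold: int      # SYNs per second above which Syn-Proxy turns on
    off_threshold: int     # Syn-Proxy stays on while the rate is above this
    interval_s: int = 1    # assumed counting interval, in seconds
    enabled: bool = False

    def __post_init__(self):
        # Sanity checks of this model (assumptions, not documented device rules).
        if self.off_threshold > self.on_threshold:
            raise ValueError("off-threshold must not exceed on-threshold")
        if self.interval_s <= 0:
            raise ValueError("interval must be positive")

    def observe(self, syn_count: int) -> bool:
        """Feed the SYN count for one interval; return the resulting state."""
        rate = syn_count / self.interval_s
        if not self.enabled and rate > self.on_threshold:
            self.enabled = True
        elif self.enabled and rate <= self.off_threshold:
            self.enabled = False
        # Rates between the two thresholds leave the previous state unchanged.
        return self.enabled


def simulate(counts, on_threshold=1000, off_threshold=500, interval_s=1):
    """Return the Syn-Proxy state after each interval's SYN count."""
    ctl = SynProxyAutoControl(on_threshold, off_threshold, interval_s)
    return [ctl.observe(c) for c in counts]


# Constructed per-interval SYN counts: quiet, burst, decay, quiet again.
SAMPLE_COUNTS = [200, 800, 1200, 900, 600, 501, 500, 300, 950]

if __name__ == "__main__":
    for count, state in zip(SAMPLE_COUNTS, simulate(SAMPLE_COUNTS)):
        print(f"{count:>5} SYNs -> Syn-Proxy {'on' if state else 'off'}")
```

With the page's values of 1000 and 500, a rate of 950 after the burst has ended does not re-enable Syn-Proxy, while 600 during the decay keeps it on; the gap between the two thresholds is what prevents rapid toggling.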

TABLE 9   MSS values for IPv4, IPv6 and IPv4 jumbo

             MSS value
IPv6         64, 236, 516, 946, 1004, 1420, 1432, 1440
IPv4 Jumbo   256, 536, 966, 1024, 1452, 1460, 4038, 8960