Enabling syn-proxy, Setting attack-rate-threshold – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Page 88

Advertising
background image

76

Brocade Virtual ADX Security Guide

53-1003250-01

Configuring Syn-Proxy

5

NOTE

In a syn-proxy configuration for a local client, if an ARP entry for the client is not stored, the first TCP
connection may need to retransmit none-syn packets since it may get dropped until the Brocade
Virtual ADX stores an ARP entry for the client. There will only be a performance impact for the very
first connection.

NOTE

DSR is not supported with SYN-proxy and is supported with SYN-def.

Enabling SYN-Proxy

To activate Syn-Proxy, follow these steps:

1. Globally enable Syn-Proxy, using the following command:

Virtual ADX(config)#ip tcp syn-proxy

Syntax: ip tcp syn-proxy

NOTE

The ip tcp syn-proxy command must be executed at the global configuration level. If it is
executed at the interface configuration level it will not take effect.

2. Configure a port and enter the interface configuration mode, using the following commands:

Virtual ADX(config)#interface ethernet 2/1

Virtual ADX(config-if-e1000-2/1)#ip tcp syn-proxy in

Syntax: interface ethernet slot number/port number

Syntax: ip tcp syn-proxy in

The ip tcp syn-proxy command can be configured for either a physical interface (as shown) or a
ve interface.

Setting Attack-Rate-Threshold

A DoS attack threshold specifies the number of SYNs, without corresponding ACKs, the Brocade
Virtual ADX accepts before writing a warning message to the system log (every 60 seconds for the
duration of the attack).

To configure a threshold value for the SYN attack rate, use the following command:

Virtual ADX(config)#server syn-cookie-attack-rate-threshold 2000

Syntax: server syn-cookie-attack-rate-threshold threshold value

The threshold variable is a number between 1 and 10000000. The default is 1000.

NOTE

If you do not configure a threshold, the Brocade Virtual ADX does not write SYN attack messages to
the log file.

If the number of SYNs (without corresponding ACKs), received on the Brocade Virtual ADX exceeds
the specified threshold of 2000, the Brocade Virtual ADX writes the following message to the log
file every 60 seconds for the duration of the attack:

"CRITICAL: syn-cookie attack rate 2005 exceeds attack rate threshold 2000"

Advertising
Popular Brands
Popular manuals