Ddos protection – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

Page 138

Advertising

124

ServerIron ADX Security Guide

53-1002440-03

DDoS protection

TABLE 11

Output Descriptions for show server syn-cookie

DDoS protection

A Distributed Denial of Service (DDoS) attack is employed to cause a denial of service to legitimate
users by consuming all or most of the CPU and memory resources on a ServerIron ADX or on real
servers. The ServerIron ADX provides protection and prevents well-known DDoS attacks such as
Xmas-tree attack, syn fragment, address sweep and others. The ServerIron ADX prevents these
attacks by defining filters for each type of attack coupled with a drop or log action. These filters are
then bound to an interface. All packets that match the filter on the bound interface are dropped or
logged as defined in the configuration. Filters can be defined according to a generic rule as shown
in

“Configuring a Generic Rule”

on page 125 or applied from built-in rules as described in Table 13,

Table 15 , Table 16 and Table 17. Filters are applied to IPv4 and IPv6 traffic where appropriate.

The following sections describe how to configure a security filter, define rules within a security filter
and bind a security filter to an interface.

•

“Configuring a security filter”

on page 125

•

“Configuring a Generic Rule”

on page 125

•

“Configuring a rule for common attack types”