Granular application of syn-proxy feature, Syn-def, Introduction – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual



ServerIron ADX Security Guide

53-1002440-03


ServerIron may accept the ACK during 33 seconds to 64 seconds due to the syn-proxy
algorithm, but it does not accept the ACK after 64 seconds.

If you enter a value for the ip tcp syn-proxy <value> command from the CLI or upgrade from an
older release such as 09.4.x to 09.5.2a with the ip tcp syn-proxy <value> command in the
config file, you receive the following warning message.

Warning: The value 10 is being ignored.

Default ACK validate time of 32 seconds will be used.

To change the MSL value, issue 'server msl <value>'.

Granular application of syn-proxy feature

This feature applies to ServerIron ADX Syn-Proxy. When this feature is enabled, traffic destined to a
virtual server IP is denied if the destination port is not defined under any of the virtual server
definitions.

This feature prevents ServerIron ADX from responding with TCP SYN-ACK to TCP SYN for ports not
defined under VIP.

Use the following command to validate traffic against a configured virtual port.

ServerIronADX(config)# server syn-cookie-check-vport

Syntax: [no] server syn-cookie-check-vport
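The two behaviours described above (an ACK that is guaranteed to validate for 32 seconds but may still be accepted up to 64 seconds, and the vport check that suppresses SYN-ACKs for ports not defined under the VIP) can be modelled in a few lines. The following is an added illustration, not Brocade's implementation or a description of the ServerIron's real cookie format: it assumes a counter-based SYN cookie (the counter advances every MSL seconds, and an ACK is checked against the current and the previous counter), which is one common way to get exactly the 32-to-64-second acceptance window the text describes. The VIP/port table, client address and class names are constructed for the example.

```python
"""Toy model of SYN-proxy ACK validation and per-vport SYN filtering.

Added example; not ServerIron ADX code. The cookie scheme (HMAC over a
counter that advances every MSL seconds, current and previous counter both
accepted) is an assumption used to reproduce the timing the manual states.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Default ACK-validate time from the manual; 'server msl <value>' changes it.
DEFAULT_MSL = 32


@dataclass
class SynProxyModel:
    # Constructed config: {vip: set(virtual ports defined under that VIP)}
    vip_ports: dict
    msl: int = DEFAULT_MSL
    # Models 'server syn-cookie-check-vport'
    check_vport: bool = False
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    def _counter(self, now: float) -> int:
        """Counter that ticks once every msl seconds."""
        return int(now) // self.msl

    def _cookie(self, counter: int, client: str, vip: str, dport: int) -> bytes:
        """Keyed cookie bound to the counter and the 3-tuple (assumed format)."""
        msg = f"{counter}|{client}|{vip}|{dport}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]

    def handle_syn(self, now: float, client: str, vip: str, dport: int):
        """Return the cookie carried in the SYN-ACK, or None if the SYN is dropped."""
        if vip not in self.vip_ports:
            return None  # not a configured virtual server
        if self.check_vport and dport not in self.vip_ports[vip]:
            return None  # granular syn-proxy: no SYN-ACK for an undefined vport
        return self._cookie(self._counter(now), client, vip, dport)

    def handle_ack(self, now: float, client: str, vip: str, dport: int, cookie: bytes) -> bool:
        """Accept the ACK if its cookie matches the current or previous counter.

        With a 32 s counter this guarantees validation for 32 s after the SYN
        and may extend to just under 64 s, depending on where inside the
        counter window the SYN arrived; nothing is accepted at or beyond 64 s.
        """
        cur = self._counter(now)
        for c in (cur, cur - 1):
            if hmac.compare_digest(self._cookie(c, client, vip, dport), cookie):
                return True
        return False


if __name__ == "__main__":
    m = SynProxyModel(vip_ports={"10.0.0.10": {80, 443}}, check_vport=True)
    c = m.handle_syn(0, "192.0.2.1", "10.0.0.10", 80)
    print("ACK at 40s accepted:", m.handle_ack(40, "192.0.2.1", "10.0.0.10", 80, c))
    print("ACK at 64s accepted:", m.handle_ack(64, "192.0.2.1", "10.0.0.10", 80, c))
    print("SYN to undefined vport 8080 answered:", m.handle_syn(0, "192.0.2.1", "10.0.0.10", 8080) is not None)
```

The model shows why the manual can only say the ACK "may" be accepted between 33 and 64 seconds: a SYN that arrives at the start of a counter window gets almost two full windows of grace, one that arrives at the end gets barely one. It also shows the value of the vport check from a defender's view: a SYN to a port that no virtual server defines never produces a SYN-ACK, so the ServerIron does not advertise open-looking ports it will never serve.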

Syn-def

Introduction

Use SYN-def (also known as SYN-Defense) to protect the hosts behind the ServerIron (not the
ServerIron itself) by having the ServerIron complete the TCP three-way handshake on behalf of a
connecting client. SYN-def does not provide SYN-cookie functionality.

NOTE

SYN-Defense is recommended only where Direct Server Return (DSR) is used. DSR is not
supported with SYN-proxy but is supported with SYN-def. For non-DSR scenarios, use SYN-proxy only.

show server traffic

Use the show server traffic command to display information about the number of times the
incomplete connection threshold was reached.
