Web OS 10.0 Application Guide, page 146
Chapter 6: Server Load Balancing
212777-A, February 2002
Delayed Binding
The delayed binding feature on the switch protects the server against SYN Denial-of-Service (DoS) attacks. A DoS condition occurs when the server or switch can no longer service clients because it is saturated with invalid traffic.
Typically, a three-way handshake occurs before a client connects to a server. The client sends out a synchronization (SYN) request to the server. The server allocates an area to process the client requests, and acknowledges the client by sending a SYN ACK. The client then acknowledges the SYN ACK by sending an acknowledgement (ACK) back to the server, thus completing the three-way handshake.
Figure 6-9 illustrates a classic type of SYN DoS attack. If the client does not acknowledge the server’s SYN ACK with a data request (REQ) and, instead, sends another SYN request, the server gets saturated with SYN requests. As a result, all of the server’s resources are consumed and it can no longer service legitimate client requests.
Figure 6-9 DoS SYN Attacks without Delayed Binding
Using an Alteon Web switch with delayed binding, as illustrated in , the Web switch intercepts the client SYN request before it reaches the server. The Web switch responds to the client with a SYN ACK that contains embedded client information. The Web switch does not allocate a session until a valid SYN ACK is received from the client or the three-way handshake is complete.
[Figure 6-9 content: two message sequences between Client and Server]

Normal Request:
Client sends a SYN request.
Server reserves session and sends SYN ACK.
Client sends an ACK or DATA REQ.
Server responds with DATA.

DoS SYN Attack:
Client sends a SYN request.
Server reserves session and sends SYN ACK.
Client ignores SYN ACK and continues to send new SYN requests.
Server continues reserving sessions.
Server is eventually saturated and cannot process legitimate requests.
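The following simulation is an added example and is not code from the Web OS guide or from Nortel; it models the two sequences in Figure 6-9 in plain Python with no real sockets or packets. The plain `Server` reserves a half-open session on every SYN and has a constructed backlog of four slots, so a burst of unacknowledged SYNs from spoofed sources leaves it unable to serve anyone else. The `DelayedBindingSwitch` answers each SYN with a SYN ACK whose sequence number is a keyed hash of the client address, port and initial sequence number (an assumed way of realising the guide's "embedded client information"; the Alteon switch's actual encoding is not described on the page) and binds a client to the server only after the returned ACK verifies, so the flood reserves nothing on either device. Client addresses, sequence numbers and the backlog size are constructed values.

```python
"""Constructed simulation of Figure 6-9: a plain server versus a delayed-binding
front end under a SYN flood. All "packets" are Python tuples; nothing is sent."""
import hashlib
import hmac
import secrets

BACKLOG = 4          # constructed: half-open sessions the plain server can reserve
MASK32 = 0xFFFFFFFF  # sequence numbers wrap at 32 bits


class Server:
    """Plain server: reserves a session for every SYN it sees (the vulnerable model)."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # client -> server ISN of a reserved, unacknowledged session
        self.established = set()

    def syn(self, client, client_isn):
        """Reserve a session and reply with a SYN ACK, or return None once saturated."""
        if len(self.half_open) >= self.backlog:
            return None          # no resources left: legitimate SYNs are dropped too
        server_isn = secrets.randbits(32)
        self.half_open[client] = server_isn
        return ("SYN ACK", server_isn)

    def ack(self, client, client_isn, ack_num):
        """Complete the handshake only for a reserved session with the expected ACK number."""
        server_isn = self.half_open.get(client)
        if server_isn is None or ack_num != (server_isn + 1) & MASK32:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


class DelayedBindingSwitch:
    """Front end that answers SYNs statelessly: the SYN ACK sequence number is an HMAC
    over client information (assumed cookie construction), so no session exists on the
    switch or the server until the client returns a valid ACK."""

    def __init__(self, server):
        self.server = server
        self.secret = secrets.token_bytes(32)   # a real device would rotate this
        self.sessions = set()                   # clients bound through to the server

    def _cookie(self, client, client_isn):
        ip, port = client
        msg = f"{ip}:{port}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def syn(self, client, client_isn):
        # The only "state" is carried inside the SYN ACK itself.
        return ("SYN ACK", self._cookie(client, client_isn))

    def ack(self, client, client_isn, ack_num):
        """Verify the cookie; only then open the real session toward the server."""
        expected = (self._cookie(client, client_isn) + 1) & MASK32
        if ack_num != expected:
            return False                          # forged or stale ACK: still no state
        reply = self.server.syn(client, client_isn)
        if reply is None:
            return False
        _, server_isn = reply
        if not self.server.ack(client, client_isn, (server_isn + 1) & MASK32):
            return False
        self.sessions.add(client)
        return True


def simulate(flood_syns, legit_clients, protected):
    """Run a SYN flood, then legitimate handshakes.
    Returns (legitimate clients served, half-open sessions left on the server)."""
    server = Server()
    front = DelayedBindingSwitch(server) if protected else server
    # Attack traffic: each SYN from a different constructed spoofed source, never acknowledged.
    for i in range(flood_syns):
        spoofed = (f"10.0.{i // 256}.{i % 256}", 40000 + i)
        front.syn(spoofed, client_isn=i)
    # Legitimate clients complete the three-way handshake properly.
    served = 0
    for n in range(legit_clients):
        client = ("192.0.2.10", 50000 + n)
        client_isn = 1000 + n
        reply = front.syn(client, client_isn)
        if reply is None:
            continue                              # SYN dropped by a saturated server
        _, isn = reply
        if front.ack(client, client_isn, (isn + 1) & MASK32):
            served += 1
    return served, len(server.half_open)


if __name__ == "__main__":
    print("plain server under flood:   ", simulate(100, 3, protected=False))
    print("delayed binding under flood:", simulate(100, 3, protected=True))
```

With the constructed backlog of four, the plain server is saturated by the flood and serves none of the three legitimate clients, while the delayed-binding front end serves all three and leaves the server with no half-open sessions at all. The check in `DelayedBindingSwitch.ack` is the whole defense: an ACK that does not carry the expected cookie is discarded without allocating anything, which is what "does not allocate a session until a valid ACK is received" means in practice.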