Enabling denial of service attack protection – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 267
configure the Filter-ID (type 11) attribute on the RADIUS server. The Filter-ID attribute specifies the
name or number of the Brocade IP ACL.
The following is the syntax for configuring the Filter-ID attribute on the RADIUS server to refer to a
Brocade IP ACL.
Value              Description
ip.number.in [2]   Applies the specified numbered ACL to the authenticated port in the inbound direction.
ip.name.in [1][3]  Applies the specified named ACL to the authenticated port in the inbound direction.
The following table lists examples of values you can assign to the Filter-ID attribute on the RADIUS
server to refer to IP ACLs configured on a Brocade device.
Possible values for the Filter-ID attribute on the RADIUS server   ACLs configured on the Brocade device
ip.102.in                                                          access-list 102 permit ip 36.0.0.0 0.255.255.255 any
ip.fdry_filter.in                                                  ip access-list extended foundry_filter
                                                                   permit ip 36.0.0.0 0.255.255.255 any
Enabling denial of service attack protection
The Brocade device does not start forwarding traffic from an authenticated MAC address in hardware
until the RADIUS server authenticates the MAC address; traffic from the non-authenticated MAC
addresses is sent to the CPU. A denial of service (DoS) attack could be launched against the device
where a high volume of new source MAC addresses is sent to the device, causing the CPU to be
overwhelmed with performing RADIUS authentication for these MAC addresses. In addition, the high
CPU usage in such an attack could prevent the RADIUS response from reaching the CPU in time,
causing the device to make additional authentication attempts.
To limit the susceptibility of the Brocade device to such attacks, you can configure the device to use
multiple RADIUS servers, which can share the load when there are a large number of MAC addresses
that need to be authenticated. The Brocade device can run a maximum of 10 RADIUS clients per server
and will attempt to authenticate with a new RADIUS server if the current one times out.
In addition, you can configure the Brocade device to limit the rate of authentication attempts sent to the
RADIUS server. When the multi-device port authentication feature is enabled, it keeps track of the
number of RADIUS authentication attempts made per second. When you also enable the DoS
protection feature, if the number of RADIUS authentication attempts for MAC addresses learned on an
interface per second exceeds a configurable rate (by default 512 authentication attempts per second),
the device considers this a possible DoS attack and disables the port. You must then manually re-enable the port.
The DoS protection feature is disabled by default. To enable it on an interface, enter commands such
as the following.
device(config)#interface e 3/1
device(config-if-e1000-3/1)#mac-authentication dos-protection enable
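To make the rate check concrete, the following Python model is an added illustration of the behaviour described above, not Brocade firmware code: each new source MAC on an interface counts as one RADIUS authentication attempt, attempts are counted per interface per second, and the port is disabled once the count exceeds the configured limit (512 by default) until an operator re-enables it. The interface names, MAC addresses and the limit of 4 used in the sample are constructed.

```python
from collections import defaultdict


class MacAuthDosProtection:
    """Per-interface rate check modelled on the DoS protection described above (added example)."""

    def __init__(self, max_attempts_per_second=512):
        self.threshold = max_attempts_per_second   # default on the page: 512 attempts/second
        self.disabled = set()                      # interfaces taken down by the check
        self.known = defaultdict(set)              # interface -> MACs already sent to RADIUS
        self.window = {}                           # interface -> (second, attempts in that second)

    def observe(self, interface, timestamp, mac):
        """Handle one frame; return 'disabled', 'known' or 'attempt'."""
        if interface in self.disabled:
            return "disabled"                      # port stays down, nothing is forwarded
        if mac in self.known[interface]:
            return "known"                         # no new RADIUS request for a MAC already seen
        # A new source MAC means one RADIUS authentication attempt handled by the CPU.
        self.known[interface].add(mac)
        second = int(timestamp)
        last_second, count = self.window.get(interface, (second, 0))
        count = count + 1 if last_second == second else 1
        self.window[interface] = (second, count)
        if count > self.threshold:
            self.disabled.add(interface)           # stays disabled until manually re-enabled
            return "disabled"
        return "attempt"

    def reenable(self, interface):
        """Operator action: bring the port back and reset its counters."""
        self.disabled.discard(interface)
        self.window.pop(interface, None)


def simulate(events, threshold=512):
    """Run (interface, timestamp, mac) events through the check; return results and the guard."""
    guard = MacAuthDosProtection(threshold)
    return [guard.observe(i, t, m) for i, t, m in events], guard


def flood(interface, start, n):
    """Constructed sample: n distinct source MACs arriving 1 ms apart on one interface."""
    return [(interface, start + k / 1000.0, f"00:11:22:33:{k // 256:02x}:{k % 256:02x}")
            for k in range(n)]
```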
[2] The ACL must be an extended ACL. Standard ACLs are not supported.
[3] The name in the Filter-ID attribute is case-sensitive.
53-1003088-03