
Enhanced DoS attack prevention for IPv6 – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide, document 53-1003035-02, page 333 (chapter 9; PDF page 351)

Protecting against TCP SYN attacks

The burst-max value can be from 1 – 100000.

The lockup value can be from 1 – 10000.

The no option removes the configuration, which disables UDP rate limiting.

The number of incoming UDP packets per second is measured and compared to the threshold values, which apply to the individual service, as follows:

• If the number of UDP packets exceeds the burst-normal value, the excess UDP packets are dropped.

• If the number of UDP packets exceeds the burst-max value, all UDP packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
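The following Python simulation is an added illustration of the burst-normal / burst-max / lockup behaviour described above; it is not Brocade code and does not model the device's implementation. It assumes that the packet count is sampled once per second, that a lockup starts in the second in which burst-max is exceeded and then lasts for the configured number of further seconds, and that the per-second sample (the SAMPLE_COUNTS list) is constructed data.

```python
"""Model of UDP rate limiting with burst-normal, burst-max and lockup thresholds.

Illustrative only: this is not the device's code. Assumptions (not from the
manual): the counter is sampled once per second, and a lockup covers the
triggering second plus `lockup` further seconds.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SecondResult:
    second: int
    received: int
    forwarded: int
    dropped: int
    locked: bool


def simulate_udp_rate_limit(per_second_counts: List[int],
                            burst_normal: int,
                            burst_max: int,
                            lockup: int) -> List[SecondResult]:
    """Apply the three thresholds to a sequence of per-second UDP packet counts.

    burst_normal: packets/second above which the excess packets are dropped.
    burst_max:    packets/second above which all UDP is dropped for `lockup` seconds.
    lockup:       length of the block in seconds; the counter restarts afterwards.
    The accepted ranges follow the manual: burst-max 1-100000, lockup 1-10000.
    """
    if not 1 <= burst_max <= 100000:
        raise ValueError("burst-max must be 1-100000")
    if not 1 <= lockup <= 10000:
        raise ValueError("lockup must be 1-10000")
    if not 1 <= burst_normal <= burst_max:
        raise ValueError("burst-normal must be at least 1 and not above burst-max")

    results: List[SecondResult] = []
    lock_remaining = 0  # seconds of lockup still to run
    for sec, received in enumerate(per_second_counts):
        if lock_remaining > 0:
            # Lockup in force: every UDP packet is dropped and nothing is measured.
            lock_remaining -= 1
            results.append(SecondResult(sec, received, 0, received, True))
            continue
        if received > burst_max:
            # burst-max exceeded: drop the whole second and start the lockup timer.
            lock_remaining = lockup
            results.append(SecondResult(sec, received, 0, received, True))
        elif received > burst_normal:
            # burst-normal exceeded: forward up to the threshold, drop the excess.
            results.append(SecondResult(sec, received, burst_normal,
                                        received - burst_normal, False))
        else:
            # Under both thresholds: everything is forwarded.
            results.append(SecondResult(sec, received, received, 0, False))
        # The per-second sample is the counter reset: each loop iteration starts at 0.
    return results


def totals(results: List[SecondResult]):
    """Return (forwarded, dropped) summed over the simulated seconds."""
    return (sum(r.forwarded for r in results), sum(r.dropped for r in results))


# Constructed sample: a flood in second 2 followed by normal traffic.
SAMPLE_COUNTS = [50, 120, 500, 60, 60, 60, 70]


def run_sample() -> List[SecondResult]:
    """Run the constructed sample with burst-normal 100, burst-max 400, lockup 2."""
    return simulate_udp_rate_limit(SAMPLE_COUNTS, burst_normal=100,
                                   burst_max=400, lockup=2)


if __name__ == "__main__":
    for r in run_sample():
        print(f"s{r.second}: rx={r.received} fwd={r.forwarded} "
              f"drop={r.dropped} locked={r.locked}")
    print("totals (forwarded, dropped):", totals(run_sample()))
```

In the sample, second 1 loses only the 20 packets above burst-normal, second 2 trips burst-max and is dropped entirely, and seconds 3 and 4 are dropped by the lockup even though their own counts are well under both thresholds; that collateral loss of legitimate traffic during a lockup is the trade-off to weigh when choosing the lockup value.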

Enhanced DoS attack prevention for IPv6

IPv6 was introduced to increase the address space. When an IPv6 packet is received, devices
broadcast their IPv6 addresses to help clients find and connect to an IPv6 subnet. This created the
possibility of a DoS attack in which the network segment is flooded with random router
advertisements (RAs), which consumes CPU resources.

To rate limit the IPv6 subnet packets so that the CPU is not overloaded, enter a command such as the
following:

Brocade(config)# ipv6 rate-limit subnet policy-map

Syntax: [no] ipv6 rate-limit subnet policy-map policy-map

The policy-map parameter specifies the policy map, named in the policy-map variable, whose
parameters are used to rate limit the specified port and VLAN. This command is used only when
configuring traffic policing on a port using a policy map, as described in “Applying traffic policing
parameters using a policy map” on page 547.