Setting the time range for a valid ack packet, Limiting syn-proxy feature to defined vips, Setting the source mac address – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide

53-1003250-01

Configuring Syn-Proxy

5

Retransmitting the SYN to the server in this way allows the server to respond in case the initial
SYNs sent by the Brocade Virtual ADX are lost, without having to reset the connection with the
client. The Brocade Virtual ADX can retransmit SYNs for up to 65,536 pending connections
concurrently.

This functionality is enabled by default when you enable syn-proxy. No CLI configuration is
necessary. The output of the show tcp-attack command displays information about SYN retransmissions.

Setting the time range for a valid ACK packet

This feature sets a timer factor that determines the time range to accept a valid ACK packet. This
feature is configured with the following command.

Virtual ADX(config)#ip tcp syn-proxy ack-validate-multiplier 3

Syntax: [no] ip tcp syn-proxy ack-validate-multiplier timer factor

The timer factor variable supplies the value used in the following equation to determine the
time range:

(timer factor +1) * 8 seconds

Example where the timer factor is set to 3:

The valid window is (3 + 1) * 8 = 32 seconds.

Because the ACK packet is checked against hash data from two windows, the maximum time is 64 seconds.

Where the timer factor is set to 3, the hash value changes every 32 seconds.

As a result, the valid ACK range = (timer factor + 1) * 8 seconds * 2.
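The following is an added example, not code from the Brocade manual or the Virtual ADX itself. It models the two-window acceptance rule described above: the window length is (timer factor + 1) * 8 seconds, the hash input rotates with the window index, and an ACK is accepted if its cookie matches either the current or the previous window. The HMAC construction, the secret, the flow tuple and the timeline values are constructed assumptions for illustration; the real device's hash is not documented here.

```python
import hashlib
import hmac


def window_seconds(timer_factor: int) -> int:
    """Length of one validation window: (timer factor + 1) * 8 seconds."""
    return (timer_factor + 1) * 8


def max_valid_ack_seconds(timer_factor: int) -> int:
    """Hash data from two windows is checked, so the longest an ACK can
    remain valid is twice the window length (64 s for timer factor 3)."""
    return window_seconds(timer_factor) * 2


def window_index(now: float, timer_factor: int) -> int:
    """Which window a point in time (seconds) falls into."""
    return int(now // window_seconds(timer_factor))


def _cookie_for_index(secret: bytes, flow: tuple, idx: int) -> int:
    """Model of a SYN cookie: 32-bit MAC over the flow 4-tuple and the
    window index (assumed construction, not the device's actual hash)."""
    msg = ("|".join(map(str, flow)) + "|%d" % idx).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def make_cookie(secret: bytes, flow: tuple, now: float, timer_factor: int) -> int:
    """Cookie placed in the SYN-ACK sequence number at time `now`."""
    return _cookie_for_index(secret, flow, window_index(now, timer_factor))


def ack_is_valid(secret: bytes, flow: tuple, ack_cookie: int,
                 now: float, timer_factor: int) -> bool:
    """Accept the ACK if the cookie matches the current or previous window.
    Anything older than two windows is rejected, which bounds the valid
    ACK range to (timer factor + 1) * 8 * 2 seconds."""
    idx = window_index(now, timer_factor)
    want = ack_cookie.to_bytes(4, "big")
    for candidate in (idx, idx - 1):
        if candidate < 0:
            continue
        got = _cookie_for_index(secret, flow, candidate).to_bytes(4, "big")
        if hmac.compare_digest(got, want):
            return True
    return False


def acceptance_timeline(timer_factor: int):
    """Issue a cookie at t=0 and report whether an ACK carrying it is still
    accepted at a few later instants (constructed sample flow)."""
    secret = b"constructed-demo-secret"
    flow = ("198.51.100.7", 40000, "192.0.2.10", 80)
    cookie = make_cookie(secret, flow, 0.0, timer_factor)
    checkpoints = (0.0, 31.0, 32.0, 63.0, 64.0, 96.0)
    return [(t, ack_is_valid(secret, flow, cookie, t, timer_factor))
            for t in checkpoints]


if __name__ == "__main__":
    print("window:", window_seconds(3), "s  max valid ACK:", max_valid_ack_seconds(3), "s")
    for t, ok in acceptance_timeline(3):
        print("t=%5.1fs  ACK %s" % (t, "accepted" if ok else "rejected"))
```

With timer factor 3 a cookie issued at the start of window 0 is still accepted at t=63 s (window 1 checks window 0 as its predecessor) and rejected at t=64 s (window 2 only checks windows 2 and 1). The 64-second figure is the maximum; a cookie issued late in a window is valid for correspondingly less time, which is why the manual calls it the MAX time rather than a fixed lifetime.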

Limiting syn-proxy feature to defined VIPs

With this feature enabled, the SYN packets are dropped if a virtual server IP port is not defined
under a VIP configuration. This feature is enabled with the following command.

Virtual ADX(config)#server syn-cookie-check-vport

Syntax: [no] server syn-cookie-check-vport

Setting the source MAC address

With this feature enabled, the SYN-ACK reply packets will have their source MAC address set to the
MAC address of the Brocade Virtual ADX. This can be helpful to avoid flooding in the case of a SYN
to unknown unicast or broadcast address. This feature is enabled with the following command.

Virtual ADX(config)#server syn-cookie-set-sa

Syntax: [no] server syn-cookie-set-sa

Limiting the syn-proxy feature to VIP traffic only

This feature directs the Brocade Virtual ADX to apply the Syn-Proxy feature to VIP traffic only (not to
pass-through traffic). This feature is enabled with the following command.

Virtual ADX(config)#server security-on-vip-only

Syntax: [no] server security-on-vip-only