
Setting the syn-proxy auto control thresholds – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide, 53-1003250-01, Chapter 5: Configuring Syn-Proxy, page 82

1. Set the SYN-Proxy auto control threshold levels – This procedure, described in “Setting the SYN-Proxy auto control thresholds” on page 82, sets the thresholds for enabling and disabling Syn-Proxy during operation of the Brocade Virtual ADX.

2. Set the interval time for counting TCP SYN packets – This procedure, described in “Setting the interval time for counting TCP SYN packets” on page 83, sets the time period over which the thresholds set in Step 1 are evaluated.

3. Define Syn-Proxy on an in-bound interface – This is described in Step 2 of the procedure for “Enabling SYN-Proxy” on page 76.

Considerations for configuring Syn-proxy auto control

The following details concerning operation of the Syn-proxy feature should be considered when
configuring the Syn-proxy auto control feature on a Brocade Virtual ADX:

- All traffic, including SLB and pass-through traffic, is brought to a BP. Consequently, regardless of whether or not an interface has the syn-proxy feature enabled, if the threshold set for the rate of SYNs received per second is exceeded across all ports on a Brocade Virtual ADX, Syn-proxy auto control is enabled and stays enabled as long as the rate remains above the configured off-threshold value.

- Interfaces that do not have the syn-proxy feature enabled receive no SYN attack protection even when Syn-proxy is turned on through auto control. Consequently, for the Syn-proxy auto control feature to work as expected, we recommend that syn-proxy be enabled on all interfaces.

Setting the SYN-Proxy auto control thresholds

To activate Syn-Proxy auto control, follow these steps:

Globally enable Syn-Proxy auto control by setting the thresholds for enabling and disabling
Syn-Proxy as shown in the following command.

Virtual ADX(config)#ip tcp syn-proxy on-threshold 1000 off-threshold 500

Syntax: ip tcp syn-proxy on-threshold on-threshold-value off-threshold off-threshold-value

The on-threshold parameter defines the rate of SYNs received per second (specified by the on-threshold-value variable) at which the Syn-Proxy feature is enabled on the Brocade Virtual ADX.

The on-threshold-value variable is used with the on-threshold parameter and specifies the number of TCP SYN packets received per second. When this value is exceeded for an interval time defined by the server syn-attack-detection-interval command, Syn-Proxy is enabled on the Brocade Virtual ADX. This value should be set much higher than the normal TCP SYN packet arrival rate.

The off-threshold parameter defines the rate of SYNs received per second (specified by the off-threshold-value variable) at which the Syn-Proxy feature is disabled (after being previously enabled) on the Brocade Virtual ADX.

The off-threshold-value variable is used with the off-threshold parameter and specifies the number of TCP SYN packets received per second. When the received rate drops below this value, the Brocade Virtual ADX waits ten seconds and then disables Syn-Proxy. The off-threshold-value variable must be less than the on-threshold-value variable.
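The enable/disable behaviour described in this section, as an added Python model that is not Brocade Virtual ADX code and is only an illustration of the documented rules. It assumes (labelled in the code) that the on-threshold must be exceeded in every one-second sample of the detection interval, and that the ten-second wait before disabling restarts if the rate climbs back to or above the off-threshold.

```python
"""Model of SYN-Proxy auto control thresholds (added illustration, not Brocade code)."""

DISABLE_DELAY_SECONDS = 10  # the guide states a ten-second wait before disabling


class SynProxyAutoControl:
    def __init__(self, on_threshold: int, off_threshold: int, detection_interval: int):
        # The guide requires off-threshold-value to be less than on-threshold-value.
        if not 0 <= off_threshold < on_threshold:
            raise ValueError("off-threshold must be less than on-threshold")
        if detection_interval < 1:
            raise ValueError("detection interval must be at least 1 second")
        self.on_threshold = on_threshold          # SYNs/second that enables Syn-Proxy
        self.off_threshold = off_threshold        # SYNs/second below which it is disabled
        self.detection_interval = detection_interval  # server syn-attack-detection-interval
        self.enabled = False
        self._above_on = 0    # consecutive seconds above on_threshold (assumption)
        self._below_off = 0   # consecutive seconds below off_threshold (assumption)

    def observe(self, syn_rate: int) -> bool:
        """Feed one second's SYN count; return whether Syn-Proxy is enabled afterwards."""
        if not self.enabled:
            # Assumption: every second of the interval must exceed on_threshold.
            self._above_on = self._above_on + 1 if syn_rate > self.on_threshold else 0
            if self._above_on >= self.detection_interval:
                self.enabled, self._above_on = True, 0
        else:
            # Assumption: the ten-second wait restarts if the rate recovers.
            self._below_off = self._below_off + 1 if syn_rate < self.off_threshold else 0
            if self._below_off >= DISABLE_DELAY_SECONDS:
                self.enabled, self._below_off = False, 0
        return self.enabled


def simulate(rates, on_threshold=1000, off_threshold=500, detection_interval=3):
    """Return the per-second enabled state for a sequence of SYN rates."""
    ctl = SynProxyAutoControl(on_threshold, off_threshold, detection_interval)
    return [ctl.observe(r) for r in rates]


# Constructed sample: 2 s of normal traffic, a 4 s SYN burst, a taper, then 10 quiet seconds.
SAMPLE_RATES = [200, 300, 1500, 2000, 1800, 1200, 700, 600] + [100] * 10

if __name__ == "__main__":
    for second, (rate, state) in enumerate(zip(SAMPLE_RATES, simulate(SAMPLE_RATES))):
        print(f"t={second:2d}s  syn/s={rate:5d}  syn-proxy={'on' if state else 'off'}")
```

With the page's example values (on-threshold 1000, off-threshold 500) and a 3-second detection interval, the sample enables Syn-Proxy at t=4 and disables it at t=17, ten seconds after the rate first drops below 500.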