PowerConnect B-Series FCX Configuration Guide
53-1002266-01
The burst-max <value> parameter can be from 1 through 100,000 packets per second.
The lockup <value> parameter can be from 1 through 10,000 seconds.
This command is supported on Ethernet and Layer 3 interfaces.
The number of incoming ICMP packets per second is measured and compared to the threshold
values as follows:
• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are
dropped.
• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for
the number of seconds specified by the lockup value. When the lockup period expires, the
packet counter is reset and measurement is restarted.
In the example, if the number of ICMP packets received per second exceeds 5,000, the excess
packets are dropped. If the number of ICMP packets received per second exceeds 10,000, the
device drops all ICMP packets for the next 300 seconds (5 minutes).
Protecting against TCP SYN attacks
TCP SYN attacks exploit the way TCP connections are established in order to disrupt normal
traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet to the
destination host. The destination host responds with a SYN ACK packet, and the connecting host
sends back an ACK packet. This process, known as a “TCP three-way handshake,” establishes the
TCP connection.
While waiting for the connecting host to send an ACK packet, the destination host keeps track of
the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received,
information about the connection is removed from the connection queue. Usually there is not
much time between the destination host sending a SYN ACK packet and the source host sending
an ACK packet, so the connection queue clears quickly.
In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP
addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK
packet and adds information to the connection queue. However, because the source host does not
exist, no ACK packet is sent back to the destination host, and an entry remains in the connection
queue until it ages out (after approximately a minute). If the attacker sends enough TCP SYN
packets, the connection queue can fill up, and service can be denied to legitimate TCP
connections.
To protect against TCP SYN attacks, you can configure the Dell PowerConnect device to drop TCP
SYN packets when excessive numbers are encountered. You can set threshold values for TCP SYN
packets that are targeted at the router itself or passing through an interface, and drop them when
the thresholds are exceeded.
For example, to set threshold values for TCP SYN packets targeted at the router, enter the following
command in global CONFIG mode.
PowerConnect(config)#ip tcp burst-normal 10 burst-max 100 lockup 300
To set threshold values for TCP SYN packets received on interface 3/11, enter the following
commands.
PowerConnect(config)#interface ethernet 3/11
PowerConnect(config-if-e1000-3/11)#ip tcp burst-normal 10 burst-max 100 lockup 300
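The burst-normal / burst-max / lockup logic used by both the ICMP and the TCP SYN thresholds above, modelled in Python as an added example (this is not Dell or Brocade code; the one-second measurement window and the per-packet decision order are assumptions about the behaviour the guide describes):

```python
"""Simplified model of the burst-normal / burst-max / lockup rate limiter.
Added illustration of the guide's description, not the device implementation."""
from dataclasses import dataclass


@dataclass
class BurstLimiter:
    burst_normal: int          # packets per second forwarded before excess is dropped
    burst_max: int             # packets per second that triggers the lockup
    lockup: int                # seconds during which every packet is dropped
    window_start: int = -1     # whole second of the current measurement window (assumed 1 s)
    count: int = 0             # packets counted in the current window
    in_lockup: bool = False
    lockup_until: float = 0.0  # time at which the current lockup expires
    forwarded: int = 0
    dropped: int = 0
    lockups: int = 0

    def packet(self, t: float) -> bool:
        """Process one packet arriving at time t (seconds). Returns True if forwarded."""
        if self.in_lockup:
            if t < self.lockup_until:
                self.dropped += 1          # lockup active: everything is dropped
                return False
            self.in_lockup = False         # lockup expired: counter reset, measurement restarts
            self.window_start = -1
        second = int(t)
        if second != self.window_start:    # new one-second window
            self.window_start, self.count = second, 0
        self.count += 1
        if self.count > self.burst_max:    # burst-max exceeded: drop all for `lockup` seconds
            self.in_lockup, self.lockup_until = True, t + self.lockup
            self.lockups += 1
            self.dropped += 1
            return False
        if self.count > self.burst_normal: # burst-normal exceeded: drop only the excess
            self.dropped += 1
            return False
        self.forwarded += 1
        return True


def simulate(rates, burst_normal, burst_max, lockup):
    """rates: constructed list of packet counts for each successive second.
    Returns (forwarded, dropped, lockups) after feeding every packet through the limiter."""
    lim = BurstLimiter(burst_normal, burst_max, lockup)
    for second, n in enumerate(rates):
        for i in range(n):
            lim.packet(second + i / n)     # spread the second's arrivals evenly in time
    return lim.forwarded, lim.dropped, lim.lockups
```

With the guide's TCP values (burst-normal 10, burst-max 100, lockup 300) a burst of 150 SYN packets in one second forwards 10, drops the rest, and silences SYN handling for the following 300 seconds.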