Brocade Communications Systems 12.4.00a Manual De Usuario

DDoS protection

5

TABLE 11

Output Descriptions for show server syn-cookie

DDoS protection

A Distributed Denial of Service (DDoS) attack is employed to cause a denial of service to legitimate 
users by consuming all or most of the CPU and memory resources on a ServerIron ADX or on real 
servers. The ServerIron ADX provides protection and prevents well-known DDoS attacks such as 
Xmas-tree attack, syn fragment, address sweep and others. The ServerIron ADX prevents these 
attacks by defining filters for each type of attack coupled with a drop or log action. These filters are 
then bound to an interface. All packets that match the filter on the bound interface are dropped or 
logged as defined in the configuration. Filters can be defined according to a generic rule as shown 
in 

 on page 125 or applied from built-in rules as described in Table 13, 

Table 15, Table 16 and Table 17. Filters are applied to IPv4 and IPv6 traffic where appropriate.

The following sections describe how to configure a security filter, define rules within a security filter 
and bind a security filter to an interface.

•

•

•

•

•

•

•

•

Field

Description

CPU SYNs rcvd

AXP SYNs rcvd

Number of SYNs received on ServerIron ADX ports that have the Syn-Proxy feature 
enabled.

CPU SYN-ACKs sent

AXP SYN-ACKs sent

Number of SYN ACKs sent from the ServerIron ADX to the client

CPU Valid ACKs rcvd

AXP Valid ACKs rcvd

Number of valid ACKs received from the client.

Invalid ACKs rcvd

Number or invalid ACKs received from the client.

ACL passed

Number of ACL lookups that the ServerIron ADX passed.

ACL failed

Number of ACL lookups that the ServerIron ADX denied.

Frags allowed

Number of fragmented packets allowed.

Frags dropped

Number of fragmented packets dropped.

ACK without datp dro:

Invalid vport