Allied Telesis AT-S63 User Manual
Chapter 14: Denial of Service Defenses
164
Section II: Advanced Operations
SYN Flood Attack
In this type of attack, an attacker sends a large number of TCP connection
requests (TCP SYN packets) with bogus source addresses to the victim.
The victim responds with acknowledgements (SYN ACK packets), but
because the original source addresses are bogus, the victim node does
not receive any replies. If the attacker sends enough requests in a short
enough period, the victim may freeze operations when the number of
requests exceeds the capacity of its connections queue.
requests (TCP SYN packets) with bogus source addresses to the victim.
The victim responds with acknowledgements (SYN ACK packets), but
because the original source addresses are bogus, the victim node does
not receive any replies. If the attacker sends enough requests in a short
enough period, the victim may freeze operations when the number of
requests exceeds the capacity of its connections queue.
To defend against this form of attack, a switch port monitors the number of
ingress TCP connection requests it receives. If a port receives more than
60 requests per second, the following occurs.
ingress TCP connection requests it receives. If a port receives more than
60 requests per second, the following occurs.
The switch sends an SNMP trap to the management stations
The switch port is blocked for one minute.
This defense mechanism does not involve the switch’s CPU. You can
activate it on some or all of the ports without impacting switch
performance.
activate it on some or all of the ports without impacting switch
performance.