Brocade ICX 6650 Security Configuration Guide
53-1002601-01
TCP SYN attacks
Brocade(config)# interface ethernet 1/1/3
Brocade(config-if-e10000-1/1/3)# ip tcp burst-normal 10 burst-max 100 lockup 300
For Layer 3 router code, if the interface is part of a VLAN that has a router VE, you must configure 
TCP/SYN attack protection at the VE level. Otherwise, you can configure this feature at the 
interface level as shown in the previous example. When TCP/SYN attack protection is configured at 
the VE level, it will apply to routed traffic only. It will not affect switched traffic.
NOTE
You must configure VLAN information for the port before configuring TCP/SYN attack protection. You 
cannot change the VLAN configuration for a port on which TCP/SYN attack protection is enabled. 
To set threshold values for TCP/SYN packets received on VE 31, enter commands such as the 
following.
Brocade(config)# interface ve 31
Brocade(config-vif-31)# ip tcp burst-normal 5000 burst-max 10000 lockup 300
Syntax: ip tcp burst-normal value burst-max value lockup seconds
NOTE
This command is available at the global CONFIG level on both Chassis devices and Compact devices. 
On Chassis devices, this command is available at the Interface level as well. This command is 
supported on Ethernet and Layer 3 interfaces.
The burst-normal value parameter can be from 1 – 100,000 packets per second.
The burst-max value parameter can be from 1 – 100,000 packets per second.
The lockup value parameter can be from 1 – 10,000 seconds.
The number of incoming TCP SYN packets per second is measured and compared to the threshold 
values as follows:
If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets 
are dropped.
If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are 
dropped for the number of seconds specified by the lockup value. When the lockup period 
expires, the packet counter is reset and measurement is restarted.
In the interface example above (burst-normal 10, burst-max 100, lockup 300), if the number of TCP SYN packets received per second exceeds 10, the excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN packets for the next 300 seconds (5 minutes), after which the counter is reset and measurement restarts.
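The following Python model replays the threshold semantics just described over a constructed per-second trace. It is an added example, not Brocade code: the burst-normal, burst-max and lockup behaviour is taken from the text above, while the alignment of the lockup window to whole seconds, and the assumption that the first burst-normal SYNs in the second that trips burst-max have already been forwarded, are this example's own choices; the ICX data plane is not described on this page.

```python
"""Model of the TCP SYN threshold check described above.

Added example, not Brocade code: it replays the documented semantics of
burst-normal, burst-max and lockup over a constructed per-second trace.
Assumptions: the lockup window is aligned to whole seconds, and in the
second that crosses burst-max the first burst-normal SYNs have already
been forwarded before the counter trips.
"""


class SynRateGuard:
    def __init__(self, burst_normal, burst_max, lockup):
        # Ranges come from the syntax description above.
        if not 1 <= burst_normal <= 100_000:
            raise ValueError("burst-normal must be 1..100000 packets/s")
        if not 1 <= burst_max <= 100_000:
            raise ValueError("burst-max must be 1..100000 packets/s")
        if not 1 <= lockup <= 10_000:
            raise ValueError("lockup must be 1..10000 seconds")
        if burst_max < burst_normal:
            # Not stated on the page: a burst-max below burst-normal leaves no
            # "excess dropped" band, so this model treats it as a config error.
            raise ValueError("burst-max must not be lower than burst-normal")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self.locked_until = 0  # first second index that is no longer locked

    def step(self, sec, syns):
        """Judge one second of traffic. Returns (accepted, dropped, state)."""
        if sec < self.locked_until:
            # Inside a lockup period every SYN is dropped.
            return 0, syns, "lockup"
        if syns > self.burst_max:
            # Counter crossed burst-max: drop all SYNs for the next `lockup`
            # seconds; the counter restarts when the period expires.
            self.locked_until = sec + 1 + self.lockup
            return self.burst_normal, syns - self.burst_normal, "lockup-start"
        if syns > self.burst_normal:
            # Between the two thresholds only the excess is dropped.
            return self.burst_normal, syns - self.burst_normal, "excess-dropped"
        return syns, 0, "ok"

    def replay(self, trace):
        return [self.step(sec, syns) for sec, syns in enumerate(trace)]


def summarize(trace, burst_normal=10, burst_max=100, lockup=300):
    """Totals for a trace: (accepted SYNs, dropped SYNs, seconds spent in lockup)."""
    steps = SynRateGuard(burst_normal, burst_max, lockup).replay(trace)
    accepted = sum(a for a, _, _ in steps)
    dropped = sum(d for _, d, _ in steps)
    locked = sum(1 for _, _, s in steps if s == "lockup")
    return accepted, dropped, locked


# Constructed trace (not captured traffic): a quiet second, a mild burst, a
# flood that trips burst-max, 300 seconds of sustained 50 SYN/s while the
# interface is locked, then normal traffic once the lockup expires.
SAMPLE_TRACE = [5, 12, 150] + [50] * 300 + [7]

if __name__ == "__main__":
    steps = SynRateGuard(10, 100, 300).replay(SAMPLE_TRACE)
    for sec in (0, 1, 2, 3, 302, 303):
        acc, drop, state = steps[sec]
        print(f"t={sec:3d}s accepted={acc:3d} dropped={drop:5d} {state}")
    print("totals (accepted, dropped, locked seconds):", summarize(SAMPLE_TRACE))
```

The trace makes the operational caveat visible: once burst-max is crossed, legitimate SYNs are also dropped for the whole lockup period, so on a VE that fronts real services burst-max should sit well above the peak legitimate connection rate and lockup should be no longer than the outage you are willing to accept.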
TCP security enhancement 
TCP security enhancement improves upon the handling of TCP inbound segments. This 
enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator 
attempts to prematurely terminate an active TCP session, and a data injection attack, wherein an 
attacker injects or manipulates data in a TCP connection. 
In both cases the attack is blind: the attacker has no visibility into the data stream between the two devices and must inject traffic without knowing the exact state of the connection. The attacker also does not observe the direct effect of the injected packet on the continuing communication between the devices, only the indirect impact of a terminated or corrupted session.