Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide
113
53-1002440-03
Chapter 5: Syn-Proxy and DoS Protection
This chapter describes how to configure the Syn-Proxy and DoS protection features on the ServerIron ADX Traffic Managers.
Understanding Syn-Proxy
Syn-Proxy™ allows TCP connections to be terminated on the ServerIron ADX. When Syn-Proxy is enabled, the ServerIron ADX completes the three-way handshake with a connecting client. Only when the three-way handshake is completed does the ServerIron ADX establish a connection with the destination server and forward packets from the client to the server.
In a TCP SYN attack, the attacker floods a host with TCP SYN packets. The host replies with SYN-ACK packets, but the attacker does not send the ACK packet. The handshake remains incomplete, and the host goes into a perpetual wait-state for it to be completed. As a result, the resources available for TCP connections are rapidly depleted and the host is unable to accept any further TCP connections.
ServerIron ADX prevents these types of attacks by sitting between the host and the attacker. When an attacker sends the SYN packet, ServerIron ADX receives it and replies with a SYN-ACK. If the attacker does not send an ACK to the ServerIron ADX, the handshake is not completed with the ServerIron ADX. In this situation, the server never receives any packets from the attacking client and is oblivious to the attack.
If the SYN is from a valid client and not an attacker, ServerIron ADX completes the handshake and forwards the SYN to the host. ServerIron ADX creates the session only at this point, after the three-way handshake is complete.
NOTE
In software Syn-Proxy, throughput under SYN attack is 1.18 Mbps per core.
Syn-Proxy auto control
Syn-Proxy can be explicitly enabled or disabled through a CLI command, or set up to be automatically enabled when the TCP SYN packet arrival rate exceeds a configured threshold and automatically disabled when the TCP SYN packet arrival rate falls below a configured threshold.
Difference between ServerIron ADX and JetCore Syn-Proxy Behavior
ServerIron ADX and JetCore-based ServerIron devices show different behavior with TCP Syn-Proxy. A ServerIron ADX drops TCP SYN ACKs entering an interface where tcp syn-proxy is configured unless it can match those SYN ACKs to an existing session. The JetCore-based ServerIron devices forward them through. The behavior of the ServerIron ADX provides enhanced protection against SYN attacks relative to the protection available from JetCore-based ServerIron devices.
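The following simulation is an added illustration, not Brocade code, of the behavior this chapter describes: the proxy answers SYN-ACKs itself, forwards a client's SYN to the server only once the client's ACK completes the handshake, applies the enable/disable thresholds of auto control, and drops SYN ACKs that match no session. All names, thresholds and traffic values are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SynProxy:
    """Hypothetical model of the ADX Syn-Proxy state machine (not vendor code)."""
    on_threshold: int             # SYN/s above which proxy is auto-enabled
    off_threshold: int            # SYN/s below which proxy is auto-disabled
    enabled: bool = False
    half_open: set = field(default_factory=set)       # SYN-ACK sent, client ACK pending
    sessions: set = field(default_factory=set)        # handshakes completed with proxy
    to_server: list = field(default_factory=list)     # packets the server actually sees

    def auto_control(self, syn_rate: int) -> bool:
        """Threshold logic with hysteresis: enable above one rate, disable below another."""
        if not self.enabled and syn_rate > self.on_threshold:
            self.enabled = True
        elif self.enabled and syn_rate < self.off_threshold:
            self.enabled = False
        return self.enabled

    def handle(self, flags: str, client: str) -> str:
        """Process one inbound packet and return the action taken."""
        if not self.enabled:                       # proxy off: plain forwarding
            self.to_server.append((flags, client))
            return "forward"
        if flags == "SYN":                         # proxy answers on the server's behalf
            self.half_open.add(client)
            return "synack"
        if flags == "ACK" and client in self.half_open:
            self.half_open.discard(client)         # handshake done: session created now
            self.sessions.add(client)
            self.to_server.append(("SYN", client))  # only now does the server see a SYN
            return "session"
        if client in self.sessions:
            self.to_server.append((flags, client))
            return "forward"
        return "drop"                              # unmatched SYN ACK (or stray ACK) dropped

def run_scenario() -> dict:
    """Constructed traffic: a SYN flood from ten sources plus one legitimate client."""
    proxy = SynProxy(on_threshold=1000, off_threshold=200)
    proxy.auto_control(5000)                       # measured rate trips auto-enable
    for i in range(10):                            # flood sources never send the ACK
        proxy.handle("SYN", f"flood-src-{i}")
    proxy.handle("SYN", "client"); proxy.handle("ACK", "client")
    stray = proxy.handle("SYN-ACK", "unknown-host")  # no session: ADX drops it
    still_on = proxy.auto_control(500)             # between thresholds: stays enabled
    return {"half_open": len(proxy.half_open), "stray": stray, "still_on": still_on,
            "server_syns": [c for f, c in proxy.to_server if f == "SYN"]}
```

The server-side list shows that the flood sources consume state only on the proxy, while the server receives exactly one SYN, from the client that completed the handshake.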