Brocade Communications Systems 12.4.00a Manual Do Utilizador
124
ServerIron ADX Security Guide
53-1002440-03
DDoS protection
5
TABLE 11
Output Descriptions for show server syn-cookie
DDoS protection
A Distributed Denial of Service (DDoS) attack is employed to cause a denial of service to legitimate
users by consuming all or most of the CPU and memory resources on a ServerIron ADX or on real
servers. The ServerIron ADX provides protection and prevents well-known DDoS attacks such as
Xmas-tree attack, syn fragment, address sweep and others. The ServerIron ADX prevents these
attacks by defining filters for each type of attack coupled with a drop or log action. These filters are
then bound to an interface. All packets that match the filter on the bound interface are dropped or
logged as defined in the configuration. Filters can be defined according to a generic rule as shown
in
users by consuming all or most of the CPU and memory resources on a ServerIron ADX or on real
servers. The ServerIron ADX provides protection and prevents well-known DDoS attacks such as
Xmas-tree attack, syn fragment, address sweep and others. The ServerIron ADX prevents these
attacks by defining filters for each type of attack coupled with a drop or log action. These filters are
then bound to an interface. All packets that match the filter on the bound interface are dropped or
logged as defined in the configuration. Filters can be defined according to a generic rule as shown
in
on page 125 or applied from built-in rules as described in Table 13,
The following sections describe how to configure a security filter, define rules within a security filter
and bind a security filter to an interface.
and bind a security filter to an interface.
•
•
•
•
•
•
•
•
Field
Description
CPU SYNs rcvd
AXP SYNs rcvd
Number of SYNs received on ServerIron ADX ports that have the Syn-Proxy feature
enabled.
enabled.
CPU SYN-ACKs sent
AXP SYN-ACKs sent
Number of SYN ACKs sent from the ServerIron ADX to the client
CPU Valid ACKs rcvd
AXP Valid ACKs rcvd
Number of valid ACKs received from the client.
Invalid ACKs rcvd
Number or invalid ACKs received from the client.
ACL passed
Number of ACL lookups that the ServerIron ADX passed.
ACL failed
Number of ACL lookups that the ServerIron ADX denied.
Frags allowed
Number of fragmented packets allowed.
Frags dropped
Number of fragmented packets dropped.
ACK without datp dro:
Invalid vport