Brocade Communications Systems 12.4.00a User Manual
ServerIron ADX Security Guide, 53-1002440-03, Chapter 5: Configuring Syn-Proxy (page 121)
The <on-threshold-value> variable is used with the on-threshold parameter and specifies the 
number of TCP SYN packets received per second. When this rate is exceeded for the interval 
defined by the server syn-attack-detection-interval command, Syn-Proxy is enabled on the 
ServerIron ADX. This value should be set much higher than the normal TCP SYN 
packet arrival rate. 
The off-threshold parameter defines the rate of SYNs per second (specified by the 
<off-threshold-value> variable) at which the Syn-Proxy feature is disabled on the ServerIron ADX 
after having previously been enabled. 
The <off-threshold-value> variable is used with the off-threshold parameter and specifies the 
number of TCP SYN packets received per second. When the received rate drops below this 
value, the ServerIron ADX waits ten seconds and then disables Syn-Proxy. The 
<off-threshold-value> variable must be less than the <on-threshold-value> variable.
Setting the interval time for counting TCP SYN packets
Whether Syn-Proxy is enabled or disabled is determined by the thresholds set in the ip 
tcp syn-proxy on-threshold <on-threshold-value> off-threshold <off-threshold-value> command, 
measured over the time period specified in the server syn-attack-detection-interval command. This 
interval is configured on the ServerIron ADX as shown in the following example.
ServerIronADX(config)# server syn-attack-detection-interval 10
Syntax: server syn-attack-detection-interval <detection-interval-value>
The <detection-interval-value> variable defines the interval over which TCP SYN packets are 
counted. The range of settings for this interval is 1 to 10, with each unit representing 100 ms, 
so the interval can be from 100 ms to 1 second. A smaller interval value gives a shorter reaction 
time for enabling Syn-Proxy but a less accurate measurement of the TCP SYN packet arrival rate. 
A larger interval value gives a longer reaction time for enabling Syn-Proxy but a more accurate 
measurement of the TCP SYN packet arrival rate. 
The default interval value is 3 (in effect 300 ms).
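The following Python model ties the two settings above together: SYNs are counted per detection interval (1 to 10 units of 100 ms), normalised to a per-second rate, compared against the on-threshold to enable Syn-Proxy, and against the off-threshold (with the ten-second wait) to disable it again. It is an added example written for this page, not Brocade code; the ServerIron ADX's internal algorithm is not published here, so details such as requiring the rate to stay below the off-threshold for the whole ten seconds, and the class and function names, are assumptions. The sample SYN counts are constructed.

```python
"""Model of the ServerIron ADX Syn-Proxy on/off threshold logic as the guide
describes it (added example, not Brocade code; internal details are assumed)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SynProxyMonitor:
    on_threshold: int            # SYN/s above which Syn-Proxy is enabled
    off_threshold: int           # SYN/s below which Syn-Proxy is disabled; must be < on_threshold
    detection_interval: int = 3  # server syn-attack-detection-interval: 1..10, each unit = 100 ms
    off_delay_ms: int = 10_000   # guide: the ADX waits ten seconds before disabling
    enabled: bool = False
    below_since_ms: Optional[int] = None  # when the rate first dropped below off_threshold

    def __post_init__(self) -> None:
        # Mirror the two constraints the guide states for these values.
        if not 1 <= self.detection_interval <= 10:
            raise ValueError("server syn-attack-detection-interval must be 1..10 (x100 ms)")
        if self.off_threshold >= self.on_threshold:
            raise ValueError("off-threshold-value must be less than on-threshold-value")

    @property
    def interval_ms(self) -> int:
        return self.detection_interval * 100

    def cli_lines(self) -> List[str]:
        """The two configuration commands from the guide for these settings."""
        return [
            f"ip tcp syn-proxy on-threshold {self.on_threshold} off-threshold {self.off_threshold}",
            f"server syn-attack-detection-interval {self.detection_interval}",
        ]

    def observe(self, syn_count: int, now_ms: int) -> bool:
        """Feed the SYN count for one detection interval ending at now_ms.

        Returns the Syn-Proxy state after this sample. A short interval reacts
        faster but each sample is a coarser estimate of the per-second rate,
        which is the trade-off the guide describes.
        """
        rate = syn_count * 1000 / self.interval_ms  # normalise to SYN per second
        if not self.enabled:
            if rate > self.on_threshold:            # "exceeded": strictly greater
                self.enabled = True
                self.below_since_ms = None
        elif rate < self.off_threshold:
            if self.below_since_ms is None:
                self.below_since_ms = now_ms
            elif now_ms - self.below_since_ms >= self.off_delay_ms:
                self.enabled = False                # ten seconds below off-threshold (assumed: continuously)
                self.below_since_ms = None
        else:
            self.below_since_ms = None              # rate rose again; restart the wait (assumption)
        return self.enabled


def simulate(monitor: SynProxyMonitor, counts_per_interval: List[int]) -> List[bool]:
    """Feed consecutive per-interval SYN counts and return the state after each."""
    states = []
    for i, count in enumerate(counts_per_interval):
        states.append(monitor.observe(count, (i + 1) * monitor.interval_ms))
    return states


if __name__ == "__main__":
    # Constructed trace: ~333 SYN/s baseline, one 300 ms burst of 3000 SYNs (10000 SYN/s),
    # then back to baseline for 12 seconds.
    mon = SynProxyMonitor(on_threshold=5000, off_threshold=1000, detection_interval=3)
    print("\n".join(mon.cli_lines()))
    for i, state in enumerate(simulate(mon, [100, 100, 3000] + [100] * 40)):
        print(f"t={(i + 1) * mon.interval_ms:6d} ms  syn-proxy {'ON ' if state else 'off'}")
```

With a 300 ms interval, a single burst of 3000 SYNs in one interval (10000 SYN/s) flips Syn-Proxy on at t=900 ms; once the rate falls back under 1000 SYN/s at t=1200 ms the model waits ten seconds and turns it off at t=11400 ms. Raising the interval to 10 would smooth the same burst over a full second (3000 SYN/s, below the on-threshold), which is the accuracy versus reaction-time trade-off the guide points out.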
Displaying Syn-Proxy Commands
This section contains the following sections: