Syn Protection - Cisco 350XG series Administration Manual

Security
Denial of Service Prevention
STEP 6
STEP 7
STEP 1
STEP 2
Cisco 350XG & 550XG Series 10G Stackable Managed Switches
• Invasor Trojan—Discards TCP packets with destination TCP port equal to
2140 and source TCP port equal to 1024.
• Back Orifice Trojan—Discards UDP packets with destination UDP port
equal to 31337 and source UDP port equal to 1024.
Click the following as required:
• Martian Addresses—Click Edit to go to the
• SYN Filtering—Click Edit to go to the
• SYN Rate Protection—(In Layer 2 only) Click Edit to go to the
Protection page.
• ICMP Filtering—Click Edit to go to the
• IP Fragmented—Click Edit to go to the
Click Apply. The Denial of Service prevention Security Suite settings are written to
the Running Configuration file.

SYN Protection

The network ports might be used by hackers to attack the device in a SYN attack,
which consumes TCP resources (buffers) and CPU power.
Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if
one or more ports are attacked with a high rate of SYN packets, the CPU receives
only the attacker packets, thus creating Denial-of-Service.
When using the SYN protection feature, the CPU counts the SYN packets
ingressing from each network port to the CPU per second.
If the number is higher than the specific, user-defined threshold, a deny SYN with
MAC-to-me rule is applied on the port. This rule is unbound from the port every
user-defined interval (SYN Protection Period).
To configure SYN protection:
Click Security > Denial of Service Prevention > SYN Protection.
Enter the parameters.
• Block SYN-FIN Packets—Select to enable the feature. All TCP packets with
both SYN and FIN flags are dropped on all ports.
Martian Addresses
SYN Filtering page.
ICMP Filtering page.
IP Fragmented Filtering
19
page.
SYN Rate
page.
435