Delayed Binding; Figure 6-9: Dos Syn Attacks Without Delayed Binding - Nortel Web OS Switch Software Application Manual

Web OS 10.0 Application Guide

Delayed Binding

The delayed binding feature on the switch prevents SYN Denial-of-Service (DoS) attacks on the server. A DoS condition occurs when the server or switch cannot service clients because it is saturated with invalid traffic.

Typically, a three-way handshake occurs before a client connects to a server. The client sends out a synchronization (SYN) request to the server. The server allocates an area to process the client requests, and acknowledges the client by sending a SYN ACK. The client then acknowledges the SYN ACK by sending an acknowledgement (ACK) back to the server, thus completing the three-way handshake.

Figure 6-9 on page 146 illustrates a classic type of SYN DoS attack. If the client does not acknowledge the server's SYN ACK with a data request (REQ) and, instead, sends another SYN request, the server gets saturated with SYN requests. As a result, all of the server's resources are consumed and it can no longer service legitimate client requests.

Figure 6-9 DoS SYN Attacks without Delayed Binding

Normal Request (Client / Server):
1. Client sends a SYN request
2. Server reserves session and sends SYN ACK
3. Client sends an ACK or DATA REQ
4. Server responds with DATA

DoS SYN Attack (Client / Server):
1. Client sends a SYN request
2. Server reserves session and sends SYN ACK
3. Client ignores SYN ACK and continues to send new SYN requests
4. Server continues reserving sessions. Server is eventually saturated and cannot process legitimate requests.

Using an Alteon Web switch with delayed binding, as illustrated in Figure 6-10 on page 147, the Web switch intercepts the client SYN request before it reaches the server. The Web switch responds to the client with a SYN ACK that contains embedded client information. The Web switch does not allocate a session until a valid SYN ACK is received from the client or the three-way handshake is complete.

Chapter 6: Server Load Balancing
212777-A, February 2002
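
The difference between the two behaviours described above, as an added simulation that is not taken from the manual or from Web OS. The manual does not say how client information is embedded in the SYN ACK; this sketch assumes an HMAC-derived sequence number (the SYN cookie approach), and all class names, function names and addresses are constructed for illustration.

```python
import hashlib
import hmac
import os

MASK = 0xFFFFFFFF
SECRET = os.urandom(16)  # assumption: secret known only to the switch

def syn_ack_seq(ip, port, client_isn):
    """SYN ACK sequence number derived from the client's own details."""
    msg = f"{ip}|{port}|{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class ImmediateBinding:
    """Figure 6-9 behaviour: a session is reserved as soon as a SYN arrives."""
    def __init__(self, capacity):
        self.capacity, self.sessions = capacity, set()
    def on_syn(self, ip, port, client_isn):
        if len(self.sessions) >= self.capacity:
            return False  # table saturated, SYN dropped
        self.sessions.add((ip, port))
        return True

class DelayedBinding:
    """Nothing stored on SYN; a session is allocated only after a valid ACK."""
    def __init__(self, capacity):
        self.capacity, self.sessions = capacity, set()
    def on_syn(self, ip, port, client_isn):
        return syn_ack_seq(ip, port, client_isn)  # reply only, no state kept

    def on_ack(self, ip, port, seq, ack):
        # Final ACK carries seq = client ISN + 1 and ack = SYN ACK sequence + 1.
        expected = (syn_ack_seq(ip, port, (seq - 1) & MASK) + 1) & MASK
        if ack != expected or len(self.sessions) >= self.capacity:
            return False
        self.sessions.add((ip, port))
        return True

def simulate(flood_size=1000, capacity=64):
    """Constructed traffic: an unanswered SYN flood, then one complete handshake."""
    server, switch = ImmediateBinding(capacity), DelayedBinding(capacity)
    for i in range(flood_size):
        ip, port = f"198.51.100.{i % 254 + 1}", 1024 + i
        server.on_syn(ip, port, i)
        switch.on_syn(ip, port, i)
    ip, port, isn = "192.0.2.10", 40000, 7777  # legitimate client (constructed)
    direct_ok = server.on_syn(ip, port, isn)
    seq = switch.on_syn(ip, port, isn)
    bound_ok = switch.on_ack(ip, port, (isn + 1) & MASK, (seq + 1) & MASK)
    return direct_ok, bound_ok, len(server.sessions), len(switch.sessions)
```

`simulate()` returns whether the legitimate client was served in each model, followed by the number of sessions each side holds after the flood.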
