Configuring Denial Of Service Protection - Extreme Networks ExtremeWare XOS Guide Manual

Security
hardware at wire speed. However, there are some operations in any switch or router that are more
costly than others, and although normal traffic is not a problem, exception traffic must be handled by
the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
learning new traffic
●
routing and control protocols including ICMP, BGP and OSPF
●
switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc...)
●
other packets directed to the switch that must be discarded by the CPU
●
If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and
switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the
CPU with packets requiring costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. When a flood of
packets is received from the switch, DoS Protection will count these packets. When the packet count
nears the alert threshold, packets headers will be saved. If the threshold is reached, then these headers
are analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the
CPU. This ACL will remain in place to provide relief to the CPU. Periodically, the ACL will expire, and
if the attack is still occurring, it will be re-enabled. With the ACL in place, the CPU will have the cycles
to process legitimate traffic and continue other services.
DoS Protection will send a notification when the notify threshold is reached.
You can also specify some ports as trusted ports, so that DoS protection will not be applied to those
ports.

Configuring Denial of Service Protection

To enable or disable DoS protection, use the following commands:
enable dos-protect
disable dos-protect
After enabling DoS protection, the switch will count the packets handled by the CPU and periodically
evaluate whether to send a notification and/or create an ACL to block offending traffic. You can
configure a number of the values used by DoS protection if the default values are not appropriate for
your situation. The values that you can configure are:
interval—How often, in seconds, the switch evaluates the DoS counter (default: 1 second)
●
alert threshold—The number of packets received in an interval that will generate an ACL (default:
●
4000 packets)
notify threshold—The number of packets received in an interval that will generate a notice (default:
●
3500 packets)
ACL expiration time—The amount of time, in seconds, that the ACL will remain in place (default: 5
●
seconds)
To configure the interval at which the switch checks for DoS attacks, use the following command:
configure dos-protect interval <seconds>
ExtremeWare XOS 11.1 Concepts Guide
240