Cisco 300 Series Administration Manual page 398

Managed switch
Security
Denial of Service Prevention
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
SYN Protection
The network ports might be used by attackers to mount a SYN attack on the device,
which consumes TCP resources (buffers) and CPU power.
Since the CPU is protected using SCT, TCP traffic to the CPU is rate-limited. However, if
one or more ports are attacked with a high rate of SYN packets, the CPU receives
only the attacker's packets, creating a denial of service for legitimate traffic.
When the SYN protection feature is enabled, the CPU counts the SYN packets
ingressing from each network port to the CPU per second.
If the count exceeds the user-defined threshold, a deny SYN with
MAC-to-me rule is applied to the port. This rule is unbound from the port after every
user-defined interval (SYN Protection Period).
To configure SYN protection:
STEP 1 Click Security > Denial of Service Prevention > SYN Protection.
STEP 2 Enter the parameters.
Block SYN-FIN Packets—Select to enable the feature. All TCP packets with
both SYN and FIN flags are dropped on all ports.
SYN Protection Mode—Select between three modes:
- Disable—The feature is disabled on a specific interface.
- Report—Generates a SYSLOG message. The status of the port is
changed to Attacked when the threshold is passed.
- Block and Report—When a TCP SYN attack is identified, TCP SYN
packets destined for the system are dropped and the status of the port is
changed to Blocked.
SYN Protection Threshold—Number of SYN packets per second before
SYN packets will be blocked (deny SYN with MAC-to-me rule will be applied
on the port).
SYN Protection Period—Time in seconds before unblocking the SYN
packets (the deny SYN with MAC-to-me rule is unbound from the port).
STEP 3 Click Apply. SYN protection is defined, and the Running Configuration file is
updated.
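The following simulation is an added example, not Cisco's firmware or any code from this guide. It models the behaviour the mechanism description and the parameters above specify: a per-port, per-second count of CPU-bound SYN packets, the three modes, the threshold that triggers the deny SYN with MAC-to-me rule, the period after which the rule is unbound, and the global SYN-FIN drop. The Packet fields, the default threshold of 80 and period of 60, and the sample traffic are all constructed for illustration; the real switch applies the rule in hardware and the exact SYSLOG text is not taken from the page.

```python
"""Added example (not Cisco's code): simulation of per-port SYN-rate protection
with a per-second SYN counter, the three modes, and automatic unbinding of the
deny rule after the protection period."""
from collections import defaultdict
from dataclasses import dataclass, field

DISABLE = "Disable"
REPORT = "Report"
BLOCK_AND_REPORT = "Block and Report"


@dataclass
class Packet:
    """Constructed representation of one TCP packet arriving at the switch (hypothetical fields)."""
    port: str            # ingress interface, e.g. "gi1"
    t: float             # arrival time in seconds
    syn: bool
    fin: bool
    to_me: bool = True   # addressed to the switch's own MAC ("MAC-to-me"), i.e. CPU-bound


@dataclass
class SynProtection:
    mode: str = BLOCK_AND_REPORT
    threshold: int = 80      # SYN packets per second per port (constructed default)
    period: int = 60         # seconds until the deny rule is unbound (constructed default)
    block_syn_fin: bool = False
    # per-port bookkeeping: one-second window [second, count], port status, rule expiry, syslog
    window: dict = field(default_factory=lambda: defaultdict(lambda: [-1, 0]))
    status: dict = field(default_factory=lambda: defaultdict(lambda: "Normal"))
    blocked_until: dict = field(default_factory=dict)
    syslog: list = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one packet and update the port's state."""
        port = pkt.port
        # Block SYN-FIN Packets applies to every port, independent of the per-interface mode
        if self.block_syn_fin and pkt.syn and pkt.fin:
            return "drop"
        # unbind the deny SYN with MAC-to-me rule once the protection period has elapsed
        if port in self.blocked_until and pkt.t >= self.blocked_until[port]:
            del self.blocked_until[port]
            self.status[port] = "Normal"
            self.syslog.append(f"{port}: SYN protection rule unbound after {self.period}s")
        if self.mode == DISABLE or not (pkt.syn and pkt.to_me):
            return "forward"            # only SYNs destined for the CPU are counted
        if port in self.blocked_until:
            return "drop"               # rule still bound: drop without counting
        sec = int(pkt.t)
        if self.window[port][0] != sec:  # a new one-second window starts
            self.window[port] = [sec, 0]
        self.window[port][1] += 1
        if self.window[port][1] > self.threshold:
            if self.mode == REPORT:
                if self.status[port] != "Attacked":   # log once per attack (simplification)
                    self.status[port] = "Attacked"
                    self.syslog.append(f"{port}: SYN rate above {self.threshold}/s (report only)")
                return "forward"
            self.status[port] = "Blocked"
            self.blocked_until[port] = pkt.t + self.period
            self.syslog.append(f"{port}: SYN rate above {self.threshold}/s, deny rule bound")
            return "drop"
        return "forward"


def run_scenario(mode=BLOCK_AND_REPORT, threshold=80, period=60):
    """Replay constructed traffic: a 100-SYN burst in one second on gi1, normal SYNs on gi2,
    one SYN+FIN packet, and one more SYN on gi1 after the protection period has elapsed."""
    guard = SynProtection(mode=mode, threshold=threshold, period=period, block_syn_fin=True)
    pkts = [Packet("gi1", 10.0 + i / 100, syn=True, fin=False) for i in range(100)]
    pkts += [Packet("gi2", 10.0 + i / 10, syn=True, fin=False) for i in range(5)]
    pkts += [Packet("gi2", 10.7, syn=True, fin=True)]
    pkts += [Packet("gi1", 10.0 + period + 1.0, syn=True, fin=False)]
    pkts.sort(key=lambda p: p.t)
    results = defaultdict(lambda: {"forward": 0, "drop": 0})
    for p in pkts:
        results[p.port][guard.process(p)] += 1
    status = {port: guard.status[port] for port in ("gi1", "gi2")}
    return dict(results), status, list(guard.syslog)


if __name__ == "__main__":
    for m in (BLOCK_AND_REPORT, REPORT):
        counts, status, log = run_scenario(mode=m)
        print(m, counts, status, log)
```

In Block and Report mode the 81st SYN inside the burst second crosses the threshold, so it and the remaining 19 are dropped while the 80 earlier ones and the SYN sent after the period was over are forwarded; the unbind restores the port to Normal. In Report mode nothing is dropped except the SYN+FIN packet, and the port is only marked Attacked, which is why Report is the mode to start with when tuning the threshold on a live network.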
The SYN Protection Interface Table displays the following fields for every port or
LAG (as requested by the user)