Cisco 7604 Configuration Manual page 529

IOS Software Configuration Guide
Chapter 36
Configuring Denial of Service Protection
Traffic Storm Control
A traffic storm occurs when packets flood the LAN, which creates excessive traffic and degrades
network performance. The traffic storm control feature prevents LAN ports from being disrupted by a
broadcast, multicast, or unicast traffic storm on physical interfaces, whether caused by mistakes in
network configuration or by users launching a DoS attack. Traffic storm control (also called traffic suppression)
monitors incoming traffic levels over a 1-second traffic storm control interval. During the interval, traffic
storm control compares the traffic level with the configured traffic storm control level. The traffic storm
control level is a percentage of the total available bandwidth of the port. Each port has a single traffic
storm control level that is used for all types of traffic (broadcast, multicast, and unicast).
Traffic storm control is configured on an interface and is disabled by default. The configuration example
here enables broadcast address storm control on interface FastEthernet 2/3 to a level of 20 percent. When
the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the
port within a 1-second traffic-storm-control interval, traffic storm control will drop all broadcast traffic
until the end of the traffic-storm-control interval.
Router(config-if)# storm-control broadcast level 20
The Cisco 7600 series router supports broadcast storm control on all LAN ports and multicast and
unicast storm control on Gigabit Ethernet ports.
When two or three suppression modes are configured simultaneously, they share the same level settings.
If broadcast suppression is enabled, and if multicast suppression is also enabled and configured at a
70-percent threshold, the broadcast suppression will also have a setting for 70 percent.
Network Under SYN Attack
A network under a SYN attack is easily recognized. The target host becomes unusually slow, crashes, or
suspends operation. Traffic returned from the target host can also cause trouble on the MSFC because
return traffic goes to randomized source addresses of the original packets, lacks the locality of "real" IP
traffic, and may overflow route caches or CEF tables.
When the network is under a SYN attack, the TCP intercept feature becomes aggressively defensive.
Two factors determine when aggressive behavior on the router begins and ends:
- The total number of incomplete connections
- The number of connection requests during the last one-minute sample period
Both factors are configured with low and high values.
If the number of incomplete connections exceeds 1,100, or the number of connections arriving in the last
one-minute period exceeds 1,100, each new arriving connection causes the oldest partial connection (or
a random connection) to be deleted. These are the default values, which can be altered. When either of
the thresholds is exceeded, TCP intercept assumes the server is under attack and goes into aggressive
mode with the following reactions:
- Each new arriving connection causes the oldest partial (or a random partial) connection to be deleted.
- The initial retransmission timeout is reduced by half to 0.5 seconds, so the total time spent trying to
establish the connection is cut in half.
- In watch mode, the watch timeout is reduced by half.
OL-4266-08
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
Understanding How DoS Protection Works
36-13
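A small Python model of the TCP intercept threshold logic described above, added here as an illustration; it is not Cisco's code. The 1,100 high-water marks come from the page, while the low-water marks of 900 and the 1-second base retransmission timeout are assumed parameters.

```python
from collections import OrderedDict, deque

class TcpIntercept:
    """Model of the TCP intercept aggressive-mode thresholds described above.
    The 1,100 high-water marks are the page's defaults; the low-water marks and
    the 1-second base retransmission timeout are assumed parameters."""

    def __init__(self, max_incomplete_high=1100, max_incomplete_low=900,
                 one_minute_high=1100, one_minute_low=900, base_timeout=1.0):
        self.max_incomplete_high = max_incomplete_high
        self.max_incomplete_low = max_incomplete_low
        self.one_minute_high = one_minute_high
        self.one_minute_low = one_minute_low
        self.base_timeout = base_timeout
        self.partial = OrderedDict()  # conn id -> SYN time, oldest first
        self.arrivals = deque()       # SYN arrival times in the last 60 s
        self.aggressive = False

    def _prune(self, now):
        # Drop arrivals that fell out of the one-minute sample window.
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()

    def syn(self, conn_id, now):
        """Handle a new SYN at time `now` (seconds); return the id of the
        partial connection evicted to make room for it, or None."""
        self._prune(now)
        self.arrivals.append(now)
        evicted = None
        if self.aggressive and self.partial:
            # Aggressive mode: each new SYN deletes the oldest partial connection.
            evicted, _ = self.partial.popitem(last=False)
        self.partial[conn_id] = now
        self._update_mode()
        return evicted

    def complete(self, conn_id):
        """Handshake finished (or timed out): no longer a partial connection."""
        self.partial.pop(conn_id, None)

    def _update_mode(self):
        incomplete, rate = len(self.partial), len(self.arrivals)
        if incomplete > self.max_incomplete_high or rate > self.one_minute_high:
            self.aggressive = True   # either high threshold exceeded
        elif incomplete < self.max_incomplete_low and rate < self.one_minute_low:
            self.aggressive = False  # both factors back below their low marks

    def retransmit_timeout(self):
        """Initial retransmission timeout: halved while in aggressive mode."""
        return self.base_timeout / 2 if self.aggressive else self.base_timeout
```

Feeding the model a burst of SYNs shows the mode flip at the 1,101st incomplete connection, the eviction of the oldest partial on the next SYN, and the return to normal once both factors fall below their low marks.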