Figure 6-10 Repelling DoS SYN Attacks With Delayed Binding - Nortel Web OS Switch Software Application Manual


Figure 6-10 Repelling DoS SYN Attacks With Delayed Binding

[Figure 6-10: two sequence diagrams across Client, Internet, Web Switch and Server.]

Normal Request with Delayed Binding:
  1. Client sends a SYN request.
  2. Switch responds with special SYN ACK.
  3. Client sends an ACK or DATA REQ.
  4. Switch recognizes valid three-way handshake.
  5. Switch sends a SYN request to server.
  6. Server responds with SYN ACK.
  7. Switch sends ACK or DATA REQ.
  8. Server responds with DATA and switch splices connection to client.

DoS SYN Attack with Delayed Binding:
  1. Client sends a SYN request.
  2. Switch responds with special SYN ACK.
  3. Client sends new SYN requests.
  4. Switch responds with another SYN ACK.
  No session entry is made until a valid three-way handshake is complete.
  Switch and server resources are protected for legitimate requests.

Once the Web switch receives a valid ACK or DATA REQ from the client, the Web switch
sends a SYN request to the server on behalf of the client, waits for the server to respond with a
SYN ACK, and then forwards the client's DATA REQ to the server. Basically, the Web switch
delays binding the client session to the server until the proper handshakes are complete.

Thus, with delayed binding, two independent TCP connections span a Web session: one from
the client to the Web switch and the second from the Web switch to the selected server. The
switch temporarily terminates each TCP connection until content has been received, thus
preventing the server from being inundated with SYN requests.

NOTE - Delayed binding is automatically enabled when content intelligent switching features
are used. However, if you are not parsing content, you must explicitly enable delayed binding
if desired.

Web OS 10.0 Application Guide, Chapter 6: Server Load Balancing, page 147
212777-A, February 2002
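The following simulation illustrates the delayed-binding behaviour described above: the switch answers every client SYN without creating a session entry, and only a client that completes the three-way handshake causes a SYN to be sent to the real server. This is an added example, not Nortel Web OS code. The manual does not say how the switch's "special SYN ACK" is built; the example assumes it carries a keyed cookie in the sequence number so the switch can recognise a valid handshake without per-connection state. Packet dicts, the `Server` stub, `DelayedBindingSwitch`, `syn_flood` and `legitimate_client` are all constructed for this illustration.

```python
"""Simulation of delayed binding (a SYN proxy in front of a server).

Added example, not Nortel Web OS code.  Packets are plain dicts; the
"special SYN ACK" is modelled as a keyed cookie in the sequence number so the
switch keeps no per-connection state until the client's ACK proves that the
three-way handshake completed (an assumption of this example, not the manual).
"""
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

SECRET = secrets.token_bytes(16)  # per-switch key for the cookie (constructed)


def syn_cookie(src_ip, src_port, dst_ip, dst_port):
    """32-bit cookie derived from the 4-tuple; verifiable without a table entry."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


@dataclass
class Server:
    """Stub real server: each SYN holds a half-open slot until the handshake finishes."""
    half_open: int = 0
    established: int = 0
    backlog: int = 4

    def recv_syn(self):
        if self.half_open >= self.backlog:
            return None              # backlog full: a real server would drop new SYNs
        self.half_open += 1
        return "SYN ACK"

    def recv_ack(self):
        self.half_open -= 1
        self.established += 1
        return "DATA"


@dataclass
class DelayedBindingSwitch:
    server: Server
    vip: str = "10.0.0.1"                          # constructed virtual IP
    sessions: dict = field(default_factory=dict)   # (ip, port) -> bound session

    def handle(self, pkt):
        """Process one client packet; return the switch's reply, or None if dropped."""
        key = (pkt["src_ip"], pkt["src_port"])
        cookie = syn_cookie(pkt["src_ip"], pkt["src_port"], self.vip, 80)

        if pkt["flags"] == "SYN":
            # Special SYN ACK: seq carries the cookie; no session entry is made.
            return {"flags": "SYN ACK", "seq": cookie, "ack": pkt["seq"] + 1}

        if pkt["flags"] in ("ACK", "DATA") and key not in self.sessions:
            if pkt.get("ack") != (cookie + 1) & 0xFFFFFFFF:
                return None          # not a completed handshake: spoofed or stale, drop
            # Valid three-way handshake recognised: now bind the client to the server.
            if self.server.recv_syn() is None:
                return None
            self.server.recv_ack()   # answer the server's SYN ACK with ACK / DATA REQ
            self.sessions[key] = {"bound": True}
            return {"flags": "DATA", "spliced": True}

        if key in self.sessions:
            return {"flags": "DATA", "spliced": True}
        return None


def syn_flood(switch, count):
    """Spoofed SYNs from many sources; returns (session entries, server half-open)."""
    for i in range(count):
        switch.handle({"src_ip": f"203.0.113.{i % 250}", "src_port": 1024 + i,
                       "flags": "SYN", "seq": i})
    return len(switch.sessions), switch.server.half_open


def legitimate_client(switch, ip="198.51.100.7", port=40000):
    """Full handshake then a request; returns (spliced?, server.established)."""
    synack = switch.handle({"src_ip": ip, "src_port": port, "flags": "SYN", "seq": 1000})
    reply = switch.handle({"src_ip": ip, "src_port": port, "flags": "DATA",
                           "seq": 1001, "ack": (synack["seq"] + 1) & 0xFFFFFFFF})
    return bool(reply and reply.get("spliced")), switch.server.established


if __name__ == "__main__":
    sw = DelayedBindingSwitch(Server())
    print("after 10000 spoofed SYNs:", syn_flood(sw, 10000))   # (0, 0)
    print("legitimate client:", legitimate_client(sw))          # (True, 1)
```

Running the script shows the point of the figure: ten thousand spoofed SYNs leave the switch's session table empty and the server's half-open count at zero, while the one client that returns a correct ACK is bound to the server and spliced through. Note that the stub server's small backlog would be exhausted by the same flood if it faced the clients directly.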
