Denial Of Service Protection; Configuring Denial Of Service Protection - Extreme Networks ExtremeWare 7.2e Installation And User Manual

Software version 7.2e

Security

Denial of Service Protection

A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed
and rendered inoperative, so that legitimate requests for service cannot succeed. In its simplest
form, a Denial of Service attack is indistinguishable from normal heavy traffic. The Summit 400 switch
is not vulnerable to this simple attack because it is designed to process packets in hardware at wire
speed. However, some operations in any switch or router are more costly than others: normal traffic
is forwarded in hardware, but exception traffic must be handled by the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
• Learning new traffic
• Routing and control protocols including ICMP and OSPF
• Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
• Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU can be too busy to service the other functions,
and switch performance suffers. Even with the fast CPU of the Summit 400, there are ways to
overwhelm the CPU with packets that require costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. When the switch
receives a flood of packets, DoS Protection counts the packets sent to the CPU. If the count reaches the
configured threshold, the flow of these packets to the CPU is blocked.

Configuring Denial of Service Protection

DoS Protection is not enabled on the Summit 400 by default. To start protecting the switch from attack,
first determine which ports are at risk and set limits for the traffic on those ports. Use the following
command to identify those ports and to configure the alert-threshold, also known as the disable
threshold:
configure cpu-dos-protect [ports <portnumber> | all] alert-threshold threshold <pkts> interval-time <seconds>
You can also configure all the ports on the switch to globally implement DoS using the following
default values:
• alert-threshold—150 packets per second
• interval-time—1 second
To enable all ports on the switch to use DoS Protection, use the following command:
enable cpu-dos-protect
After enabling DoS Protection, you can monitor the traffic for a port or for the whole switch by issuing the
following command:
show cpu-dos-protect [ports <portnumber>]
CPU DoS Protection must be enabled for the show command to report valid values.
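To make the counting behaviour described in this section concrete (packets to the CPU are counted per port per interval, and the flow is blocked once the count reaches the alert-threshold), the following is an added Python model. It is not ExtremeWare code and not the switch's actual implementation; it assumes fixed-length counting intervals, per-port blocking, and a constructed packet trace (a 300-packet flood on port 3 and steady 40 packets/s on port 7) using the page's default threshold of 150 packets per 1-second interval. The show() method mirrors the manual's note that show cpu-dos-protect only reports valid values once protection is enabled.

```python
from collections import defaultdict

# Defaults taken from the manual: 150 packets per 1-second interval.
DEFAULT_ALERT_THRESHOLD = 150
DEFAULT_INTERVAL_TIME = 1.0


class CpuDosProtect:
    """Simplified model (assumption, not ExtremeWare's code) of CPU DoS Protection:
    count CPU-bound packets per port within fixed intervals and block a port's
    flow to the CPU once the count in one interval reaches alert_threshold."""

    def __init__(self, alert_threshold=DEFAULT_ALERT_THRESHOLD,
                 interval_time=DEFAULT_INTERVAL_TIME):
        if alert_threshold < 1 or interval_time <= 0:
            raise ValueError("alert_threshold must be >= 1 and interval_time > 0")
        self.alert_threshold = alert_threshold
        self.interval_time = interval_time
        self.enabled = False                # mirrors "not enabled by default"
        self._counts = defaultdict(int)     # (port, interval index) -> packets seen
        self.blocked = {}                   # port -> timestamp at which it was blocked

    def enable(self):
        """Equivalent of 'enable cpu-dos-protect'."""
        self.enabled = True

    def _interval(self, ts):
        return int(ts // self.interval_time)

    def cpu_packet(self, port, ts):
        """Record one packet from `port` at time `ts` that needs CPU processing.
        Returns True if the packet reaches the CPU, False if it is dropped."""
        if not self.enabled:
            return True                     # no protection: everything hits the CPU
        if port in self.blocked:
            return False                    # flow from this port already cut off
        key = (port, self._interval(ts))
        self._counts[key] += 1
        if self._counts[key] >= self.alert_threshold:
            self.blocked[port] = ts         # threshold reached: block the port's flow
            return False
        return True

    def show(self, port=None):
        """Mirror of 'show cpu-dos-protect [ports <port>]'. Returns None when
        protection is disabled, because the counters are not valid then."""
        if not self.enabled:
            return None
        ports = [port] if port is not None else sorted({p for p, _ in self._counts})
        return {
            p: {
                "blocked": p in self.blocked,
                "peak_per_interval": max(
                    (c for (q, _), c in self._counts.items() if q == p), default=0),
            }
            for p in ports
        }


def replay(protect, events):
    """Feed (port, timestamp) events through the model; return how many packets
    reached the CPU and which ports ended up blocked."""
    delivered = 0
    for port, ts in events:
        if protect.cpu_packet(port, ts):
            delivered += 1
    return delivered, sorted(protect.blocked)


def constructed_trace():
    """Constructed sample traffic: port 3 sends 300 CPU-bound packets within
    0.5 s (a flood); port 7 sends a steady 40 packets/s for 3 s (normal
    management traffic). All timestamps are in seconds."""
    flood = [(3, i * 0.5 / 300) for i in range(300)]
    steady = [(7, i / 40) for i in range(120)]
    return sorted(flood + steady, key=lambda e: e[1])


def demo():
    protect = CpuDosProtect()               # page defaults: 150 pkts / 1 s
    protect.enable()
    delivered, blocked = replay(protect, constructed_trace())
    return delivered, blocked, protect.show()


if __name__ == "__main__":
    print(demo())   # (269, [3], {3: blocked, peak 150; 7: not blocked, peak 40})
```

Running demo() shows the tuning question an operator faces: the flood on port 3 is cut off at the 150th packet of its interval (149 reached the CPU), while the steady 40 packets/s on port 7 never approaches the threshold and is delivered in full. Lowering alert-threshold or lengthening interval-time trades earlier blocking against the risk of cutting off legitimate management traffic on a busy port.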
ExtremeWare 7.2e Installation and User Guide
