Denial Of Service Protection; Configuring Simulated Denial Of Service Protection - Extreme Networks ExtremeWare XOS Guide Manual

Security

Denial of Service Protection

A Denial-of-Service (DoS) attack occurs when a critical network or computing resource is overwhelmed
and rendered inoperative in a way that legitimate requests for service cannot succeed. In its simplest
form, a Denial of Service attack is indistinguishable from normal heavy traffic. There are some
operations in any switch or router that are more costly than others, and although normal traffic is not a
problem, exception traffic must be handled by the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
Learning new traffic (BlackDiamond 10K switch only; the BlackDiamond 8800 family of switches and
●
the Summit X450 switch learn in hardware)
Routing and control protocols including ICMP, BGP, OSPF, STP, EAPS, ESRP, and so forth
●
Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, and so forth)
●
Other packets directed to the switch that must be discarded by the CPU
●
If any one of these functions is overwhelmed, the CPU may be too busy to service other functions and
switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm the
CPU with packets requiring costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. When a flood of CPU
bound packets reach the switch, DoS Protection will count these packets. When the packet count nears
the alert threshold, packets headers will be saved. If the threshold is reached, then these headers are
analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the
CPU. This ACL will remain in place to provide relief to the CPU. Periodically, the ACL will expire, and
if the attack is still occurring, it will be re-enabled. With the ACL in place, the CPU will have the cycles
to process legitimate traffic and continue other services.
DoS Protection will send a notification when the notify threshold is reached.
You can also specify some ports as trusted ports, so that DoS protection will not be applied to those
ports.

Configuring Simulated Denial of Service Protection

The conservative way to deploy DoS protection is to use the simulated mode first. In simulated mode,
DoS protection is enabled, but no ACLs are generated. To enable the simulated mode, use the following
command:
enable dos-protect simulated
This mode is useful to gather information about normal traffic levels on the switch. This will assist in
configuring denial of service protection so that legitimate traffic is not blocked.
The remainder of this section describes how to configure DoS protection, including alert thresholds,
notify thresholds, ACL expiration time, and so on.
320
ExtremeWare XOS 11.3 Concepts Guide