Device Syslog History - Extreme Networks EPICenter Guide Manual

Concepts and solutions guide
Managing Network Security
switch or router that are more costly than others, and although normal traffic is not a problem,
exception traffic must be handled by the switch's CPU in software.
Some packets that the switch processes in the CPU software include:
• Learning new traffic
• Routing and control protocols including ICMP, BGP and OSPF
• Switch management traffic (switch access by Telnet, SSH, HTTP, SNMP, etc.)
• Other packets directed to the switch that must be discarded by the CPU
If any one of these functions is overwhelmed, the CPU may become too busy to service other functions
and switch performance will suffer. Even with very fast CPUs, there will always be ways to overwhelm
the CPU with packets requiring costly processing.
DoS Protection is designed to help prevent this degraded performance by attempting to characterize the
problem and filter out the offending traffic so that other functions can continue. When a flood of
packets is received by the switch, DoS Protection will count these packets. When the packet count
nears the alert threshold, packet headers are saved. If the threshold is reached, then these headers are
analyzed, and a hardware access control list (ACL) is created to limit the flow of these packets to the
CPU. With the ACL in place, the CPU will have the cycles to process legitimate traffic and continue
other services.
Once DoS Protection is set up on the switches, you could define an Alarm for the traps "DOS Threshold
cleared" and "DOS Threshold reached", and have it take an action such as an email notification or
sending a page to a network administrator.
Refer to the ExtremeWare Software User Guide for information on configuring DoS Protection on your
Extreme Networks switches.
Another example would be to detect a TCP SYN flood as indicating a potential DoS attack. A SYN flood
occurs when a malicious entity sends a flood of TCP SYN packets to a host. For each of these SYN
requests, the host reserves system resources for the potential TCP connection. If many of these SYN
packets are received, the victim host runs out of resources, effectively denying service to any legitimate
TCP connection.
Using the Alarms Manager, you can detect a potential SYN flood by defining a threshold alarm, using a
delta rising threshold rule on the TCP-MIB object tcpPassiveOpens. If this MIB object rises quickly in a
short delta period, the system may be under a DoS attack.
See "Using the EPICenter Alarm System" on page 41 for more information about creating alarms such
as these.
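The delta rising-threshold rule described above, worked through as an added example (not EPICenter code): polled tcpPassiveOpens values are differenced per interval, the alarm fires when the delta meets the rising threshold, and it re-arms only after the delta falls to a falling threshold so a sustained flood produces one event rather than one per poll. The polling interval, the thresholds, the falling-threshold hysteresis and the sample values are assumptions.

```python
"""Delta rising-threshold alarm on TCP-MIB tcpPassiveOpens (a Counter32)."""
from dataclasses import dataclass, field
from typing import List, Optional

COUNTER32_MAX = 2 ** 32  # tcpPassiveOpens is a Counter32 and wraps modulo 2^32


@dataclass
class DeltaThresholdAlarm:
    rising: int                       # fire when per-interval delta >= rising
    falling: int                      # re-arm once delta <= falling (assumed hysteresis)
    last_value: Optional[int] = None
    armed: bool = True
    events: List[str] = field(default_factory=list)

    def sample(self, value: int) -> Optional[int]:
        """Feed one polled counter value; return the delta (None on the first poll)."""
        if self.last_value is None:
            self.last_value = value
            return None
        # Modular subtraction so a wrapped Counter32 is not read as a huge or negative delta.
        delta = (value - self.last_value) % COUNTER32_MAX
        self.last_value = value
        if self.armed and delta >= self.rising:
            self.events.append(f"RISING: tcpPassiveOpens +{delta} in one interval (possible SYN flood)")
            self.armed = False
        elif not self.armed and delta <= self.falling:
            self.events.append(f"FALLING: tcpPassiveOpens +{delta}, alarm re-armed")
            self.armed = True
        return delta


def run_samples(samples, rising, falling):
    """Replay polled values through the alarm; return (deltas, events)."""
    alarm = DeltaThresholdAlarm(rising=rising, falling=falling)
    deltas = [alarm.sample(v) for v in samples]
    return deltas, alarm.events


# Constructed poll results (assumed 60 s interval): ~20-30 passive opens per interval,
# then two intervals of flood-rate opens, then a return to normal.
SAMPLES = [1000, 1025, 1050, 1070, 6000, 12000, 12030, 12050]

if __name__ == "__main__":
    deltas, events = run_samples(SAMPLES, rising=500, falling=100)
    print(deltas)
    print("\n".join(events))
```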

Device Syslog History

Syslog messages report important information about events in your network. Each Extreme Networks
product acts as a syslog client, sending syslog messages to configured syslog servers. These messages
include information that reveals the security status of your network. Using syslog messages, you can
track events in your network that may affect security.
104
EPICenter Concepts and Solutions Guide

This manual is also suitable for:

Epicenter 5.0