Configuring Syn-Proxy Auto Control - Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual

Version 12.4.00a

5 Configuring Syn-Proxy

TABLE 9 MSS values for IPv4, IPv6 and IPv4 jumbo
            MSS value
IPv6        64, 236, 516, 946, 1004, 1420, 1432, 1440
IPv4 Jumbo  256, 536, 966, 1024, 1452, 1460, 4038, 8960

Configuring Syn-Proxy auto control

Syn-proxy auto control operates the same as the normal Syn-proxy feature except that it is enabled
and disabled based on the arrival rate of TCP SYN packets on the ServerIron ADX. This is described
in "Syn-Proxy auto control" on page 113. The following steps describe how to configure your
ServerIron ADX for Syn-proxy auto control.
1. Set the SYN-Proxy auto control threshold levels – This procedure, described in "Setting the
SYN-Proxy auto control thresholds" on page 120, sets the thresholds for enabling and
disabling Syn-Proxy during operation of the ServerIron ADX.
2. Set the interval time for counting TCP SYN packets – This procedure, described in "Setting the
interval time for counting TCP SYN packets" on page 121, sets the time period over which the
thresholds set in Step 1 are evaluated.
3. Define Syn-Proxy on an in-bound interface – This is described in Step 2 of the procedure for
"Enabling SYN-Proxy" on page 114.

Considerations for configuring Syn-proxy auto control
The following details concerning operation of the Syn-proxy feature should be considered when
configuring the Syn-proxy auto control feature on a ServerIron ADX:
• All traffic including SLB and pass-through traffic is brought to a BP. Consequently, regardless of
whether or not an interface has the syn-proxy feature enabled, if the threshold set for the rate
of syns received per-second is exceeded for all ports on a ServerIron ADX, Syn-proxy auto
control is enabled and will stay enabled as long as the rate remains above the configured
off-threshold value.
• For interfaces that do not have the syn-proxy feature enabled, there will not be any syn attack
protection even when Syn-proxy is enabled through auto control. Consequently, for the
Syn-proxy auto control feature to work as expected, we recommend that syn-proxy be enabled
on all interfaces.

Setting the SYN-Proxy auto control thresholds
To activate Syn-Proxy auto control, follow these steps:
Globally enable Syn-Proxy auto control by setting the thresholds for enabling and disabling
Syn-Proxy as shown in the following command.
ServerIronADX(config)# ip tcp syn-proxy on-threshold 1000 off-threshold 500
Syntax: ip tcp syn-proxy on-threshold <on-threshold-value> off-threshold <off-threshold-value>
The on-threshold parameter is used to define the rate of syns received per-second (specified by the
<on-threshold-value> variable) at which the Syn-Proxy feature is enabled on the ServerIron ADX.
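
The on-threshold/off-threshold behaviour described for Syn-Proxy auto control is a hysteresis loop, which the following added Python example models; it is not Brocade code. The 5-second counting interval, the boundary comparisons, the port names and all function names are assumptions made for illustration.

```python
# Added illustration: a model of the on/off threshold hysteresis described
# for Syn-Proxy auto control. Not Brocade code; names are hypothetical.
from dataclasses import dataclass


@dataclass
class AutoControl:
    on_threshold: int    # SYNs/sec at which Syn-Proxy turns on
    off_threshold: int   # SYNs/sec at or below which it turns off (assumed boundary)
    interval_s: int      # counting interval in seconds (assumed value)
    active: bool = False

    def observe(self, syn_count: int) -> bool:
        """Feed the SYNs counted on all ports in one interval; return the state."""
        rate = syn_count / self.interval_s
        if not self.active and rate >= self.on_threshold:
            self.active = True
        elif self.active and rate <= self.off_threshold:
            self.active = False
        return self.active


def protected_ports(active, proxy_ports, all_ports):
    """Ports that actually get SYN protection while auto control is active."""
    return sorted(set(all_ports) & set(proxy_ports)) if active else []


def simulate(counts, on=1000, off=500, interval_s=5):
    """Return the Syn-Proxy state after each counting interval."""
    ctl = AutoControl(on, off, interval_s)
    return [ctl.observe(c) for c in counts]


# Constructed sample: SYNs counted per 5-second interval across all ports.
SAMPLE_COUNTS = [1500, 4000, 6000, 3500, 2600, 2400, 4500, 5500]

if __name__ == "__main__":
    states = simulate(SAMPLE_COUNTS)
    for count, state in zip(SAMPLE_COUNTS, states):
        print(f"{count / 5:7.0f} SYN/s -> syn-proxy {'ON' if state else 'off'}")
    # Constructed port names; only 1/1 has syn-proxy configured on it.
    print("protected:", protected_ports(states[2], ["1/1"], ["1/1", "1/2", "1/3"]))
```

With thresholds of 1000 and 500, a rate of 700 SYNs/sec keeps Syn-Proxy on if it was already active but does not turn it on, and ports without syn-proxy configured stay unprotected in either state.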
ServerIron ADX Security Guide
53-1002440-03
