[f-nsp] DoS max-conns setting on ServerIron

Jamie Dahl jamied at meatball.net
Wed Feb 7 00:00:56 EST 2007


Are you running in DSR mode?

If you're running in INLINE mode, set up syn-proxy (SYN cookie protection)
and apply it on the inbound interface.

Example:

  ip tcp syn-proxy 10   (wait no more than 10 seconds for a response to the
                         SYN-ACK)

  int x/x
    ip tcp syn-proxy in


Also, there are other global settings you can use (and these are global, not
per single source host).

You can set up the following options as well:

SLB-telnet@switch(config)#ip tcp
  burst-normal       Number of packets per second in normal burst mode
  conn-rate
  conn-rate-change
  keepalive          TCP keep alive timer configuration
  syn-proxy          enable syn proxy on system
  tcp-security       Enable TCP security described in
                     draft-ietf-tcpm-tcpsecure-00.txt
  trans-rate         enable transaction rate limiting on the system

OR

SLB-telnet@switch(config)#ip icmp
  burst-normal   Number of packets per second in normal burst mode
  trans-rate     enable transaction rate limiting on the system


I WILL CAVEAT THE FOLLOWING:

These do not work correctly in 9.3.x: we've seen those commands have some to
little effect on a high-rate SYN attack against some of our VIPs (> 200 kpps
against a single IP), but not the effect we'd hoped for.  If you are running
9.4.x your mileage may be better.  Also, 9.4 has a few more TCP options that
can be tweaked for better SYN/DoS protection.

Also, those commands work best in INLINE mode, not DSR.

Anyway, good luck.

On Tue, February 6, 2007 11:02, pablo Estavio wrote:
> Hello,
>
> Does anyone know if the ServerIron (chassis, not XL) can limit the
> max-connections (not rate of connections) from a single client IP address?
> We are trying to devise a way to limit total connections on a client IP
> address basis so that a client cannot open many HTTP connections to a
> single server.
>
> Thanks,
>
> Pablo
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>


-- 
Jamie Dahl

"Thousands of tired, nerve-shaken, over-civilized people are beginning to
find out that going to the mountains is going home; that wilderness is a
necessity; and that mountain parks and reservations are useful not only as
fountains of timber and irrigating rivers, but as fountains of life."
--John Muir
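The reply's main recommendation is the syn-proxy (SYN cookie) feature with a 10-second wait for the client's ACK. The following is an added example, not code from the post and not the ServerIron implementation: it models what such a proxy does, answering every SYN with a SYN-ACK whose sequence number is a cookie (time counter, MSS index and a keyed hash of the 4-tuple), keeping no half-open state, and only accepting the final ACK if the cookie verifies, matches the 4-tuple, and is no older than the configured wait. The bit layout (5-bit tick, 3-bit MSS index, 24-bit MAC) follows the classic Linux-style scheme; the key, tick size, lifetime, addresses and sample packets are assumptions for illustration.

```python
"""SYN-cookie style stateless SYN handling, the idea behind `ip tcp syn-proxy`.

Added example: not code from the foundry-nsp post and not the ServerIron
implementation. Key, tick size, cookie lifetime and sample packets are assumed.
"""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1220, 1440, 1460)  # MSS values the cookie can encode (3-bit index)
TICK_SECONDS = 5                     # coarse time counter kept in the top 5 bits
COOKIE_LIFETIME_TICKS = 1            # accept the current or previous tick: at most
                                     # 10 s old, matching "wait no more than 10 seconds"


def _mac24(key, saddr, sport, daddr, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the tick."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, tick)
    return hmac.new(key, msg, hashlib.sha256).digest()[:3]


def make_cookie(key, saddr, sport, daddr, dport, client_mss, now):
    """ISN for the proxy's SYN-ACK. Nothing is stored per half-open connection."""
    tick = int(now // TICK_SECONDS)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    mac = int.from_bytes(_mac24(key, saddr, sport, daddr, dport, tick), "big")
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(key, saddr, sport, daddr, dport, ack, now):
    """Validate the client's ACK (ack == our ISN + 1).

    Returns the MSS to use toward the backend, or None if the cookie is forged,
    belongs to another 4-tuple, or is older than COOKIE_LIFETIME_TICKS.
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    tick_now = int(now // TICK_SECONDS)
    want = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(COOKIE_LIFETIME_TICKS + 1):
        tick = tick_now - age
        if (tick & 0x1F) != (cookie >> 27):
            continue                      # tick bits don't match this candidate
        if hmac.compare_digest(want, _mac24(key, saddr, sport, daddr, dport, tick)):
            return MSS_TABLE[mss_idx]
    return None


def handshake(key, saddr, sport, daddr, dport, client_mss, syn_time, ack_time,
              ack_tamper=0):
    """Constructed exchange: client SYN at syn_time, final ACK at ack_time.

    ack_tamper perturbs the ACK number to simulate a forged/guessed cookie.
    Returns the negotiated MSS, or None when the ACK is dropped and the backend
    is never contacted."""
    isn = make_cookie(key, saddr, sport, daddr, dport, client_mss, syn_time)
    ack = (isn + 1 + ack_tamper) & 0xFFFFFFFF
    return check_cookie(key, saddr, sport, daddr, dport, ack, ack_time)


# Constructed sample: client 10.0.0.9:40000 -> VIP 192.0.2.10:80 (assumed values).
KEY = b"rotate-me-periodically"
CLIENT, VIP = bytes([10, 0, 0, 9]), bytes([192, 0, 2, 10])
```

A SYN flood against the VIP costs the proxy one hash per SYN and no memory; only ACKs that carry a valid, fresh cookie reach the real server. The time window in the cookie is what the `ip tcp syn-proxy 10` argument corresponds to in this model: an ACK arriving more than two ticks later is rejected even if the MAC is correct.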

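The original question distinguishes a cap on the total connections a client IP holds open from a cap on its connection rate, and the reply's `ip tcp` options (conn-rate, burst-normal, trans-rate) are of the second kind. The following is an added example, not code from the post and not Foundry/ServerIron code: a small model of both policies run over constructed traffic, so it is visible which attacker each one actually stops. Limits, class names, addresses and the sample traffic are assumptions for illustration.

```python
"""Per-client-IP concurrent-connection cap versus per-client-IP connection-rate cap.

Added example, not code from the foundry-nsp post and not Foundry/ServerIron
code. Limits, class names and the sample traffic are assumed.
"""
from collections import defaultdict, deque


class MaxConnsPerSource:
    """Reject a new connection once a client IP already holds `limit` open ones."""

    def __init__(self, limit):
        self.limit = limit
        self.open = defaultdict(int)

    def on_open(self, src_ip):
        if self.open[src_ip] >= self.limit:
            return False
        self.open[src_ip] += 1
        return True

    def on_close(self, src_ip):
        if self.open[src_ip] > 0:
            self.open[src_ip] -= 1


class ConnRatePerSource:
    """Reject a new connection once a client IP opened `limit` connections in the
    last `window` seconds (sliding window). Open connections are never counted,
    so a client that connects slowly can still accumulate as many as it likes."""

    def __init__(self, limit, window=1.0):
        self.limit = limit
        self.window = window
        self.times = defaultdict(deque)

    def on_open(self, src_ip, now):
        recent = self.times[src_ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()          # drop attempts that fell out of the window
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def replay(events, max_conns, conn_rate):
    """Run one event stream through both policies independently.

    events: iterable of (time, src_ip, "open" | "close"), in time order.
    Returns (opens accepted by the max-conns policy,
             opens accepted by the conn-rate policy)."""
    cap = MaxConnsPerSource(max_conns)
    rate = ConnRatePerSource(conn_rate)
    accepted_cap = accepted_rate = 0
    for now, src_ip, kind in events:
        if kind == "open":
            if cap.on_open(src_ip):
                accepted_cap += 1
            if rate.on_open(src_ip, now):
                accepted_rate += 1
        else:
            cap.on_close(src_ip)
    return accepted_cap, accepted_rate


# Constructed traffic (assumed addresses). SLOW_HOARDER: one client opens an HTTP
# connection every 0.5 s and never closes it, 40 connections over 20 s.
# BURSTY: another client opens 20 connections within 0.2 s but closes each at once.
SLOW_HOARDER = [(i * 0.5, "10.0.0.9", "open") for i in range(40)]
BURSTY = []
for i in range(20):
    BURSTY.append((100.0 + i * 0.01, "10.0.0.10", "open"))
    BURSTY.append((100.0 + i * 0.01 + 0.005, "10.0.0.10", "close"))
```

With both limits set to 8, `replay(SLOW_HOARDER, 8, 8)` returns `(8, 40)`: the rate policy never fires because the client stays at two new connections per second, while the concurrent cap stops it at eight. `replay(BURSTY, 8, 8)` returns `(20, 8)`, the reverse. A rate limit, which is what the listed `conn-rate` style knobs provide, therefore does not by itself answer the question of limiting total open connections per client; the two controls catch different clients and are normally deployed together.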