fir3net

Brocade ADX - DoS Protection

Summary

The Brocade ADX performs DoS protection in hardware, which lets it inspect and discard a far larger volume of attack traffic than software-based processing could. The attacks recognised and blocked at the hardware layer are:

  • deny-all fragments
  • Fin-with-no-ack
  • icmp-fragment
  • ip-option
  • land-attack
  • large-icmp
  • ping-of-death
  • syn-and-fin-set
  • syn-fragments
  • TCP-no-flags
  • unknown-ip-protocol
  • xmas-tree

At the software layer the following attacks are recognised:

  • address-sweep
  • filter-sip
  • generic
  • icmp-type
  • port-scan

Application Security Features

SYN-Defense

This feature allows the Brocade ADX to complete the TCP three-way handshake on behalf of the client. The SYN and the SYN-ACK are passed through as normal, but the final ACK is sent to the server by the ADX. If no ACK is subsequently received from the client, the ADX sends a RST to the server to terminate the connection.
The main benefit is that the server can move the connection out of its small half-open (SYN) backlog and into its established queue, which is much larger, so a flood of unanswered SYNs does not exhaust the backlog.
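As an added illustration (not Brocade's code), the following models the SYN-Defense exchange described above: the SYN and SYN-ACK pass through, the ADX emits the third-leg ACK itself, and a flow whose client ACK never arrives is reset toward the server. The packet representation, the state names and the 3-second timeout are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Flow:
    state: str        # SYN_SENT -> ADX_ACKED -> ESTABLISHED, or RESET on timeout
    deadline: float   # time by which the client's own ACK must have arrived


class SynDefense:
    """SYN and SYN-ACK pass through unchanged; the ADX sends the third-leg ACK
    itself and RSTs the server if the client's own ACK never arrives."""

    def __init__(self, ack_timeout=3.0):
        self.ack_timeout = ack_timeout   # seconds to wait for the client ACK (assumed value)
        self.flows = {}                  # (client, server) -> Flow
        self.to_server = []              # (src, dst, flag) packets the ADX itself emits

    def on_packet(self, now, src, dst, flags):
        """Handle one forwarded packet; returns the flow's new state, or None."""
        if flags == {"SYN"}:
            # Client SYN passes through as normal; start tracking the half-open flow.
            self.flows[(src, dst)] = Flow("SYN_SENT", now + self.ack_timeout)
            return "SYN_SENT"
        if flags == {"SYN", "ACK"}:
            # Server SYN-ACK passes through; the ADX completes the handshake itself.
            flow = self.flows.get((dst, src))
            if flow and flow.state == "SYN_SENT":
                flow.state = "ADX_ACKED"
                self.to_server.append((dst, src, "ACK"))
                return "ADX_ACKED"
        if flags == {"ACK"}:
            # The client's real ACK arrived in time: the flow is genuinely established.
            flow = self.flows.get((src, dst))
            if flow and flow.state == "ADX_ACKED":
                flow.state = "ESTABLISHED"
                return "ESTABLISHED"
        return None

    def tick(self, now):
        """Expire flows the ADX acknowledged but the client never did; RST the server."""
        expired = []
        for (client, server), flow in self.flows.items():
            if flow.state == "ADX_ACKED" and now >= flow.deadline:
                flow.state = "RESET"
                self.to_server.append((client, server, "RST"))
                expired.append((client, server))
        return expired
```

Call `on_packet` for each packet in arrival order and `tick(now)` periodically; `to_server` then holds the ACKs and RSTs the ADX would have sent on the client's behalf.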

SYN-Proxy

The ADX proxies the entire three-way handshake, and a connection is only handed to the server once it has been fully established. This can be configured either globally or per interface using the command ip tcp syn-proxy [...].

Transaction Rate Limiting

Transaction Rate Limiting allows you to set the maximum number of connections on a per-client and per-port basis.

Connection Rate Control (CRC)

CRC allows you to define the maximum number of new connections that are forwarded to a real server.

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001