Brocade ADX – DoS Protection

Summary

The Brocade ADX provides DoS protection within the hardware layer. This allows a far greater number of DoS attacks to be processed than would be possible in software alone.
The attacks that are recognised and protected against at the hardware layer are:

  • deny-all fragments
  • Fin-with-no-ack
  • icmp-fragment
  • ip-option
  • land-attack
  • large-icmp
  • ping-of-death
  • syn-and-fin-set
  • syn-fragments
  • TCP-no-flags
  • unknown-ip-protocol
  • xmas-tree

At the software layer the following attacks are recognised:

  • address-sweep
  • filter-sip
  • generic
  • icmp-type
  • port-scan

Application Security Features

SYN-Defense

This feature allows the Brocade ADX to complete the TCP three-way handshake on behalf of the client. Both the SYN and the SYN-ACK of the three-way handshake are passed through as normal, but the final ACK is sent by the ADX. If no ACK is then received from the client, the ADX sends a RST to the server in order to terminate the connection.
The main benefit of this feature is that the server can move the connection out of its small half-open (SYN) queue and into its established queue, which is much larger.

SYN-Proxy

The ADX proxies the entire three-way handshake. The connection is only proxied on to the server once it has been fully established with the client. This can be configured either globally or per interface using the command ip tcp syn-proxy […].
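To make the difference between SYN-Defense and SYN-Proxy concrete, here is an added example (not Brocade code, and not from the original article) that replays a constructed mix of one genuine client and three spoofed SYNs through an in-memory model of each mode, plus an unprotected baseline, and reports what the real server's queues look like afterwards. The server, client names and mode functions are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed in-memory model of the SYN-Defense and SYN-Proxy modes described above
# (no real sockets). acks=False models a spoofed-source SYN whose SYN-ACK is never answered.
SYN, ACK, RST = "SYN", "ACK", "RST"

@dataclass
class RealServer:
    half_open: set = field(default_factory=set)     # small SYN queue
    established: set = field(default_factory=set)   # larger established queue
    log: list = field(default_factory=list)         # every segment the server sees

    def receive(self, flags, client):
        self.log.append((flags, client))
        if flags == SYN:
            self.half_open.add(client)            # server answers SYN-ACK and waits
        elif flags == ACK and client in self.half_open:
            self.half_open.discard(client)
            self.established.add(client)
        elif flags == RST:
            self.half_open.discard(client)
            self.established.discard(client)

def unprotected(server, client, acks):
    """No protection: an unanswered SYN-ACK leaves the entry in the SYN queue."""
    server.receive(SYN, client)
    if acks:
        server.receive(ACK, client)

def syn_defense(server, client, acks):
    """SYN and SYN-ACK are relayed; the ADX sends the final ACK itself, then sends
    a RST to the server if the client's own ACK never arrives."""
    server.receive(SYN, client)
    server.receive(ACK, client)      # ACK originates from the ADX, not the client
    if not acks:
        server.receive(RST, client)  # client ACK timed out: tear down on the server

def syn_proxy(server, client, acks):
    """The ADX completes the whole handshake; the server is contacted only if it succeeds."""
    if acks:
        server.receive(SYN, client)
        server.receive(ACK, client)

def run(mode, clients):
    server = RealServer()
    for name, acks in clients:
        mode(server, name, acks)
    return server

# Constructed traffic: one genuine client plus three spoofed SYNs that never ACK.
FLOOD = [("real", True), ("spoof1", False), ("spoof2", False), ("spoof3", False)]
```

Running `run(mode, FLOOD)` for each mode shows the spoofed entries stuck in the SYN queue only in the unprotected case, cleared by RST under SYN-Defense, and never reaching the server at all under SYN-Proxy.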

Transaction Rate Limiting

Transaction Rate Limiting allows you to set the maximum number of connections on a per-client and per-port basis.

Connection Rate Control (CRC)

CRC allows you to define the maximum number of new connections that are forwarded to a real server.

Rick Donato
