FastIron Configuration Guide 1921
53-1002494-02
Chapter 47: DoS Attack Protection
Table 316 lists individual Brocade switches and the DoS protection features they support. These
features are supported in the Layer 2, base Layer 3, edge Layer 3, and full Layer 3 software
images, except where noted.
This chapter explains how to protect your Brocade devices from Denial of Service (DoS) attacks.
In a Denial of Service (DoS) attack, a router is flooded with useless packets, hindering normal
operation. Brocade devices include measures for defending against two types of DoS attacks:
Smurf attacks and TCP SYN attacks.
Smurf attacks
A Smurf attack is a kind of DoS attack in which an attacker causes a victim to be flooded with
Internet Control Message Protocol (ICMP) echo (Ping) replies sent from another network.
Figure 209 illustrates how a Smurf attack works.
FIGURE 209 How a Smurf attack floods a victim with ICMP replies
[Figure: Attacker, Intermediary, and Victim, with the numbered steps below]
1. Attacker sends ICMP echo requests to the broadcast address on Intermediary’s network, spoofing Victim’s IP address as the source.
2. If Intermediary has directed broadcast forwarding enabled, the ICMP echo requests are broadcast to hosts on Intermediary’s network.
3. The hosts on Intermediary’s network send replies to Victim, inundating Victim with ICMP packets.

TABLE 316 Supported DoS protection features
Feature                                  FESX, FSX 800,   FWS   FCX   ICX 6610   ICX 6430,
                                         FSX 1600                                ICX 6450
Smurf attack (ICMP attack) protection    Yes              Yes   Yes   Yes        Yes
TCP SYN attack protection                Yes              Yes   Yes   Yes        Yes
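
The three steps in Figure 209 can be recognized in traffic seen on the Intermediary's network: an echo request addressed to a subnet broadcast address, followed by many replies to the claimed source. The following is an added example, not code from the Brocade guide; the packet tuples, addresses (documentation ranges), and function names are constructed for illustration.

```python
import ipaddress

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

# Constructed sample data: (src, dst, icmp_type, icmp_id)
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # Intermediary's subnets (assumed)
PACKETS = [
    ("198.51.100.7", "192.0.2.255", 8, 1),  # step 1: request to broadcast, source = Victim
    ("198.51.100.7", "192.0.2.10", 8, 2),   # ordinary unicast ping, same source
    ("192.0.2.10", "198.51.100.7", 0, 1),   # step 3: hosts on the subnet reply to Victim
    ("192.0.2.11", "198.51.100.7", 0, 1),
    ("192.0.2.12", "198.51.100.7", 0, 1),
    ("192.0.2.10", "198.51.100.7", 0, 2),   # reply to the unicast ping
    ("203.0.113.5", "192.0.2.10", 8, 9),    # unrelated ping and its reply
    ("192.0.2.10", "203.0.113.5", 0, 9),
]

def is_directed_broadcast(dst, nets):
    """True if dst is the broadcast address of one of the given subnets."""
    addr = ipaddress.ip_address(dst)
    # /31 and /32 prefixes have no broadcast address, so skip them.
    return any(n.prefixlen < 31 and addr == n.broadcast_address for n in nets)

def broadcast_requests(packets, nets):
    """Echo requests whose destination is a local subnet broadcast address."""
    return [p for p in packets
            if p[2] == ECHO_REQUEST and is_directed_broadcast(p[1], nets)]

def amplification(packets, nets):
    """Map (claimed source, ICMP id) of each broadcast request to its number of distinct responders."""
    responders = {(src, icmp_id): set()
                  for src, _, _, icmp_id in broadcast_requests(packets, nets)}
    for src, dst, icmp_type, icmp_id in packets:
        if icmp_type == ECHO_REPLY and (dst, icmp_id) in responders:
            responders[(dst, icmp_id)].add(src)
    return {key: len(hosts) for key, hosts in responders.items()}

if __name__ == "__main__":
    for (claimed_src, icmp_id), n in amplification(PACKETS, LOCAL_NETS).items():
        print(f"broadcast echo request claiming source {claimed_src} "
              f"(id {icmp_id}): {n} hosts replied to it")
```

The count per request is the amplification the Intermediary's network contributes; the unicast ping from the same source is not flagged because its destination is a host address.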