Security Guide (Supporting ADX v03.1.00) Instruction Manual
Brocade Virtual ADX Security Guide 85
53-1003250-01
Displaying SYN Cookie Information
The show server syn-cookie command displays information about the SYN-ACKs that are sent and
received.
Syntax: show server syn-cookie
DDoS protection
A Distributed Denial of Service (DDoS) attack causes a denial of service to legitimate users by
consuming all or most of the CPU and memory resources on a Brocade Virtual ADX or on the real
servers behind it. The Brocade Virtual ADX protects against well-known DDoS attacks such as the
Xmas-tree attack, SYN fragment, address sweep and others. It prevents these attacks by defining a
filter for each type of attack, coupled with a drop or log action, and binding the filters to an
interface. Every packet on the bound interface that matches a filter is dropped or logged, as
defined in the configuration. Filters can be defined according to a generic rule, as shown in
“Configuring a Generic Rule” on page 86, or applied from the built-in rules described in Table 10,
Table 12, Table 13 and Table 14. Filters are applied to IPv4 and IPv6 traffic where appropriate.
The following sections describe how to configure a security filter, define rules within a security filter
and bind a security filter to an interface.
• “Configuring a security filter” on page 86
• “Configuring a Generic Rule” on page 86
• “Configuring a rule for common attack types” on page 87
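The filter model described above (a rule names an attack type and an action, a security filter groups rules, the filter is bound to an interface, and matching packets are dropped or logged) as an added example in Python. This is not Brocade code and not Virtual ADX configuration syntax. The attack signatures (Xmas-tree as FIN, PSH and URG set together; SYN fragment as a SYN carried in an IP fragment; address sweep as one source reaching a threshold of distinct destinations), the first-match-wins ordering and the rule that a logged packet is still forwarded are assumptions of the example; the guide names the attack types but does not say how the Virtual ADX recognises them.

```python
"""Added example (not Brocade code): a model of the security-filter semantics
described above. A rule names an attack type and an action, drop or log; a
security filter groups rules; the filter is bound to an interface; every packet
on that interface is checked, and a match is dropped or logged."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    proto: str = "tcp"
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN"}
    fragment: bool = False           # True when the packet is an IP fragment


# Attack signatures are assumptions of this example; the guide lists the attack
# types but does not say how the Virtual ADX recognises them.
XMAS_FLAGS = frozenset({"FIN", "PSH", "URG"})


def is_xmas_tree(pkt, state):
    return pkt.proto == "tcp" and XMAS_FLAGS <= pkt.flags


def is_syn_fragment(pkt, state):
    return pkt.proto == "tcp" and pkt.fragment and "SYN" in pkt.flags


def is_address_sweep(pkt, state, threshold=3):
    # One source reaching `threshold` distinct destinations on the interface.
    seen = state.setdefault(("sweep", pkt.iface, pkt.src), set())
    seen.add(pkt.dst)
    return len(seen) >= threshold


RULES = {
    "xmas-tree": is_xmas_tree,
    "syn-fragment": is_syn_fragment,
    "address-sweep": is_address_sweep,
}


@dataclass
class SecurityFilter:
    name: str
    rules: list   # (rule_name, action) pairs; action is "drop" or "log"


class Interface:
    def __init__(self, name):
        self.name = name
        self.filters = []
        self.state = {}                 # per-interface state for stateful rules
        self.log = []
        self.counters = defaultdict(int)

    def bind(self, sec_filter):
        self.filters.append(sec_filter)

    def process(self, pkt):
        """Return the verdict: "drop", "log" (logged and forwarded) or "forward".
        Rules are evaluated in order and the first match decides (assumption)."""
        for sec_filter in self.filters:
            for rule_name, action in sec_filter.rules:
                if RULES[rule_name](pkt, self.state):
                    self.counters[action] += 1
                    if action == "log":
                        self.log.append(
                            f"{self.name}: {sec_filter.name} rule {rule_name} "
                            f"matched {pkt.src} -> {pkt.dst}")
                    return action
        self.counters["forward"] += 1
        return "forward"


def run_sample():
    """Constructed traffic (not captured data) against one bound filter."""
    eth = Interface("ethernet 1")
    eth.bind(SecurityFilter("ddos-filter", [
        ("xmas-tree", "drop"),
        ("syn-fragment", "drop"),
        ("address-sweep", "log"),
    ]))
    syn = frozenset({"SYN"})
    packets = [
        Packet("ethernet 1", "203.0.113.5", "192.0.2.10", flags=syn),                 # ordinary SYN
        Packet("ethernet 1", "203.0.113.5", "192.0.2.10", flags=XMAS_FLAGS),          # Xmas-tree
        Packet("ethernet 1", "203.0.113.6", "192.0.2.11", flags=syn, fragment=True),  # SYN fragment
        Packet("ethernet 1", "203.0.113.7", "192.0.2.1", flags=syn),                  # sweep, 1st dst
        Packet("ethernet 1", "203.0.113.7", "192.0.2.2", flags=syn),                  # sweep, 2nd dst
        Packet("ethernet 1", "203.0.113.7", "192.0.2.3", flags=syn),                  # sweep, 3rd dst
    ]
    verdicts = [eth.process(p) for p in packets]
    return verdicts, dict(eth.counters), eth.log


if __name__ == "__main__":
    for item in run_sample():
        print(item)
```

Running the sample forwards the ordinary SYN and the first two sweep probes, drops the Xmas-tree packet and the SYN fragment, and logs (but still forwards) the third probe from the sweeping source; the per-action counters on the interface are the kind of numbers an operator would watch after binding a filter.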
TABLE 8 Output Descriptions for show server syn-cookie
Field                   Description
CPU SYNs rcvd
CPU SYN-ACKs sent
CPU Valid ACKs rcvd
Invalid ACKs rcvd       Number of invalid ACKs received from the client.
ACL passed              Number of ACL lookups that the Brocade Virtual ADX passed.
ACL failed              Number of ACL lookups that the Brocade Virtual ADX denied.
Frags allowed           Number of fragmented packets allowed.
Frags dropped           Number of fragmented packets dropped.
ACK without data dro
Invalid vport
Virtual ADX#show server syn-cookie
CPU SYNs processed : 0
CPU SYN-ACKs sent : 0
CPU Valid ACKs rcvd : 0
Invalid ACKs rcvd : 0
ACL passed : 0 ACL failed : 0
Frags allowed : 0 Frags dropped : 0
ACK without data dro : 0
Invalid vport : 0
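The counters above are cumulative, so a monitor has to diff two snapshots and then judge the result. As an added example (not from the guide and not Brocade code), the following Python parses the text of show server syn-cookie into a dictionary, computes the delta between two snapshots, and flags the pattern a spoofed-source SYN flood leaves when SYN cookies are in use: many SYN-ACKs sent, few valid ACKs returned. The idle sample is the output shown above; the busy snapshot, the 0.5 completion threshold and the field names used by assess are constructed assumptions of the example.

```python
"""Added example (not Brocade code): parse `show server syn-cookie` output into
counters and derive a simple health reading from two cumulative snapshots."""
import re

# The sample output shown on this page (all counters idle).
SAMPLE_OUTPUT = """\
CPU SYNs processed : 0
CPU SYN-ACKs sent : 0
CPU Valid ACKs rcvd : 0
Invalid ACKs rcvd : 0
ACL passed : 0 ACL failed : 0
Frags allowed : 0 Frags dropped : 0
ACK without data dro : 0
Invalid vport : 0
"""

# A constructed snapshot (not real device output): many SYN-ACKs sent but few
# valid ACKs coming back, which is what spoofed SYNs look like under SYN cookies.
BUSY_OUTPUT = """\
CPU SYNs processed : 120000
CPU SYN-ACKs sent : 120000
CPU Valid ACKs rcvd : 900
Invalid ACKs rcvd : 4000
ACL passed : 118000 ACL failed : 2000
Frags allowed : 0 Frags dropped : 30
ACK without data dro : 50
Invalid vport : 12
"""

# Field names are letters, digits, spaces and hyphens; some lines carry two
# "name : value" pairs, so findall is used rather than one match per line.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(\d+)")


def parse_syn_cookie(text):
    """Return {field_name: int} for every 'name : value' pair in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def delta(previous, current):
    """Per-field difference between two cumulative snapshots."""
    return {k: current.get(k, 0) - previous.get(k, 0) for k in current}


def assess(counters, floor=0.5):
    """Classify a snapshot (or a delta) by the share of SYN-ACKs that completed.

    Returns (status, completion_ratio). `floor` is an assumed threshold for
    this example, not a value recommended by the guide.
    """
    sent = counters.get("CPU SYN-ACKs sent", 0)
    valid = counters.get("CPU Valid ACKs rcvd", 0)
    if sent == 0:
        return "idle", None
    ratio = valid / sent
    status = "normal" if ratio >= floor else "possible SYN flood"
    return status, ratio


if __name__ == "__main__":
    before = parse_syn_cookie(SAMPLE_OUTPUT)
    after = parse_syn_cookie(BUSY_OUTPUT)
    change = delta(before, after)
    print(change)
    print(assess(before), assess(change))
```

A low completion ratio on its own is a prompt to look further, not proof of an attack: a large Invalid ACKs rcvd or ACK without data delta in the same interval, or a jump in ACL failed, gives the operator corroborating counters from the same command.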