
List:       foundry-nsp
Subject:    Re: [f-nsp] DoS max-conns setting on ServerIron
From:       "Jamie Dahl" <jamied () meatball ! net>
Date:       2007-02-07 5:00:56
Message-ID: 4137.172.19.68.3.1170824456.squirrel () mail ! meatball ! net

are you running in DSR mode?

IF you're running in INLINE mode, set up syn-proxy *syn cookie protection*
and set that on the inbound interface.

example

ip tcp syn-proxy 10  (wait no more than 10 seconds for a response to the
Syn-ACK)

int x/x
  ip tcp syn-proxy in


Also another global setting you can use (and this is global, not for a
single source host)

you can setup the following options as well:
SLB-telnet@switch(config)#ip tcp
  burst-normal       Number of packets per second in normal burst mode
  conn-rate
  conn-rate-change
  keepalive          TCP keep alive timer configuration
  syn-proxy          enable syn proxy on system
  tcp-security       Enable TCP security described in
                     draft-ietf-tcpm-tcpsecure-00.txt
  trans-rate         enable transaction rate limiting on the system
OR
SLB-telnet@switch(config)#ip icmp
  burst-normal   Number of packets per second in normal burst mode
  trans-rate     enable transaction rate limiting on the system


I WILL CAVEAT THE FOLLOWING..

These do not work correctly in 9.3.x as we've seen those commands have
some to little effect on a high rate syn attack against some of our VIPS
(> 200kpps against a single IP), but the effect we'd hope for.  If you are
running 9.4.x your mileage may be better.  Also 9.4 has a few more TCP
options that can be tweaked as well for better syn/dos protection.

Also those commands work best in INLINE mode and not DSR.

anyway good luck

On Tue, February 6, 2007 11:02, pablo Estavio wrote:
> Hello,
>
> Does anyone know if the ServerIron (chassis, not XL) can limit the
> max-connection (not rate of connections) from a single client IP address?
> We are trying to devise a way to limit total connections on a client IP
> address basis so that a client cannot open many http connections to a
> single server.
>
> Thanks,
>
> Pablo
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>


-- 
Jamie Dahl

"Thousands of tired, nerve-shaken, over-civilized people are beginning to
find out that going to the mountains is going home; that wilderness is a
necessity; and that mountain parks and reservations are useful not only as
fountains of timber and irrigating rivers, but as fountains of life."
--John Muir


_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
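The syn-proxy / SYN-cookie protection Jamie recommends works by answering every SYN with a SYN-ACK whose sequence number is a cookie, and creating state only when a client's ACK proves it received that cookie within the timeout window. The following Python model is an added example written for this archive page; it is not code from the thread, from Foundry, or from any ServerIron firmware. The secret key, the MSS table, the 10-second counter period (chosen to mirror the `ip tcp syn-proxy 10` timeout), and all IP addresses and timestamps are constructed for the demonstration.

```python
"""SYN-cookie model of a SYN proxy: stateless SYN-ACKs, state only after a valid ACK.

Cookie layout (32-bit ISN), following the classic Bernstein scheme:
  top 5 bits   - coarse time counter (mod 32)
  next 3 bits  - index into a small MSS table
  low 24 bits  - keyed hash of the connection 4-tuple, client ISN and counter
"""
import hashlib
import hmac

SECRET = b"constructed-demo-key"      # constructed; a real device uses a random per-boot key
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values that fit in the 3-bit field
COUNTER_PERIOD = 10                   # seconds per counter tick (constructed; mirrors the 10 s timeout)
MAX_AGE_TICKS = 1                     # accept cookies from the current and the previous tick
MASK32 = 0xFFFFFFFF


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """24-bit keyed hash binding the cookie to this flow and time tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}:{client_isn}:{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Build the SYN-ACK sequence number for an incoming SYN; nothing is stored."""
    tick = int(now // COUNTER_PERIOD)
    fits = [i for i, v in enumerate(MSS_TABLE) if v <= mss]
    idx = fits[-1] if fits else 0     # largest table MSS not exceeding the client's offer
    return ((tick & 0x1F) << 27) | (idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)


def validate_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Return the negotiated MSS if (seq, ack) completes a handshake for a fresh cookie, else None."""
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    stored_tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    cur_tick = int(now // COUNTER_PERIOD)
    age = (cur_tick - stored_tick) & 0x1F          # ticks elapsed, modulo the 5-bit counter
    if age > MAX_AGE_TICKS:
        return None                                # stale or replayed: outside the timeout window
    tick = cur_tick - age                          # reconstruct the full counter used at SYN time
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, tick)
    if (cookie & 0xFFFFFF) != expected:
        return None                                # forged ACK: hash does not match
    return MSS_TABLE[idx]


class SynProxy:
    """Minimal inline SYN proxy for one VIP: answers SYNs statelessly, admits only cookie-valid ACKs."""

    def __init__(self, vip, vport):
        self.vip, self.vport = vip, vport
        self.established = {}    # (client_ip, client_port) -> MSS; only filled after a valid ACK

    def on_syn(self, src_ip, src_port, client_isn, mss, now):
        # The SYN-ACK's ISN is the cookie; no per-connection state is allocated here.
        return make_cookie(src_ip, src_port, self.vip, self.vport, client_isn, mss, now)

    def on_ack(self, src_ip, src_port, seq, ack, now):
        mss = validate_ack(src_ip, src_port, self.vip, self.vport, seq, ack, now)
        if mss is None:
            return False         # drop; nothing is forwarded to the real server
        self.established[(src_ip, src_port)] = mss
        return True


def demo():
    """Flood of half-open SYNs leaves no state; only a completed handshake is admitted."""
    proxy = SynProxy("192.0.2.10", 80)              # constructed VIP
    now = 1_170_824_456                             # constructed epoch timestamp
    # 20,000 SYNs from spoofed sources that never answer the SYN-ACK.
    for i in range(20000):
        proxy.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 0x1000 + i, 1460, now)
    state_after_flood = len(proxy.established)
    # A legitimate client completes the handshake 3 seconds later.
    cookie = proxy.on_syn("198.51.100.7", 40000, 0xABCDEF, 1460, now)
    legit = proxy.on_ack("198.51.100.7", 40000, 0xABCDEF + 1, (cookie + 1) & MASK32, now + 3)
    # The same client tries to finish a second handshake 40 seconds after its SYN: past the window.
    late = proxy.on_syn("198.51.100.7", 40001, 0x123456, 1400, now)
    stale = proxy.on_ack("198.51.100.7", 40001, 0x123456 + 1, (late + 1) & MASK32, now + 40)
    # A forged ACK with a guessed acknowledgement number.
    forged = proxy.on_ack("203.0.113.5", 5555, 1, 2, now)
    return {
        "state_after_flood": state_after_flood,
        "legit_accepted": legit,
        "stale_rejected": not stale,
        "forged_rejected": not forged,
        "negotiated_mss": proxy.established.get(("198.51.100.7", 40000)),
    }


if __name__ == "__main__":
    print(demo())
```

The model is deliberately small: a real syn-proxy also has to rewrite sequence numbers toward the back-end server after admitting the client, which is why the mail notes it works in INLINE mode and not in DSR, where the return path bypasses the ServerIron entirely.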