List: foundry-nsp
Subject: Re: [f-nsp] DoS max-conns setting on ServerIron
From: "Jamie Dahl" <jamied () meatball ! net>
Date: 2007-02-07 5:00:56
Message-ID: 4137.172.19.68.3.1170824456.squirrel () mail ! meatball ! net
Are you running in DSR mode?
If you're running in INLINE mode, set up syn-proxy (SYN cookie protection)
and apply it on the inbound interface.
Example:
ip tcp syn-proxy 10 (wait no more than 10 seconds for a response to the
SYN-ACK)
int x/x
ip tcp syn-proxy in
There are also other global settings you can use (and these are global, not for a
single source host). You can set up the following options as well:
SLB-telnet@switch(config)#ip tcp
burst-normal Number of packets per second in normal burst mode
conn-rate
conn-rate-change
keepalive TCP keep alive timer configuration
syn-proxy enable syn proxy on system
tcp-security Enable TCP security described in
draft-ietf-tcpm-tcpsecure-00.txt
trans-rate enable transaction rate limiting on the system
OR
SLB-telnet@switch(config)#ip icmp
burst-normal Number of packets per second in normal burst mode
trans-rate enable transaction rate limiting on the system
I WILL CAVEAT THE FOLLOWING..
These do not work correctly in 9.3.x: we've seen those commands have
some, but little, effect on a high-rate SYN attack against some of our VIPs
(> 200 kpps against a single IP), and not the effect we'd hoped for. If you are
running 9.4.x your mileage may be better. 9.4 also has a few more TCP
options that can be tweaked for better SYN/DoS protection.
Also, those commands work best in INLINE mode and not DSR.
Anyway, good luck.
On Tue, February 6, 2007 11:02, pablo Estavio wrote:
> Hello,
>
> Does anyone know if the ServerIron (chassis, not XL) can limit the
> max-connection (not rate of connections) from a single client IP address?
> We are trying to devise a way to limit total connections on a client IP
> address basis so that a client cannot open many http connections to a
> single server.
>
> Thanks,
>
> Pablo
> _______________________________________________
> foundry-nsp mailing list
> foundry-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/foundry-nsp
>
--
Jamie Dahl
"Thousands of tired, nerve-shaken, over-civilized people are beginning to
find out that going to the mountains is going home; that wilderness is a
necessity; and that mountain parks and reservations are useful not only as
fountains of timber and irrigating rivers, but as fountains of life."
--John Muir
_______________________________________________
foundry-nsp mailing list
foundry-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/foundry-nsp
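The reply above recommends syn-proxy with a 10 second wait for the client's ACK. The following is an added example, not code from the thread or from Foundry, that shows the mechanism a SYN proxy relies on: the device answers every SYN with a SYN-ACK whose sequence number is a keyed cookie, stores no per-flow state, and only opens a backend connection once an ACK arrives that carries a valid, unexpired cookie. The cookie layout (8-bit time slot plus 24-bit MAC), the secret, and the addresses are constructed for illustration and are not the ServerIron's actual implementation.

```python
"""Stateless SYN-cookie check, the idea behind "ip tcp syn-proxy <timeout>".

Added example for the foundry-nsp thread; not Foundry code.  The cookie format
below is a teaching simplification, not the device's real algorithm.
"""
import hashlib
import hmac

COOKIE_TIMEOUT = 10  # seconds a SYN-ACK may wait for its ACK (the "10" in the thread)
SECRET = b"constructed-demo-secret"  # constructed; a real device uses a random secret


def _mac24(src, dst, sport, dport, slot):
    """24-bit keyed MAC over the connection 4-tuple and the 8-bit time slot."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, now):
    """Sequence number placed in the proxied SYN-ACK.

    Nothing is stored for the flow: the top 8 bits carry the send time at
    1 s granularity, the low 24 bits a MAC that only the proxy can compute.
    """
    slot = int(now) & 0xFF
    return (slot << 24) | int.from_bytes(_mac24(src, dst, sport, dport, slot), "big")


def check_ack(src, dst, sport, dport, ack_num, now):
    """Validate the client's final ACK of the handshake.

    The client acknowledges cookie + 1, so the cookie is ack_num - 1.  Accept
    only if the embedded slot is no older than COOKIE_TIMEOUT and the MAC
    matches; a wrapped or future slot shows up as a large age and is rejected.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    age = (int(now) - slot) & 0xFF
    if age > COOKIE_TIMEOUT:
        return False
    expected = _mac24(src, dst, sport, dport, slot)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, got)


def simulate():
    """Constructed exchange: prompt ACK, late ACK, corrupted ACK, and a SYN burst."""
    flow = ("192.0.2.10", "203.0.113.5", 40000, 80)  # constructed documentation addresses
    t0 = 1_700_000_000.0
    results = {}
    backend_state = {}  # the proxy creates an entry only after check_ack succeeds

    # 1. Client SYN at t0: proxy replies SYN-ACK with seq = cookie, stores nothing.
    cookie = make_cookie(*flow, t0)
    # 2. Client ACK (ack = cookie + 1) arrives 3 s later: accepted.
    results["prompt_ack"] = check_ack(*flow, cookie + 1, t0 + 3)
    if results["prompt_ack"]:
        backend_state[flow] = "ESTABLISHED"
    # 3. Same ACK replayed 11 s after the SYN-ACK: rejected, past the 10 s window.
    results["late_ack"] = check_ack(*flow, cookie + 1, t0 + 11)
    # 4. ACK with one MAC bit wrong (slot still valid): rejected by the MAC check.
    results["forged_ack"] = check_ack(*flow, (cookie ^ 0x1) + 1, t0 + 1)
    # 5. A burst of spoofed SYNs that are never completed: each gets a SYN-ACK,
    #    none consumes a table entry, so the backend sees only the real client.
    for i in range(10_000):
        make_cookie("198.51.100.7", flow[1], 1024 + (i % 60000), 80, t0)
    results["state_entries"] = len(backend_state)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The timeout check is what the `10` argument governs: a half-open handshake costs the proxy nothing while it waits, and an ACK that arrives after the window is treated like any other stray segment. The per-flow connection cap asked about in the quoted question is a separate mechanism that this example does not model.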