
Cisco SF352-08P Administration Guide

Cisco SF352-08P
762 pages
Security
Denial of Service Prevention
370 Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
17
STEP 7 Click Apply. The Denial of Service prevention Security Suite settings are written to the
Running Configuration file.
SYN Protection
Attackers can use the network ports to launch a SYN attack against the device, which
consumes TCP resources (buffers) and CPU power.
Because the CPU is protected by Secure Core Technology (SCT), TCP traffic to the CPU is
rate-limited. However, if one or more ports are attacked with a high rate of SYN packets,
the attacker's packets use up that limit and the CPU receives only the attacker's packets,
which creates a denial of service.
When the SYN protection feature is used, the CPU counts, per second, the SYN packets
ingressing from each network port to the CPU.
If the count exceeds the user-defined threshold, a deny SYN with MAC-to-me rule is applied
on the port. This rule is unbound from the port every user-defined interval
(SYN Protection Period).
To configure SYN protection:
STEP 1 Click Security > Denial of Service Prevention > SYN Protection.
STEP 2 Enter the parameters.
• Block SYN-FIN Packets—Select to enable the feature. All TCP packets with both
SYN and FIN flags are dropped on all ports.
• SYN Protection Mode—Select one of three modes:
- Disable—The feature is disabled on a specific interface.
- Report—Generates a SYSLOG message. The status of the port is changed to
Attacked when the threshold is passed.
- Block and Report—When a TCP SYN attack is identified, TCP SYN packets
destined for the system are dropped and the status of the port is changed to Blocked.
• SYN Protection Threshold—Number of SYN packets per second before SYN packets
will be blocked (deny SYN with MAC-to-me rule will be applied on the port).
• SYN Protection Period—Time in seconds before unblocking the SYN packets (the
deny SYN with MAC-to-me rule is unbound from the port).
STEP 3 Click Apply. SYN protection is defined, and the Running Configuration file is updated.
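
The following is an added example, not code from the guide or from Cisco firmware: a small model of the per-port behavior described above, useful for seeing how a chosen threshold and period interact before applying them. It assumes the count is evaluated at one-second boundaries, that the deny rule takes effect from the following second, that the idle status is called "Normal", and that a port in Report mode stays in the Attacked status; the traffic values are constructed.

```python
from dataclasses import dataclass, field

DISABLE, REPORT, BLOCK_AND_REPORT = "Disable", "Report", "Block and Report"
# Constructed per-second SYN counts arriving on one port (not captured traffic).
SAMPLE = [20, 30, 500, 500, 500, 500, 500, 500, 25, 20]

@dataclass
class PortSynGuard:
    mode: str
    threshold: int        # SYN Protection Threshold, SYN packets per second
    period: int           # SYN Protection Period, seconds the deny rule stays bound
    status: str = "Normal"            # "Normal" is an assumed name for the idle state
    unblock_at: int = -1
    events: list = field(default_factory=list)   # stand-in for SYSLOG messages

    def tick(self, second, syn_count):
        """Handle one second of SYNs to the CPU; return how many get through."""
        if self.mode == DISABLE:
            return syn_count
        if self.status == "Blocked":
            if second < self.unblock_at:
                return 0              # rule bound: all SYNs dropped, nothing counted
            self.status = "Normal"    # period elapsed: rule unbound, counting resumes
            self.events.append((second, "unblocked"))
        if syn_count > self.threshold:
            if self.mode == REPORT:
                if self.status != "Attacked":
                    self.events.append((second, "attacked"))
                self.status = "Attacked"
            else:
                self.status = "Blocked"
                self.unblock_at = second + 1 + self.period
                self.events.append((second, "blocked"))
        return syn_count

def simulate(mode, threshold, period, per_second_syns):
    guard = PortSynGuard(mode, threshold, period)
    delivered = [guard.tick(s, n) for s, n in enumerate(per_second_syns)]
    return guard, delivered

if __name__ == "__main__":
    for mode in (DISABLE, REPORT, BLOCK_AND_REPORT):
        guard, delivered = simulate(mode, threshold=80, period=3, per_second_syns=SAMPLE)
        print(f"{mode:16} {delivered} status={guard.status} events={guard.events}")
```

With this input in Block and Report mode, the rule is unbound while the flood is still running, so one second of SYN packets reaches the CPU before the port is blocked again. The two quiet seconds at the end are also dropped, because the second block has not yet expired.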
