DoS-Protect Implementation Issue...

We are facing some issues with a TCP SYN flood in our network. Now we are trying to implement DoS-Protect to prevent this.

We have enabled DoS-Protect on the Extreme switch. But we are not getting any logs related to DoS-Protect.

But we have checked the port utilization on the flooded ports. It shows 100% bandwidth utilization. But no logs related to DoS-Protect.

Please help us resolve this issue.
Thavamani Shanmugam

Posted 2 years ago

André Herkenrath, Employee

Which switch is it?
Which software is it running?
Can you post the part of the config that is related to DoS-Protect?

BR
André
Henrique, Employee

Hi Thavamani, DoS-Protect is not based on port utilization. It's based on the amount of pps processed by the switch CPU.

Maybe you should decrease the default values for DoS threshold.

You can find the command in the link below:

http://documentation.extremenetworks.com/exos_commands_16/exos_16_2/exos_commands_all/r_configure-do... 

Another option to check the amount of pps for specific traffic is through CLEAR-Flow.

Please see an example in the article below:

https://gtacknowledge.extremenetworks.com/articles/How_To/Using-clear-flow-to-log-when-there-is-mali...

You can find other options to use in the CLEAR-Flow rule in the EXOS User Guide (that's for EXOS 16.2, but you can download the User Guide for your EXOS version):

http://documentation.extremenetworks.com/exos_16/EXOS_16_2/Preface/c_introduction.shtml
Erik Auerswald, Embassador

Hi Thavamani,

The DoS-Protect feature of EXOS is intended to protect the EXOS switch itself from DoS attacks. It cannot be used to protect (other devices in) the network.

To protect other devices, you could look into CLEAR-Flow, as written above by Henrique.

I assume you are using EXOS-based switches, as EOS calls its "DoS Protect" feature "HostDOS".

Best regards,
Erik
Thavamani Shanmugam

Sir,

Sorry for the delayed response. Now I am clear about DoS-Protect.
So we are moving to the CLEAR-Flow option. We are trying to create a policy file to deny SYN floods.

Please check the file below. We are getting an error while adding it to the access list. Actually, what we need is to count the SYN packets and drop the SYN packets if they exceed the specified level.

# ACL rule: match every TCP SYN and count it in the "syndeny" counter.
entry syndeny {
    if {
        protocol TCP;
        TCP-Flags SYN;
    }
    then {
        count syndeny;
    }
}

# CLEAR-Flow rule: evaluate the counter every second; if more than 3000 SYNs
# were counted in that period, switch the "syndeny" ACL rule to deny.
entry deny_notify {
    if match all {
        delta syndeny > 3000;
        period 1;
    }
    then {
        # The CLEAR-Flow deny action needs the name of the ACL rule to change.
        deny syndeny;
    }
}

But it is showing an error. I am a beginner at writing policy files. Please help me resolve the issue.
Grosjean, Stephane, Employee

# ACL rule: count every TCP SYN in the "tcpsyncounter" counter.
entry tcpSynFloodacl {
    if {
        protocol TCP;
        tcp-flags SYN;
    }
    then {
        count tcpsyncounter;
    }
}

# TCP SYN Flood CLEAR-Flow rules.
entry tcpSynFloodflowMAX {
    if {
        delta tcpsyncounter > 100000;
        period 2;
        hysteresis 99000;
    }
    then {
        syslog "TCP SYN FLOOD traffic exceeded Maximum Threshold, clearFlow rule $ruleName, applying rate limit for $policyName on VLAN $vlanName" WARN;
        qosprofile tcpSynFloodacl QP3;
    }
    else {
        syslog "TCP SYN FLOOD traffic dropped below Maximum Threshold, clearFlow rule $ruleName, removing rate limit for $policyName on VLAN $vlanName" WARN;
        qosprofile tcpSynFloodacl QP1;
    }
}

entry tcpSynFloodflowMin {
    if {
        delta tcpsyncounter > 1000;
        period 2;
        hysteresis 900;
    }
    then {
        syslog "TCP SYN FLOOD traffic exceeded Minimum Threshold, clearFlow rule $ruleName, mirroring traffic for $policyName on VLAN $vlanName" WARN;
        mirror add tcpSynFloodacl;
    }
    else {
        syslog "TCP SYN FLOOD traffic dropped below Minimum Threshold, clearFlow rule $ruleName, removing mirror from $policyName on VLAN $vlanName" WARN;
        mirror delete tcpSynFloodacl;
    }
}
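To make the delta / period / hysteresis semantics behind Henrique's threshold advice and Stephane's two CLEAR-Flow rules concrete, here is an added simulation (example code written for this page, not part of the thread and not Extreme's code). It assumes the usual reading of those keywords: the rule becomes true when the counter's increase over one `period` exceeds the threshold, and, once true, stays true until the delta falls to the threshold minus the hysteresis value; the then/else actions run only on a state change. The counter samples are constructed for illustration.

```python
"""Simulate a CLEAR-Flow 'delta <counter> > N; period P; hysteresis H;' rule.

Assumed semantics (not verified against the EXOS source):
  - every `period` seconds the rule reads the ACL counter and computes
    delta = counter_now - counter_one_period_ago
  - rule false -> true  when delta > threshold
  - rule true  -> false when delta <= threshold - hysteresis
  - 'then' actions run on false->true, 'else' actions on true->false
"""
from dataclasses import dataclass
from itertools import accumulate


@dataclass
class DeltaRule:
    name: str
    threshold: int   # the N in 'delta counter > N'
    period: int      # seconds between evaluations
    hysteresis: int  # holds the rule true until delta <= threshold - hysteresis
    triggered: bool = False

    def evaluate(self, delta: int) -> bool:
        """Update and return the rule state for one evaluation."""
        if self.triggered:
            # Already firing: need to drop below the lower (hysteresis) bound to clear.
            self.triggered = delta > self.threshold - self.hysteresis
        else:
            self.triggered = delta > self.threshold
        return self.triggered


def run_rule(rule: DeltaRule, counter_samples: list[int]) -> list[tuple[int, int, bool]]:
    """Evaluate `rule` against a list of counter values read once per second.

    Returns one (time, delta, state) tuple per evaluation, i.e. at every
    multiple of rule.period.
    """
    events = []
    for t in range(rule.period, len(counter_samples), rule.period):
        delta = counter_samples[t] - counter_samples[t - rule.period]
        events.append((t, delta, rule.evaluate(delta)))
    return events


def transitions(events: list[tuple[int, int, bool]]) -> list[tuple[int, str]]:
    """Return (time, 'then'|'else') for every state change, i.e. the moments
    the syslog / qosprofile / mirror actions in the rule would execute."""
    out = []
    prev = False  # a rule starts out not triggered
    for t, _, state in events:
        if state != prev:
            out.append((t, "then" if state else "else"))
        prev = state
    return out


# Constructed sample: SYN packets per second seen by the ACL, then the cumulative
# counter value a switch would expose (starts at 0, one reading per second).
SAMPLE_RATES = [100, 100, 800, 800, 300, 300, 60, 40, 30, 30]
SAMPLE_COUNTER = [0] + list(accumulate(SAMPLE_RATES))


def compare_hysteresis() -> dict[str, list[tuple[int, str]]]:
    """Run the 'Min' rule from the thread with and without hysteresis."""
    with_hyst = DeltaRule("tcpSynFloodflowMin", threshold=1000, period=2, hysteresis=900)
    no_hyst = DeltaRule("tcpSynFloodflowMin-nohyst", threshold=1000, period=2, hysteresis=0)
    return {
        "hysteresis 900": transitions(run_rule(with_hyst, SAMPLE_COUNTER)),
        "hysteresis 0": transitions(run_rule(no_hyst, SAMPLE_COUNTER)),
    }


if __name__ == "__main__":
    for label, changes in compare_hysteresis().items():
        print(f"{label}: {changes}")
```

With the sample burst, both variants fire the `then` branch (mirror add) at t=4 when the 2-second delta reaches 1600 SYNs. Without hysteresis the rule clears at t=6 as soon as the delta (600) is back under 1000, so the mirror is removed while the burst is still tailing off; with `hysteresis 900` it stays set until the delta is at or below 100, clearing at t=8. That is the point of the large hysteresis values in the MAX rule (100000 / 99000): the rate limit is applied once and not flapped on and off every two seconds while the flood hovers around the threshold.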