topic RE: DoS-Protect Implementation Issue... in ExtremeSwitching (EXOS/Switch Engine)

DoS-Protect Implementation Issue...

Thavamani_Shanm — Thu, 01 Sep 2016 12:39:00 GMT

We are facing some issue with TCP Synflood in our Network. Now we are trying to implement DoS-Protect to prevent this.

We have enabled the DoS-Protect in Extreme Switch. But, we are not getting any logs related to DoS-Protect.

But, We have check the Port Utilization in flooded ports. It shows 100% bandwidth utilisation. But, No logs related to DoS-Protect.

Please help us resolve this issue.

RE: DoS-Protect Implementation Issue...

André_Herkenrat — Thu, 01 Sep 2016 13:23:00 GMT

Which Switch is it ?
Which Software is it running ?
Can you post the part of the config that is related to DoS-Protect ?

BR
André

RE: DoS-Protect Implementation Issue...

Henrique — Thu, 01 Sep 2016 17:32:00 GMT

Hi Thavamani, DoS Protect is not based on port utilization. It's based on amount os pps processed by switch CPU.

Maybe you should decrease the default values for DoS threshold.

You can find the command in the link below:

http://documentation.extremenetworks.com/exos_commands_16/exos_16_2/exos_commands_all/r_configure-do...

Another option to check the amount os pps for specific traffic is through Clear-Flow.

Please see an example in the article below:

https://gtacknowledge.extremenetworks.com/articles/How_To/Using-clear-flow-to-log-when-there-is-mali...

You can find other options to use in the Clear-Flow rule in EXOS User Guide (that's for EXOS 16.2, but you can download the User Guide based on your EXOS version):

http://documentation.extremenetworks.com/exos_16/EXOS_16_2/Preface/c_introduction.shtml

RE: DoS-Protect Implementation Issue...

Erik_Auerswald — Thu, 01 Sep 2016 18:37:00 GMT

Hi Thavamani,

the DoS Protect feature of EXOS is intended to protect the EXOS switch itself from DoS attacks. It cannot be used to protect (other devices in) the network.

To protect other devices, you could look into clear flow, as written above by Henrique.

I assume you are using EXOS based switches, as the EOS calls its "DoS Protect" feature "HostDOS".

Best regards,
Erik

RE: DoS-Protect Implementation Issue...

Thavamani_Shanm — Sun, 16 Oct 2016 12:41:00 GMT

Sir,

Sorry for the delayed response. Now, I have cleared in dos-protect.
So, We are moving to clear-flow option. We are trying to create a policy file to deny syn floods.

Please check the below file. We are getting error while adding to the access list. Actually our need is, going to count the syn packets and planned to drop the syn if more than the specified level.

entry syndeny {
if {
protocol TCP;
TCP-Flags SYN;
}
then {
count syndeny;
}
}
entry deny_notifiy{
if match all{
delta syndeny >3000
period 1;
}
then {
deny;
}
}

But, It showing error. I am a beginner to write a Policy file. Please help me resolve the issue.

RE: DoS-Protect Implementation Issue...

Stephane_Grosj1 — Sun, 16 Oct 2016 13:31:00 GMT

entry tcpSynFloodacl {
if {
protocol TCP;
tcp-flags SYN;
}
then {
count tcpsyncounter;
}
}

# TCP SYN Flood CLEAR-Floow rules.
entry tcpSynFloodflowMAX {
if {
delta tcpsyncounter > 100000;
period 2;
hysteresis 99000;
}
then {
syslog "TCP SYN FLOOD traffic exceeded Maximum Threshold, clearFlow rule $ruleName, applying rate limit for $policyName on VLAN $vlanName" WARN;
qosprofile tcpSynFloodacl QP3;
}
else {
syslog "TCP SYN FLOOD traffic dropped below Maximum Threshold, clearFlow rule $ruleName, removing rate limit for $policyName on VLAN $vlanName" WARN;
qosprofile tcpSynFloodacl QP1;
}
}

entry tcpSynFloodflowMin {
if {
delta tcpsyncounter > 1000;
period 2;
hysteresis 900;
}
then {
syslog "TCP SYN FLOOD traffic exceeded Minimum Threshold, clearFlow rule $ruleName, mirroring traffic for $policyName on VLAN $vlanName" WARN;
mirror add tcpSynFloodacl;
}
else {
syslog "TCP SYN FLOOD traffic dropped below Minimum Threshold, clearFlow rule $ruleName, removing mirror from $policyName on VLAN $vlanName" WARN;
mirror delete tcpSynFloodacl;
}
}