HostDos not functioning as expected on Enterasys/Extreme S6 Model
06-29-2017 12:58 PM
I enabled HostDos on the S6 chassis switch to drop SYN flood packets over a 1000 pps threshold, but these packets still bypass the switch, as they hit the firewall LAN interface (I am running the SYN flood test locally). I checked the logs and there were no hits in the HostDos stats menu for SynFlood. Please, I need insights into this. What could be wrong? I set the threshold on the firewall to 1200 pps and I confirmed the S6 was blacklisted, as the SYN packets received were over 1200 pps, which tells me the S6 did not drop those packets when it got hit by them.
Thank you for your time.
06-29-2017 01:35 PM
Thanks Erik!
06-29-2017 01:35 PM
You would need to classify the traffic on TCP flags and then apply a rate limiter. I do not think this is supported on the S-Series.
Another problem is that the classification above matches any TCP SYN packet and does not separate by source IP. That would limit the number of connections per second to the server, not just SYN floods.
Routers, firewalls or other security appliances implementing SYN flood protection in software are a better solution than using a switch. The switch is supposed to deliver all the traffic at line rate...
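The distinction drawn above (a SYN-flag classifier with one shared rate limiter versus one that keys on source IP) can be shown on a constructed packet trace. The following is an added example and not code from the thread or from the S-Series; it assumes a fixed one-second counting window, a 1000 pps threshold as in the original question, and addresses from the RFC 5737 documentation ranges, all of which are constructed for illustration.

```python
"""Aggregate vs per-source SYN rate limiting over a constructed packet trace.

Added example for illustration; it is not vendor code and models a simple
fixed-window counter, not any particular switch or firewall implementation.
"""
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte.
SYN = 0x02
ACK = 0x10

FLOOD_SRC = "203.0.113.9"                                   # constructed attacker address
LEGIT_SRCS = ["198.51.100.%d" % i for i in range(1, 6)]     # constructed legitimate clients


def is_syn_only(flags):
    """True for a pure connection request: SYN set, ACK clear."""
    return bool(flags & SYN) and not (flags & ACK)


def make_trace(flood_pps=3000, legit_pps=50, seconds=2):
    """Build a constructed trace of (timestamp, src_ip, flags) records.

    One source floods pure SYNs at flood_pps; each legitimate client opens
    legit_pps connections per second and follows each SYN with an ACK, which
    is what a completed handshake looks like from the client side.
    """
    trace = []
    for s in range(seconds):
        for k in range(flood_pps):
            trace.append((s + k / flood_pps, FLOOD_SRC, SYN))
        for ip in LEGIT_SRCS:
            for k in range(legit_pps):
                t = s + k / legit_pps
                trace.append((t, ip, SYN))
                trace.append((t + 0.001, ip, ACK))
    trace.sort()
    return trace


def rate_limit(trace, threshold_pps, per_source):
    """Apply a fixed one-second-window SYN limiter to the trace.

    With per_source=False every SYN shares a single counter (the classifier
    described in the reply above); with per_source=True each source IP gets
    its own counter. Non-SYN packets are always forwarded.
    Returns (forwarded, dropped), each a dict of src_ip -> packet count.
    """
    counts = defaultdict(int)
    forwarded = defaultdict(int)
    dropped = defaultdict(int)
    for ts, src, flags in trace:
        if not is_syn_only(flags):
            forwarded[src] += 1
            continue
        key = (int(ts), src if per_source else "*")
        counts[key] += 1
        if counts[key] > threshold_pps:
            dropped[src] += 1
        else:
            forwarded[src] += 1
    return dict(forwarded), dict(dropped)


def legit_drops(dropped):
    """Total SYNs dropped from the legitimate clients (collateral damage)."""
    return sum(dropped.get(ip, 0) for ip in LEGIT_SRCS)


if __name__ == "__main__":
    trace = make_trace()
    for per_source in (False, True):
        fwd, drp = rate_limit(trace, 1000, per_source)
        print("per_source=%s flood dropped=%d legit dropped=%d"
              % (per_source, drp.get(FLOOD_SRC, 0), legit_drops(drp)))
```

With the shared counter, the flooding source fills the 1000 pps budget early in each second and every later connection attempt from the legitimate clients is dropped too; with per-source counters only the flooding source is throttled and the legitimate clients lose nothing. A real implementation would also need state that scales to many sources and a window that does not reset abruptly, which is part of why the reply points to firewalls and security appliances for this job.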
06-29-2017 01:35 PM
Okay. Thank you for clarifying that. Is there any way to get around this though?
06-29-2017 01:35 PM
Hi,
the HostDoS feature protects against attacks targeted at the switch itself only, not against attacks passing through the switch towards another target.
Thanks,
Erik
06-29-2017 01:35 PM
Thank you for your response. I did not quite follow what you mean by "host complex". Could you elaborate on that? Thanks.
