This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

DoS-Protect Implementation Issue...

DoS-Protect Implementation Issue...

Thavamani_Shanm
New Contributor III

‎09-01-2016 05:39 AM

We are facing some issue with TCP Synflood in our Network. Now we are trying to implement DoS-Protect to prevent this.

We have enabled the DoS-Protect in Extreme Switch. But, we are not getting any logs related to DoS-Protect.

But, We have check the Port Utilization in flooded ports. It shows 100% bandwidth utilisation. But, No logs related to DoS-Protect.

Please help us resolve this issue.
0 Kudos
5 REPLIES 5

Stephane_Grosj1
Extreme Employee

‎10-16-2016 06:31 AM

entry tcpSynFloodacl {
if {
protocol TCP;
tcp-flags SYN;
}
then {
count tcpsyncounter;
}
}

# TCP SYN Flood CLEAR-Floow rules.
entry tcpSynFloodflowMAX {
if {
delta tcpsyncounter > 100000;
period 2;
hysteresis 99000;
}
then {
syslog "TCP SYN FLOOD traffic exceeded Maximum Threshold, clearFlow rule $ruleName, applying rate limit for $policyName on VLAN $vlanName" WARN;
qosprofile tcpSynFloodacl QP3;
}
else {
syslog "TCP SYN FLOOD traffic dropped below Maximum Threshold, clearFlow rule $ruleName, removing rate limit for $policyName on VLAN $vlanName" WARN;
qosprofile tcpSynFloodacl QP1;
}
}

entry tcpSynFloodflowMin {
if {
delta tcpsyncounter > 1000;
period 2;
hysteresis 900;
}
then {
syslog "TCP SYN FLOOD traffic exceeded Minimum Threshold, clearFlow rule $ruleName, mirroring traffic for $policyName on VLAN $vlanName" WARN;
mirror add tcpSynFloodacl;
}
else {
syslog "TCP SYN FLOOD traffic dropped below Minimum Threshold, clearFlow rule $ruleName, removing mirror from $policyName on VLAN $vlanName" WARN;
mirror delete tcpSynFloodacl;
}
}
0 Kudos

Thavamani_Shanm
New Contributor III

‎10-16-2016 05:41 AM

Sir,

Sorry for the delayed response. Now, I have cleared in dos-protect.
So, We are moving to clear-flow option. We are trying to create a policy file to deny syn floods.

Please check the below file. We are getting error while adding to the access list. Actually our need is, going to count the syn packets and planned to drop the syn if more than the specified level.

entry syndeny {
if {
protocol TCP;
TCP-Flags SYN;
}
then {
count syndeny;
}
}
entry deny_notifiy{
if match all{
delta syndeny >3000
period 1;
}
then {
deny;
}
}

But, It showing error. I am a beginner to write a Policy file. Please help me resolve the issue.
0 Kudos

Erik_Auerswald
Contributor II

‎09-01-2016 11:37 AM

Hi Thavamani,

the DoS Protect feature of EXOS is intended to protect the EXOS switch itself from DoS attacks. It cannot be used to protect (other devices in) the network.

To protect other devices, you could look into clear flow, as written above by Henrique.

I assume you are using EXOS based switches, as the EOS calls its "DoS Protect" feature "HostDOS".

Best regards,
Erik
0 Kudos

Henrique
Extreme Employee

‎09-01-2016 10:32 AM

Hi Thavamani, DoS Protect is not based on port utilization. It's based on amount os pps processed by switch CPU.

Maybe you should decrease the default values for DoS threshold.

You can find the command in the link below:

http://documentation.extremenetworks.com/exos_commands_16/exos_16_2/exos_commands_all/r_configure-do...

Another option to check the amount os pps for specific traffic is through Clear-Flow.

Please see an example in the article below:

https://gtacknowledge.extremenetworks.com/articles/How_To/Using-clear-flow-to-log-when-there-is-mali...

You can find other options to use in the Clear-Flow rule in EXOS User Guide (that's for EXOS 16.2, but you can download the User Guide based on your EXOS version):

http://documentation.extremenetworks.com/exos_16/EXOS_16_2/Preface/c_introduction.shtml
0 Kudos
GTM-P2G8KFN