This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: X670 dos-protection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
X670 dos-protection
X670 dos-protection
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-05-2015 12:33 PM
Hi, as far as I see X670 have a denial of service protection that can be enabled in the config. We are using some x670's in a ERPS-ring withswitching/VLANS (nothing fancy). Some ports on the x670's are used for aggregation from our access plattform, would we gain any form of DDOS protection from enabeling this on those the uplink-ports?
Do anyone use dos-protection in a similar way?
Do anyone use dos-protection in a similar way?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-11-2016 09:47 AM
Yes we enabled it globally.
I have disabled it now so I do not have any config at the moment.
(15.6.3.1 patch1-5)
I have disabled it now so I do not have any config at the moment.
(15.6.3.1 patch1-5)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-11-2016 09:34 AM
Hi Nobel,
could you clarify if you had enabled anomaly-protection globally?
the output of "show configuration ipsecurity" could help.
Thanks
could you clarify if you had enabled anomaly-protection globally?
the output of "show configuration ipsecurity" could help.
Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-10-2016 01:33 PM
Tested anomaly-protection simply by "enable ip-security anomaly-detection", as a result of that L2TP-tunnels stoped working, have anyone heard of a similar issue?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-05-2015 01:56 PM
Nobel, DoS Protection protects the switch's CPU from attacks. Is that what you are looking for?
I may be wrong but It seems to me that you are trying to prevent the ring from propagating DoS attacks and this feature will not help you in doing that.
There's another security feature in the X670 chipset (also present in many other Summit switches) that is often overlooked: Protocol Anomaly Detection.
From the EXOS User Guide v16.1, pag 957:
Protocol Anomaly Protection
The Extreme chipsets contain built-in hardware protocol checkers that support port security features for security applications, such as stateless DoS protection.
The protocol checkers allow users to drop the packets based on the following conditions, which are checked for ingress packets prior to the L2/L3 entry table:
• SIP = DIP for IPv4/IPv6 packets.
• TCP_SYN Flag = 0 for Ipv4/Ipv6 packets
• TCP Packets with control flags = 0 and sequence number = 0 for Ipv4/Ipv6 packets
• TCP Packets with FIN, URG & PSH bits set & seq. number = 0 for Ipv4/Ipv6 packets
• TCP Packets with SYN & FIN bits are set for Ipv4/Ipv6 packets
• TCP Source Port number = TCP Destination Port number for Ipv4/Ipv6 packets
• First TCP fragment does not have the full TCP header (less than 20 bytes) for Ipv4/Ipv6 packets
• TCP header has fragment offset value as 1 for Ipv4/Ipv6 packets
• UDP Source Port number = UDP Destination Port number for Ipv4/Ipv6 packets
• CMP ping packets payload is larger than programmed value of ICMP max size for Ipv4/Ipv6 packets
• Fragmented ICMP packets for Ipv4/Ipv6 packets
The protocol anomaly detection security functionality is supported by a set of anomaly-protection enable, disable, configure, clear, and show CLI commands. For further details, see the ExtremeXOS Command Reference Guide.
Search for anomaly-protection in the EXOS Command Reference to find the commands needed to enable and configure it.
If you enable this, the chipset will discard any traffic entering the switch that presents any of the protocol anomalies configured. Since many of these anomalies are used in exploits, removing them effectively stops the attack.
I may be wrong but It seems to me that you are trying to prevent the ring from propagating DoS attacks and this feature will not help you in doing that.
There's another security feature in the X670 chipset (also present in many other Summit switches) that is often overlooked: Protocol Anomaly Detection.
From the EXOS User Guide v16.1, pag 957:
Protocol Anomaly Protection
The Extreme chipsets contain built-in hardware protocol checkers that support port security features for security applications, such as stateless DoS protection.
The protocol checkers allow users to drop the packets based on the following conditions, which are checked for ingress packets prior to the L2/L3 entry table:
• SIP = DIP for IPv4/IPv6 packets.
• TCP_SYN Flag = 0 for Ipv4/Ipv6 packets
• TCP Packets with control flags = 0 and sequence number = 0 for Ipv4/Ipv6 packets
• TCP Packets with FIN, URG & PSH bits set & seq. number = 0 for Ipv4/Ipv6 packets
• TCP Packets with SYN & FIN bits are set for Ipv4/Ipv6 packets
• TCP Source Port number = TCP Destination Port number for Ipv4/Ipv6 packets
• First TCP fragment does not have the full TCP header (less than 20 bytes) for Ipv4/Ipv6 packets
• TCP header has fragment offset value as 1 for Ipv4/Ipv6 packets
• UDP Source Port number = UDP Destination Port number for Ipv4/Ipv6 packets
• CMP ping packets payload is larger than programmed value of ICMP max size for Ipv4/Ipv6 packets
• Fragmented ICMP packets for Ipv4/Ipv6 packets
The protocol anomaly detection security functionality is supported by a set of anomaly-protection enable, disable, configure, clear, and show CLI commands. For further details, see the ExtremeXOS Command Reference Guide.
Search for anomaly-protection in the EXOS Command Reference to find the commands needed to enable and configure it.
If you enable this, the chipset will discard any traffic entering the switch that presents any of the protocol anomalies configured. Since many of these anomalies are used in exploits, removing them effectively stops the attack.
