ACE 30 Load Balancer - Syncookies

alessandropilati78 · ‎12-17-2013

Good morning to all.

I'm enabling a syncookie protection on a Cisco ACE 30 Load Balancer.

I set the value to XX = sum( synbacklog queues of 4 webservers ) * 0.7

so we have the theshold set to 70% of total syn manageable by all webservers

I understood that when the trigger XX is reached ( on the ACE ), this one doesn't forward the Syns to webservers, but it holds in buffer and starts to send syncookie in the SynAck response, holding all embryonic connections subsequent the value of XX.

Questions are the following:

1) How much time it waits for the ACK, after sent the synack ( with syncookie inside ) before it drop the connection.

It makes also synack retries ?

2) How much embrionyc connections ACE can hold ( after value XX is overflowed ) ?

The question is particulary important in the case of synflood attack, to not have the risk of fulfill the "synbacklog queue" ( a linux concept ) on the ACE.

Thank you to all in advance!

Kind regards,

Alessandro

Kanwaljeet Singh · ‎12-17-2013

Hi Alessandro,

Please read below (especially in bold for answers). Let me know if that doesn't answer your questions.

The ACE allows you to protect it and the servers and other hosts in the data center from SYN flood attacks by configuring SYN-cookie-based DoS protection for TCP connections. You configure an embryonic connection threshold, beyond which the ACE applies SYN cookie protection.

When the configured embryonic connection threshold is reached, the ACE intercepts the next SYN packet from a client. The ACE responds to the SYN with a SYN-ACK using a sequence number that is the actual SYN cookie value. The SYN cookie consists of the following:

•A 32-bit timer that increases every 64 seconds.

•An encoding of the client MSS, which the ACE forwards to the server.

•An ACE-selected secret that is calculated from the 4-tuple (source IP address, source port, destination IP address, and destination port) and the timer value.

Normally, if the SYN queue fills up, the ACE drops additional connection requests. If the SYN queue fills up on the ACE with SYN cookies enabled, the ACE continues to service a client request normally by sending a SYN-ACK to the requesting client as if the SYN queue was actually larger. The ACE uses the calculated SYN cookie value as the sequence number (n) and discards the SYN queue entry.

When it receives an ACK (sequence number = n+1) from the client, the ACE verifies the validity of the secret and the SYN cookie value for a recent value of the SYN cookie timer. If the secret or the sequence number is not valid, the ACE drops the packet. If the secret and the sequence number are valid, the ACE rebuilds the SYN queue entry based on the encoded MSS and the ACK from the client. At this point, the connection process proceeds normally; the ACE sends the newly built SYN to the server and establishes the back-end TCP connection.

So i guess if the ACK never comes from client it never bothers but i am not sure what does ACE do with the calculated SYN cookie value and where it stores it and after how much time it discards it. May be it uses the standard embroynic time out connection.

When you configure SYN cookie protection, the ACE calculates the internal embryonic connection threshold value for each network processor (NP) as configured_threshold ÷ 2 (fractions are disregarded). Therefore, you may occasionally observe that SYN cookie protection is applied before the embryonic connection count reaches the configured threshold value. For example, suppose that you configure a threshold value of 4. Because the threshold value is divided by two internally for each NP, the internally calculated threshold is 2. After two incomplete connection attempts (SYNs) are sent to the same NP, the ACE activates SYN cookie protection and intercepts the third SYN going to that NP.