10-26-2010 08:34 AM
Hi,
For SYN cookie:
syn-cookie number
The number is the embryonic connection threshold above which the ACE applies SYN-cookie DoS protection. Enter an integer from 1 to 65535.
What is a suggested value for this number? What can be used to judge a reasonable value?
Thanks
Guan
10-30-2010 04:23 PM
There is no general answer to this question and you have to take into account several factors:
1) If you are doing L4 load-balancing, the ACE forwards the SYN immediately to the real server. In this scenario you should know how much beating your real servers can take. The syn-cookie threshold should be lower than what the individual serverfarm can handle. The secondary resource that is attacked here is the ACE L4 connection number capacity, which is 4M.
One more thing to understand here is that when the ACE goes into SYN-cookie mode, L7 performance limits are applied. So instead of 300+K cps it can handle ~125K cps.
2) If you are doing L7 LB, the ACE will not forward anything to the real server until it sees the first L7 segment, which will be used to make a load-balancing decision. Therefore, in this scenario the resource that is attacked is the ACE L7 connection number capacity, which is 500K.
3) However, the most important thing that applies to both 1 and 2 is what your baseline is and what embryonic connection number should be considered an anomaly. It is important not to overdo it, so for this you would need to track your system a bit, determine the max embryonic connection number under normal conditions, and set the syn-cookie threshold reasonably above it.
I hope this provides some guidance.
11-04-2010 09:25 AM
Dear Ivan,
Thanks a lot for the reply; somehow I was not notified by email...
So how do you determine the max embryonic connections under normal operations?
show conn?
Thanks
Guan
11-04-2010 11:40 AM
cdn-ace-1/Admin# sh syn
Interface vlan499
Configured TCP Embryonic Connection Limit: 0
Current number of Embryonic Connections: 0
Number of TCP Syns Intercepted by SYN COOKIE: 0
Number of TCP Acks Successfully Processed by SYN COOKIE: 0
Failed Number of TCP Acks Processed by SYN COOKIE: 0
Interface vlan500
Configured TCP Embryonic Connection Limit: 0
Current number of Embryonic Connections: 0
Number of TCP Syns Intercepted by SYN COOKIE: 0
Number of TCP Acks Successfully Processed by SYN COOKIE: 0
Failed Number of TCP Acks Processed by SYN COOKIE: 0
Interface vlan666
Configured TCP Embryonic Connection Limit: 0
Current number of Embryonic Connections: 0
Number of TCP Syns Intercepted by SYN COOKIE: 0
Number of TCP Acks Successfully Processed by SYN COOKIE: 0
Failed Number of TCP Acks Processed by SYN COOKIE: 0
11-04-2010 11:20 PM
Dear Ivan,
Here is my output:
Interface vlan2045
Configured TCP Embryonic Connection Limit: 4096
Current number of Embryonic Connections: 0
Number of TCP Syns Intercepted by SYN COOKIE: 0
Number of TCP Acks Successfully Processed by SYN COOKIE: 0
Failed Number of TCP Acks Processed by SYN COOKIE: 61
This is still a test environment, but I already start to see failed ACKs. Does this mean the SYN cookies have kicked in already for some reason?
From the above, say the number of embryonic connections at max is about 20000; I will set it to 25000 then.
Cheers
Guan
11-11-2010 01:04 PM
It doesn't look like the SYN COOKIE was triggered, but on the other hand this output doesn't make much sense. The last two counters should sum to the third counter, "Number of TCP Syns Intercepted by SYN COOKIE". Your output might indicate incorrect behavior or a cosmetic counter inconsistency.
Is this something that is ongoing all the time, or did it happen in the past and it is now not increasing? Have you noticed any problems with TCP session establishment? If the last counter is increasing all the time, can you reset all counters with "clear syn-cookie vlan 2045" and check if it continues to increase?
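Ivan's advice above (poll the box, find the peak embryonic connection count under normal load, set the threshold reasonably above it, and keep it below what the real servers can hold), together with his sanity check on the counters in the last reply, can be turned into a small script that parses repeated "show syn-cookie" listings. This is an added example written for this thread, not ACE software or anything posted by the participants; the listings it parses are constructed to match the format of the "sh syn" output shown earlier, and the 25% headroom mirrors Guan's 20000 -> 25000 rule of thumb.

```python
"""Baseline embryonic connections from repeated 'show syn-cookie' listings
and derive a syn-cookie threshold with headroom (added example, not ACE code)."""
import math
import re
from collections import defaultdict

IFACE_RE = re.compile(r"^Interface\s+(\S+)\s*$")
FIELD_RE = re.compile(r"^(.*?):\s*(\d+)\s*$")

# Counter labels exactly as the ACE prints them, mapped to short keys.
FIELDS = {
    "Configured TCP Embryonic Connection Limit": "limit",
    "Current number of Embryonic Connections": "embryonic",
    "Number of TCP Syns Intercepted by SYN COOKIE": "syns",
    "Number of TCP Acks Successfully Processed by SYN COOKIE": "acks_ok",
    "Failed Number of TCP Acks Processed by SYN COOKIE": "acks_failed",
}


def parse_show_syn(text):
    """Parse one 'show syn-cookie' listing into {interface: {key: int}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current and m.group(1).strip() in FIELDS:
            result[current][FIELDS[m.group(1).strip()]] = int(m.group(2))
    return result


def peak_embryonic(listings):
    """Highest 'Current number of Embryonic Connections' per interface across
    all listings; poll through a full business cycle to get a real baseline."""
    peaks = defaultdict(int)
    for text in listings:
        for iface, f in parse_show_syn(text).items():
            peaks[iface] = max(peaks[iface], f.get("embryonic", 0))
    return dict(peaks)


def recommend_threshold(peak, headroom=0.25, server_limit=None):
    """Observed peak plus headroom, capped by what the real servers can hold
    (Ivan's point 1), clamped to the CLI's accepted range of 1..65535."""
    proposed = math.ceil(peak * (1 + headroom))
    if server_limit is not None:
        proposed = min(proposed, server_limit)
    return max(1, min(65535, proposed))


def counter_anomalies(text):
    """Ivan's sanity check: the two ACK counters cannot exceed the SYNs the
    feature intercepted. Returns (interface, reason) for each violation."""
    findings = []
    for iface, f in parse_show_syn(text).items():
        acks = f.get("acks_ok", 0) + f.get("acks_failed", 0)
        syns = f.get("syns", 0)
        if acks > syns:
            findings.append((iface, f"{acks} ACKs counted against {syns} intercepted SYNs"))
    return findings


def listing(iface, embryonic, limit=4096, syns=0, acks_ok=0, acks_failed=0):
    """Render one interface block in the ACE's 'show syn-cookie' layout
    (used only to build the constructed samples below)."""
    return (
        f"Interface {iface}\n"
        f"Configured TCP Embryonic Connection Limit: {limit}\n"
        f"Current number of Embryonic Connections: {embryonic}\n"
        f"Number of TCP Syns Intercepted by SYN COOKIE: {syns}\n"
        f"Number of TCP Acks Successfully Processed by SYN COOKIE: {acks_ok}\n"
        f"Failed Number of TCP Acks Processed by SYN COOKIE: {acks_failed}\n"
    )


# Constructed: three polls during a normal day, two interfaces per poll.
SAMPLES = [
    listing("vlan2045", 1200) + listing("vlan499", 15),
    listing("vlan2045", 1900) + listing("vlan499", 40),
    listing("vlan2045", 1450) + listing("vlan499", 22),
]
# Same numbers Guan posted: 61 failed ACKs although no SYN was intercepted.
GUAN_OUTPUT = listing("vlan2045", 0, acks_failed=61)

if __name__ == "__main__":
    for iface, peak in sorted(peak_embryonic(SAMPLES).items()):
        print(f"{iface}: peak embryonic {peak}, suggested syn-cookie {recommend_threshold(peak)}")
    for iface, why in counter_anomalies(GUAN_OUTPUT):
        print(f"{iface}: counter inconsistency, {why}")
```

Feed the script every listing you collect (for example from a cron job that runs "show syn-cookie" and saves the output) rather than a single snapshot; a threshold chosen from one quiet sample is the "overdoing it" Ivan warns about. Pass server_limit when, as in Guan's later test, a real server falls over beyond a known number of half-open sessions.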
11-12-2010 12:19 AM
Hi,
It has been increasing since the last output:
Interface vlan2045
Configured TCP Embryonic Connection Limit: 4096
Current number of Embryonic Connections: 0
Number of TCP Syns Intercepted by SYN COOKIE: 0
Number of TCP Acks Successfully Processed by SYN COOKIE: 0
Failed Number of TCP Acks Processed by SYN COOKIE: 93
This is still a test environment. I have cleared the counter and will see if it still increases. As far as I understood, the SYN cookie will only be inserted into the TCP handshake when a certain number of first SYNs is received above the configured value, in this case:
interface vlan 2045
syn-cookie 4096
Thanks
Guan
11-12-2010 12:31 AM
Yes, that is correct. When number of concurrent embryonic connections goes over 4096 the SYN COOKIE feature will handle the TCP handshakes.
12-13-2010 07:56 AM
Hi Ivan,
Here is the result from our test: the server has a kind of unclosed TCP session limit of 1024; anything above this and the server will just die.
So we have it set exactly to 1024 to intercept the TCP session when the number gets above that, which works fine.
The only con we have is that the feature disables all TCP options for the following TCP sessions, which doesn't really introduce any noticeable delay...
Cheers
Guan
12-13-2010 11:21 AM
The ACE removes TCP options if normalization is enabled on the interface (the default setting).
You can allow TCP options with a parameter-map:
cdn-ace-1/ivan(config)# parameter-map type connection TEST
cdn-ace-1/ivan(config-parammap-conn)# tcp-options ?
range Configure TCP options range
selective-ack Configure Selective Ack TCP option
timestamp Configure Timestamp TCP option
window-scale Configure Window scale TCP option
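A complete configuration that uses the parameter-map Ivan points at, as an added example for this thread rather than anything posted by the participants: the parameter-map name TCP_OPTS, the policy-map name CLIENT_VIPS and the choice to allow all three named options are placeholders chosen for the example, and the command syntax follows the ACE configuration guide as I recall it (tcp-options takes allow, clear or drop; the parameter-map is attached with connection advanced-options under a multi-match policy), so verify it against your ACE version before applying it.

```text
! Added example, not from the original post. Names are placeholders.
parameter-map type connection TCP_OPTS
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow

policy-map multi-match CLIENT_VIPS
  class class-default
    connection advanced-options TCP_OPTS

interface vlan 2045
  syn-cookie 4096
  service-policy input CLIENT_VIPS
```

With this in place normalization still runs, but SACK, timestamps and window scaling pass through instead of being stripped; options you do not list keep the default (cleared) behaviour, and "tcp-options range" covers any option kind not named explicitly.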
12-14-2010 04:05 AM
Aha,
ACE is full of surprises.
So this means the ACE will change all TCP initial negotiation to WS = x, which you set in the parameter map?
Which direction, then, I have to find out.
Cheers
Guan