03-14-2002 09:22 AM
Hello,
We have been experiencing large SYN flood attacks (~70K SYN/sec) at one of our ISP clients, which is totally distributed.
I have been told there is a module for the CSS that can handle large SYN attacks, but I cannot find any information on this module.
Does anyone have any info or experience with this, and what happens when you get a SYN attack of 200 or 300K/sec, which is what an OC3 can handle (300K*64*8 = 155Mb/sec)?
The best solution I have seen so far can handle ~30K SYN/sec but is not meant for ISP type connections.
Thanks in advance
Micheal
03-21-2002 11:44 AM
If you get a SYN flood that eats the entire bandwidth of the pipe then your problem is a bandwidth problem more than just too many potentially zombied TCP connections.
I'm sure the CSS cannot handle 200-300K SYNs per second, and even if it did there would be no room in the pipe for any legitimate traffic.
The CSS does protect against SYN floods by terminating any TCP connection that does not include a frame with the ACK bit set after the SYN from the initiator of the connection. This occurs within 15 seconds of the initial SYN being received. In that 15 second time period a burst as large as what you are describing would eat all available flows and the sustained rate would not allow CSS to reclaim them fast enough.
I think I read somewhere there are on the order of 100K flows available per session processor. This gives us a maximum of 400K flows per fully loaded CSS 11800 with the currently shipping software and memory configuration. If you divide this number by 15 seconds you will get the maximum sustained rate CSS could protect against. Also, the 15-second timeout is not configurable.
Hope this helps!
04-02-2002 06:08 AM
Thanks
This helps a lot.
Micheal
03-26-2002 05:11 PM
The CSS had built-in DoS prevention for a range of well known attacks. For SYN floods, it will ACK the initial SYN but will drop any flows that do not respond to the SYN-ACK after 16 seconds. If the CSS receives 8 consecutive SYNs that are not ACKed from the same source address, it will not set up any more flows from that source, i.e. it will not even respond to the initial SYN request. This is for flow management only though and will not prevent your bandwidth from being chewed up by the inbound SYNs.
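A small model of the two mechanisms described in the replies above, added here as an illustration rather than code from the thread or from the CSS software: `max_sustained_syn_rate` is the flows-divided-by-timeout figure from the second post, `simulate_flood` steps a half-open flow table with a fixed reclaim timeout to show when it fills under a given SYN rate, and `UnackedSynTracker` is the per-source "eight consecutive unanswered SYNs" rule from the last post. The flow count, timeout, SYN rates and the 192.0.2.x source address are assumed or constructed values.

```python
from collections import deque

def max_sustained_syn_rate(flows, timeout_s):
    """Steady SYN rate (per second) a table of `flows` entries can absorb when
    each unanswered half-open flow is reclaimed `timeout_s` seconds after its SYN."""
    return flows / timeout_s

def simulate_flood(flows, timeout_s, syn_rate, duration_s):
    """Step the flow table one second at a time under a constant SYN flood.
    Returns (first second at which the table overflowed, or None; peak occupancy)."""
    pending = deque()          # (expiry_second, flows_created) batches, oldest first
    occupancy = peak = 0
    exhausted_at = None
    for t in range(duration_s):
        while pending and pending[0][0] <= t:   # reclaim flows whose timeout ran out
            occupancy -= pending.popleft()[1]
        accepted = min(syn_rate, flows - occupancy)
        if accepted < syn_rate and exhausted_at is None:
            exhausted_at = t                    # no room left for new SYNs this second
        if accepted > 0:
            pending.append((t + timeout_s, accepted))
            occupancy += accepted
        peak = max(peak, occupancy)
    return exhausted_at, peak

class UnackedSynTracker:
    """Per-source rule from the thread: after `limit` consecutive SYNs that were
    never completed, stop creating flows for that source address at all."""
    def __init__(self, limit=8):
        self.limit = limit
        self.unacked = {}
        self.blocked = set()
    def on_syn(self, src):
        """True if the device should still set up a flow for this SYN."""
        return src not in self.blocked
    def on_ack(self, src):
        self.unacked[src] = 0                   # a completed handshake resets the run
    def on_timeout(self, src):
        """A half-open flow from `src` expired without its ACK."""
        self.unacked[src] = self.unacked.get(src, 0) + 1
        if self.unacked[src] >= self.limit:
            self.blocked.add(src)

if __name__ == "__main__":
    # Assumed figures from the thread: 400K flows on a full CSS 11800, 15 s timeout
    print(max_sustained_syn_rate(400_000, 15))        # ~26667 SYN/sec
    print(simulate_flood(400_000, 15, 70_000, 60))    # table full after 5 s
```

Feeding the 70K SYN/sec rate from the original question into the model shows the table filling within seconds, while 20K SYN/sec settles at a steady 300K occupancy and never overflows.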