Protecting Against Denial-Of-Service Attacks - Cisco Catalyst 6500 Series Configuration Note

Content Switching Module
Multiple default gateways are supported. However, they create a situation where, if the CSM needs to make a routing decision to an unknown destination, the CSM randomly selects one of the gateways without your intervention or control. To control this behavior, use the predictor forward option described in the next paragraph.

There are three situations in which the CSM must make a routing decision:

• Upon receiving a new connection. At this time, the CSM needs to decide where to send the return traffic for that connection. Unlike other devices, the CSM does not perform a route lookup, but memorizes the source MAC address from which the first packet of the connection was received. Return traffic for that connection is sent back to that source MAC address. This behavior also works with redundancy protocols between upstream routers, such as HSRP.

• The CSM is configured in router mode, the servers are pointing to the CSM as their default gateway, and the servers are originating connections.

• A server farm is configured with the predictor forward option (see Chapter 5, "Configuring Real Servers and Server Farms"). This predictor instructs the CSM to route the connection instead of load balancing it.

Note: In the case of multiple gateways, the first two situations can be simplified by using a server farm configured with the gateway as a unique real server. See the example in the "Configuring Source NAT for Server-Originated Connections to the VIP" section on page A-7.

Protecting Against Denial-of-Service Attacks

The CSM implements a variety of features to protect the devices that it is load balancing and to protect itself from a DoS attack. Many of these features cannot be configured because they are controlled by the CSM and adjust to the amount of incoming traffic.

The CSM provides these DoS-protection features:

• SYN cookies

Note: Do not confuse a SYN cookie with synchronization of cookies; these are different features. This discussion refers only to the SYN cookies feature.

When the number of pending connections exceeds a configurable threshold, the CSM begins using the SYN cookies feature, encoding all of the connection state information in the TCP sequence numbers that it generates. This prevents the CSM from consuming any flow state for pending (not fully established) TCP connections. The behavior is fully implemented in hardware and provides good protection against SYN flood attacks.

• Connection pending timeout

This feature is configurable on a per-virtual-server basis and allows you to time out connections that have not been properly established within the configured timeout value, specified in seconds.

• Connection idle timeout

This feature is configurable on a per-virtual-server basis and allows you to time out established connections that have not passed traffic for longer than the configured idle interval.

Catalyst 6500 Series Content Switching Module Configuration Note, OL-4612-01
Chapter 2, Networking with the Content Switching Module, page 2-8
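As an added example, not taken from the configuration note itself, the following CSM configuration ties the two parts of this section together: a catch-all virtual server that handles server-originated connections by forwarding them to a single gateway configured as the only real server (the approach the note above recommends when more than one gateway exists), a second server farm showing the predictor forward alternative, and a VIP with explicit pending and idle timeouts. The slot number, VLAN IDs, addresses, server-farm and vserver names, and the timer values are assumptions chosen for illustration.

```ios
! Added example configuration; slot, VLAN IDs, addresses, names and
! timer values are assumed for illustration.
module ContentSwitchingModule 4
 ! Client-side VLAN: the CSM's own default gateway lives here.
 vlan 20 client
  ip address 192.0.2.2 255.255.255.0
  gateway 192.0.2.1
 !
 ! Server-side VLAN: the real servers use 10.1.1.1 (the CSM) as their
 ! default gateway, so server-originated connections arrive at the CSM.
 vlan 10 server
  ip address 10.1.1.1 255.255.255.0
 !
 ! Gateway pinned as the unique real server: server-originated traffic
 ! that matches no VIP always goes to 192.0.2.1, never to a randomly
 ! chosen gateway. No NAT, so the servers' own addresses are preserved.
 serverfarm GATEWAY-OUT
  no nat server
  no nat client
  real 192.0.2.1
   inservice
 !
 ! Alternative: let the CSM route instead of load balance. With more
 ! than one gateway configured, this is where the random choice occurs.
 serverfarm ROUTE-OUT
  no nat server
  no nat client
  predictor forward
 !
 ! Catch-all virtual server for outbound (server-originated) connections,
 ! accepted only from the server VLAN.
 vserver OUTBOUND
  virtual 0.0.0.0 0.0.0.0 any
  vlan 10
  serverfarm GATEWAY-OUT
  inservice
 !
 ! Load-balanced web servers behind the VIP (server NAT is the default,
 ! so the VIP is rewritten to the selected real server's address).
 serverfarm WEB
  real 10.1.1.11
   inservice
  real 10.1.1.12
   inservice
 !
 vserver WEB-VIP
  virtual 192.0.2.100 tcp www
  serverfarm WEB
  ! Drop half-open (not fully established) connections after 10 seconds.
  pending 10
  ! Reclaim established flows that carry no traffic for 10 minutes.
  idle 600
  inservice
```

The pending and idle values are set per virtual server, so a VIP that fronts long-lived sessions can keep a larger idle timer while a public-facing HTTP VIP runs with short ones. SYN cookies are not configured on the VIP at all; the CSM engages them itself once its pending-connection threshold is crossed, and the pending timeout above only bounds how long a half-open entry survives before that point.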