
New Member

CSS11800 SYN flood protection

Hello,

We have been experiencing large SYN flood attacks (~70k SYN/sec) at one of our ISP clients, which is totally distributed.

I have been told there is a module for the CSS that can handle large SYN attacks, but I cannot find any information on this module.

Does anyone have any info or experience with this, and what happens when you get a SYN attack of 200 or 300K/sec, which is what an OC3 can handle (300K*64*8 = 155Mb/sec)?

The best solution I have seen so far can handle ~30K SYN/sec, but it is not meant for ISP type connections.

Thanks in advance

Micheal

3 REPLIES
Bronze

Re: CSS11800 SYN flood protection

If you get a SYN flood that eats the entire bandwidth of the pipe then your problem is a bandwidth problem more than just too many potentially zombied TCP connections.

I’m sure the CSS cannot handle 200-300K SYNs per second and even if it did there would be no room in the pipe for any legitimate traffic.

The CSS does protect against SYN floods by terminating any TCP connection that does not include a frame with the ACK bit set after the SYN from the initiator of the connection. This occurs within 15 seconds of the initial SYN being received. In that 15 second time period a burst as large as what you are describing would eat all available flows and the sustained rate would not allow CSS to reclaim them fast enough.

I think I read somewhere there are on the order of 100K flows available per session processor. This gives us a maximum of 400K flows per fully loaded CSS 11800 with the currently shipping software and memory configuration. If you divide this number by 15 seconds you will get the maximum sustained rate CSS could protect against. Also, the 15-second timeout is not configurable.

Hope this helps!

New Member

Re: CSS11800 SYN flood protection

Thanks

This helps a lot.

Micheal

New Member

Re: CSS11800 SYN flood protection

The CSS has built-in DoS prevention for a range of well-known attacks. For SYN floods, it will ACK the initial SYN but will drop any flows that do not respond to the SYN-ACK after 16 seconds. If the CSS receives 8 consecutive SYNs that are not ACKed from the same source address, it will not set up any more flows from that source, i.e. it will not even respond to the initial SYN request. This is for flow management only, though, and will not prevent your bandwidth from being chewed up by the inbound SYNs.
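A small model of the flow handling both replies describe, added here as an example (it is not CSS code and was not posted by anyone in the thread): a half-open flow table reclaimed after a fixed timeout, a per-source count of consecutive SYNs that never received their ACK which cuts the source off at the threshold, and the capacity/timeout arithmetic from the first reply. The capacity, timeout and threshold values are the ones quoted above; that the per-source counter advances when a flow expires (rather than when the SYN arrives) is an assumption, and the addresses used are constructed test values.

```python
"""Added model of the CSS half-open flow handling described in the thread
(constructed example, not CSS firmware or anything posted by the authors)."""
from collections import OrderedDict


def max_sustained_syn_rate(flows, timeout_s):
    """SYN/s the table can absorb when each half-open flow is only reclaimed
    after timeout_s (the first reply's 400K flows / 15 s arithmetic)."""
    return flows / timeout_s


class HalfOpenTable:
    def __init__(self, capacity, timeout_s, max_unacked_per_src):
        self.capacity = capacity
        self.timeout = timeout_s
        self.max_unacked = max_unacked_per_src
        self.flows = OrderedDict()  # (src, flow_id) -> arrival time of the SYN
        self.unacked = {}           # src -> consecutive SYNs never ACKed
        self.blocked = set()        # sources that reached max_unacked

    def expire(self, now):
        """Reclaim flows whose handshake did not complete within the timeout.
        Assumption: the per-source counter advances when a flow expires."""
        while self.flows:
            (src, _), t0 = next(iter(self.flows.items()))  # oldest SYN first
            if now - t0 < self.timeout:
                break
            self.flows.popitem(last=False)
            self.unacked[src] = self.unacked.get(src, 0) + 1
            if self.unacked[src] >= self.max_unacked:
                self.blocked.add(src)

    def on_syn(self, src, flow_id, now):
        """Decide what happens to an incoming SYN; timestamps must be monotonic."""
        self.expire(now)
        if src in self.blocked:
            return "drop: source blocked"      # no SYN-ACK is sent at all
        if len(self.flows) >= self.capacity:
            return "drop: table full"          # flood outran the timeout reclaim
        self.flows[(src, flow_id)] = now
        return "syn-ack"

    def on_ack(self, src, flow_id):
        """Handshake completed: flow leaves the table, source counter resets."""
        if self.flows.pop((src, flow_id), None) is None:
            return False
        self.unacked[src] = 0
        return True
```

With the thread's numbers, `max_sustained_syn_rate(400_000, 15)` is roughly 26.7K SYN/sec, which is the ceiling the first reply derives and well below the 70K/sec the original poster observed.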
