Options
The question about the DDoS Protection
Posted by fitwate
How to use the parameters(Out-of-sequence packet), Please explain the "Out-of-sequence packet",Thanks.
If we open the DDoS Protection in the Global ,How to view the results after the opening DDoS Protection ?
For example, if the AX2200 to prevent some of the ddos attack, how we view those elements specifically blocked. After opening ddos, what content is blocked
In china,which Ddos protection function is always open?
Thank you very much!
How to use the parameters(Out-of-sequence packet), Please explain the "Out-of-sequence packet",Thanks.
If we open the DDoS Protection in the Global ,How to view the results after the opening DDoS Protection ?
For example, if the AX2200 to prevent some of the ddos attack, how we view those elements specifically blocked. After opening ddos, what content is blocked
In china,which Ddos protection function is always open?
Thank you very much!
0
Comments
Hi Dimitri,
From my point, that parameter is 10 as default value on AX. So I think that means our AX as HTTP proxy we can buffer the max out of sequence packages in one tcp connection. I mean the AX received those packages from client as following.
the bad guy send those packages which is number from 1,3,5,7,9,... until to 25.
AX received all of those packages, then AX keep buffer those pakcages and waiting for the packages of 2,4,6,8, until to 20. Total threshold is 10. if AX find it need retry and waiting for the packages over 10 numbers under one connection. Then AX can drop those buffer packages.
Is it right?
Another point is that parameter means it is total out of sequence packets under one client's IP. No matter how many connections. The AX just retry and waiting for 10 out of sequence packets for One client's IP.
I talked to Eng and my first answer was incorrect and I just removed it (so new users won't be able to see it).
Here is how DDoS Out-of-Sequence works (answer from Simon is actually not correct either):
When DDoS is enabled, DDoS runs first and if the packet is accepted, it is forwarded to the AX TCP stack.
The DDoS Out-of-Sequence option is valid only when the AX proxies the connections (such as on VIP type HTTP, HTTPS, SSL-Proxy, etc but not type TCP).
Step1: AX receives a "SYN" from a client. DDoS Out-of-Sequence checks the sequence number (let's say 100) and sends that packet to the AX TCP stack.
Step2: AX TCP stack sends a "SYN/ACK" to the client.
Step3: Client should send a "ACK" with the sequence number +1 (101 in my example). If that sequence number is not the one expected, the DDoS protection increments the Out-of-Sequence counter for that client IP@ and sends it to the AX TCP stack.
Step4: The AX TCP Stack will resend the "SYN/ACK" to the client and wait for the proper "ACK" from the client. This one should of course never come from a bad guy. So the AX TCP stack will ask again for retransmission but then will time out and remove that session from its TCP Stack.
If the client tries to do this bad behavior in many sessions in parallel, when the DDoS Out-of-Sequence reaches 10 (by default) for that client IP@ any "SYN" packet from that client will be dropped and not forwarded to the AX TCP stack. And this forever up to for 5 minutes with no traffic from that client IP@ (default).
DDoS Out-of-Sequence protection statistics:
CLI: "show slb l4".
DDoS out-of-Sequence configuration:
1: Create a Black-White list "PBSLB1" that will track all clients IP@: "0.0.0.0/0 1"
WebUI: "Config >> Service >> PBSLB" …
CLI: AX(config)# import bw-list PBSLB1 …
Note: You could limit the track on specific subnets only.
2: Bind the AX PBSLB security policies to the bw-list
CLI-only: AX(config)# system pbslb bw-list <list_name>
3 (optional): Change how many Out-of-Sequence packets are accepted (default = 10)
WebUI: "Config >> Service >> Global >> DDoS Protection"
CLI: AX(config)# ip anomaly-drop out-of-sequence <#>
4 (optional): Change after how minutes of inactivity you lock a bad client (default = 5 minutes)
CLI-only: AX(config)# system pbslb timeout <# minutes>
5 (optional): Log on AX IP@ when PBSLB security triggers (defaut disabled)
CLI-only: AX(config)# system pbslb over-limit logging <# minutes>
Note: 1 log entry each N minutes with the # of clients that did cross the policy
6 (optional): Even if the client still does send traffic, AX doesn't drop the packets after the lockout period (default: disable)
CLI-only: AX(config)# system pbslb over-limit lockup <# minutes>
Note: By default a bad client that still initiates traffic but doesn't do any more attacks will be always dropped by the DDoS Out-of-Sequence. Indeed by default DDoS will start accept traffic from that client only after 5 minutes of inactivity (system pbslb timeout).