What Denial of Service attacks does the CSM handle (a) natively and (b) using features in the Catalyst? How does its SYN Flood protection work?
A.
1. The CSM utilizes a timeout for each connection: information for that connection is dropped and memory freed up if it has not completed the TCP setup within that timeout. It’s now fixed at 30 seconds but it will be configurable in the next software release, 2.2(1) in December/January.
2. When the CSM connection table gets close to its maximum capacity (1M simultaneous TCP conns), it aggressively discards older/inactive connections to make room for new/valid ones.
3. You have inherent DoS protection of the real servers, when doing L7 since you’re terminating TCP connections on the CSM and only “good” connections will reach the servers.
4. You can use “connection watermarks”, a feature of the CSM that allows you to set the max number of open simultaneous connections on a server by server basis. When the MAX is reached for a server, no more new connections are sent to that server unless the number of simultaneous open connections drops below a MIN that you can also configure per serve
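As an added model of two of the mechanisms in the answer, the fixed 30-second timeout for half-open connections and the MAX/MIN connection watermarks with their hysteresis, here is example code that is not Cisco's or the CSM's implementation; the class, field and method names are assumptions:

```python
from dataclasses import dataclass, field


@dataclass
class Server:
    """One real server behind the load balancer with connection watermarks (assumed model)."""
    name: str
    max_conns: int          # MAX watermark: refuse new connections at or above this
    min_conns: int          # MIN watermark: accept again only once below this
    open_conns: int = 0
    closed: bool = False    # True while MAX has tripped and the count is not yet below MIN

    def admit(self) -> bool:
        """Decide whether one new connection may be sent to this server."""
        if self.closed:
            if self.open_conns >= self.min_conns:
                return False          # still at or above MIN: keep refusing (hysteresis)
            self.closed = False       # dropped below MIN: reopen the server
        if self.open_conns >= self.max_conns:
            self.closed = True        # MAX reached: stop sending new connections
            return False
        self.open_conns += 1
        return True

    def release(self) -> None:
        self.open_conns = max(0, self.open_conns - 1)   # a connection finished


@dataclass
class EmbryonicTable:
    """Half-open connections (SYN seen, handshake incomplete) with a fixed timeout."""
    timeout: float = 30.0                           # seconds, the value quoted in the answer
    pending: dict = field(default_factory=dict)     # flow key -> time the SYN arrived

    def syn(self, key: str, now: float) -> None:
        self.pending[key] = now

    def established(self, key: str) -> None:
        self.pending.pop(key, None)                 # handshake completed: no longer at risk

    def reap(self, now: float) -> int:
        """Drop every half-open entry older than the timeout; return how many were freed."""
        expired = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in expired:
            del self.pending[k]
        return len(expired)
```

A flood of bare SYNs only ever occupies `EmbryonicTable` entries for `timeout` seconds, while the watermark keeps a server from being handed more work until its open count has fallen all the way below MIN, not merely under MAX.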