F1000 protect virtual machine suffers from SYN flood attack

2023-12-29 15:59:00 Published

Network Topology

VM ----core ------router----internet

Problem Description

The customer found that the VM was sending a huge volume of traffic to the internet, exceeding the bandwidth of the ISP link and causing congestion.


Process Analysis

On inspection, the UIS virtualization platform used by the customer was not at fault, but there was abnormal traffic on the VM.

So we captured packets on the relevant port to examine the traffic in detail.

We found a large volume of SYN flood traffic.

Because the attacker's IP address differs each time, filtering by source IP is not feasible. We therefore decided to use the SYN flood suppression function of the F1000 firewall.

#
 syn-flood detect non-specific
 syn-flood action logging drop
 syn-flood threshold 5000
 syn-flood source-threshold 5000
#

If SYN traffic is still excessive with this setting, the value 5000 can be lowered to 500 or less.



Solution

Configure SYN flood suppression. We finally set the threshold at 500, and the issue was resolved.

#
 syn-flood detect non-specific
 syn-flood action logging drop
 syn-flood threshold 500
 syn-flood source-threshold 500
#
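As an added illustration (not part of the original case and not H3C's code), the following Python script applies the two rules from the configurations above to a packet capture: a per-destination threshold and a per-source threshold, both assumed here to be SYN counts per one-second window, run over a constructed sample. It shows why the per-source threshold alone misses a burst whose source addresses keep changing while the non-specific destination check catches it, and that the initial value of 5000 would not have fired on this burst at all.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds mirror the final configuration on the page:
# "syn-flood threshold 500" (per destination IP) and
# "syn-flood source-threshold 500" (per source IP).
# Assumption: both are counted as SYNs per one-second window.
DST_THRESHOLD = 500
SRC_THRESHOLD = 500


@dataclass(frozen=True)
class Syn:
    ts: float   # capture timestamp in seconds
    src: str    # source IP of the SYN
    dst: str    # destination IP of the SYN


def detect_syn_flood(packets, dst_threshold=DST_THRESHOLD, src_threshold=SRC_THRESHOLD):
    """Bucket SYNs into one-second windows and report every (window, IP) pair
    whose SYN count exceeds the per-destination or per-source threshold.
    Returns a list of (kind, second, ip, count) alerts, kind in {"dst", "src"}."""
    per_dst = defaultdict(Counter)
    per_src = defaultdict(Counter)
    for p in packets:
        sec = int(p.ts)
        per_dst[sec][p.dst] += 1
        per_src[sec][p.src] += 1
    alerts = []
    for sec in sorted(per_dst):
        alerts += [("dst", sec, ip, n) for ip, n in per_dst[sec].items() if n > dst_threshold]
        alerts += [("src", sec, ip, n) for ip, n in per_src[sec].items() if n > src_threshold]
    return alerts


# Constructed sample capture (not from the page): 600 SYNs within one second
# toward a single destination, each from a different source address, followed by
# a benign second of 40 SYNs from one client to the same destination.
DOC_NETS = ["192.0.2", "198.51.100", "203.0.113"]   # RFC 5737 documentation ranges


def constructed_capture():
    target = "203.0.113.250"
    flood = [Syn(10.0 + i / 600, f"{DOC_NETS[i // 200]}.{i % 200 + 1}", target) for i in range(600)]
    benign = [Syn(11.0 + i / 40, "192.0.2.251", target) for i in range(40)]
    return flood + benign


if __name__ == "__main__":
    for kind, sec, ip, n in detect_syn_flood(constructed_capture()):
        print(f"t={sec}s {kind}={ip} syn/s={n} -> over threshold, action: logging drop")
```

Running the script reports only the destination-based alert for the flood second; every individual source stays below the source threshold, which is why the page relies on non-specific detection rather than source filtering.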
