ServerIron ADX Security Guide 133
53-1002440-03
DDoS protection 5
Binding the filter to an interface
For a filter to take effect, it must be bound to an interface. It will then be applied globally to all
interfaces on the ServerIron ADX. To bind a filter to an interface, use the following command:
ServerIronADX(config-if-e1000-1/2)# security apply-filter filter1
Syntax: security apply-filter <filter-name>
The <filter-name> variable specifies the filter that you want to apply on the ServerIron ADX. A maximum
of 10 filters can be bound to a single interface.
Clearing DOS attack statistics
Use clear statistics dos-attack to reset counters for ICMP and TCP SYN packet burst thresholds.
Syntax: clear statistics dos-attack
Clearing all DDOS Filter & Attack Counters
Use security clear all-dos-filter-counters to reset all DDOS Filter and Attack Counters.
Syntax: security clear all-dos-filter-counters
Logging for DoS attacks
Use the show log command to display the logging information and notice the attack type hits:
For each log event that takes place for software rules, the ServerIron ADX sends a syslog message and
an SNMP trap. The system logs once every 1-second period, and only the difference since the previous
entry is logged (not cumulative totals). For example, assume 5 packets are dropped within 1 second.
The system logs 5. Then, 2 packets are dropped during the next second. The system logs 2 (not 7).
Use show security hold:
Use show security net-scan-sessions:
BP # show sec net-scan-sessions <number to be skipped>
IP address                  Attack Type      Number Scanned
10.10.1.101->10.10.1.151    port-scan        1
The number scanned indicates the number of ports that client 10.10.1.101 has accessed on IP
10.10.1.151 (which is the VIP in the example).
Similarly for address-sweep:
BP #show sec net-scan-sessions 0
IP address                  Attack Type      Number Scanned
10.10.1.101                 address-sweep    2
The above example tells you that client 10.10.1.101 has accessed 2 destination IPs in the past 1
monitoring interval.
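The following Python parser is an added example, not part of the Brocade guide: it turns the show sec net-scan-sessions output shown above into records and lists the sources whose Number Scanned value meets a chosen threshold. The function names, the threshold, and the sample text (constructed from the two outputs above) are assumptions.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample: the two outputs shown above, concatenated.
SAMPLE = """\
BP # show sec net-scan-sessions 0
IP address Attack Type Number Scanned
10.10.1.101->10.10.1.151 port-scan 1
BP #show sec net-scan-sessions 0
IP address Attack Type Number Scanned
10.10.1.101 address-sweep 2
"""

class ScanSession(NamedTuple):
    source: str
    target: Optional[str]  # destination IP on "src->dst" rows, otherwise None
    attack_type: str
    scanned: int           # ports (port-scan) or destination IPs (address-sweep)

# Data row: "<src>[-><dst>] <attack type> <count>"; column spacing may vary.
ROW = re.compile(r"^(\S+?)(?:->(\S+))?\s+(port-scan|address-sweep)\s+(\d+)$")

def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_net_scan_sessions(output):
    """Return one ScanSession per data row; prompts, headers and bad rows are skipped."""
    sessions = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, kind, count = m.groups()
        if not _valid_ip(src) or (dst is not None and not _valid_ip(dst)):
            continue
        sessions.append(ScanSession(src, dst, kind, int(count)))
    return sessions

def over_threshold(sessions, min_scanned):
    # min_scanned is a hypothetical alerting threshold chosen by the operator.
    return [s for s in sessions if s.scanned >= min_scanned]

if __name__ == "__main__":
    for s in over_threshold(parse_net_scan_sessions(SAMPLE), 2):
        print(s)
```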