ServerIron ADX Security Guide (53-1002440-03), page 181
Chapter 6: Configuration Examples for SSL Termination and Proxy Modes
Resolution
There are two possible approaches to this problem.
• Turn OFF delayed ACK on the server. To see how to modify or turn off delayed ACK on Windows 2003 servers, go to the following location:
http://support.microsoft.com/default.aspx?scid=kb;en-us;823764
NOTE
This method might not be the most satisfactory, as it involves changing the registry on the servers.
• Turn OFF the Nagle Algorithm on the ServerIron. Bind the TCP profile to the port under the virtual server.
The TCP Nagle Algorithm
The Nagle Algorithm was developed to address the TCP small-packet problem. This problem is typically experienced when an application generates only a few bytes of data at a time. As an example, one byte of user data can produce a 41-byte packet, with 40 bytes of header overhead. This situation is often referred to as the “send-side silly window” syndrome.
The Nagle Algorithm instructs the sender to buffer the data if any unacknowledged data is outstanding. Any data to be sent subsequently is held until the outstanding data is acknowledged or until there is a full packet's worth of data to send. Small amounts of data are thus collected by TCP and sent in a single segment.
Sometimes the Nagle Algorithm needs to be turned OFF. For example, in the X Window System, small messages (such as mouse movements) need to be delivered without any delay to provide real-time feedback for an interactive user.
Delayed TCP ACK
A host that is receiving a stream of TCP data segments can increase efficiency by sending fewer ACKs (acknowledgements) per data segment received, using the TCP delayed ACK mechanism. A TCP should implement delayed ACKs, but no ACK should be excessively delayed. Specifically, the delay MUST be less than 0.5 seconds, and in a stream of full-sized segments there should be an ACK for at least every second segment.
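The stall this section describes, as a constructed Python model added here (it is not from the Brocade manual or ServerIron code): a write-write-read exchange in which Nagle holds the second small segment until an ACK arrives, while the receiver's delayed-ACK timer is holding that very ACK. The 200 ms timer, the 10 ms one-way delay and the 1460-byte MSS are assumptions; the receiver rule follows the page's "ACK for at least every second segment" (RFC 1122).

```python
import heapq

def simulate(writes, nagle, delayed_ack, owd=10, mss=1460, delack=200):
    """Time (ms) at which the last application byte reaches the receiving host.
    writes: (time_ms, nbytes) application writes, each modelled as one segment.
    Nagle holds a sub-mss segment while sent data is unacknowledged; delayed ACK
    makes the receiver ACK only every second segment or when its timer (assumed
    200 ms) fires. owd is the assumed one-way delay. Constructed model, not a trace.
    """
    events = [(t, 0, "write", n) for t, n in writes]  # (time, order, kind, bytes)
    heapq.heapify(events)
    pending, unacked, last_arrival = 0, False, 0  # Nagle buffer, data in flight
    timer_due, segs_since_ack = None, 0           # receiver delayed-ACK state
    def send(t, n):                 # put one segment on the wire
        nonlocal unacked
        unacked = True
        heapq.heappush(events, (t + owd, 1, "arrive", n))

    def ack(t):                     # receiver sends an ACK covering all arrivals
        nonlocal segs_since_ack, timer_due
        segs_since_ack, timer_due = 0, None
        heapq.heappush(events, (t + owd, 1, "ack", 0))

    while events:
        t, _, kind, n = heapq.heappop(events)
        if kind == "write":
            pending += n
            if not (nagle and unacked and pending < mss):
                send(t, pending)
                pending = 0
        elif kind == "arrive":
            last_arrival, segs_since_ack = t, segs_since_ack + 1
            if not delayed_ack or segs_since_ack >= 2:
                ack(t)
            elif timer_due is None:
                timer_due = t + delack
                heapq.heappush(events, (timer_due, 1, "timer", 0))
        elif kind == "timer" and timer_due == t:  # a disarmed timer is ignored
            ack(t)
        elif kind == "ack":
            unacked = False
            if pending:  # the ACK releases the segment Nagle was holding back
                send(t, pending)
                pending = 0
    return last_arrival

def compare(writes=((0, 1), (0, 1))):
    """Completion time for every Nagle / delayed-ACK combination (write-write-read)."""
    return {(nagle, dack): simulate(list(writes), nagle, dack)
            for nagle in (True, False) for dack in (True, False)}
```

With both features on, the two one-byte writes complete only after the delayed-ACK timer expires (230 ms in this model); turning off either feature alone brings that down to 30 ms or 10 ms.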
The following example configures a TCP profile that turns off the delayed ACK and the Nagle Algorithm, and disables the push bit on all outgoing data packets except the last one from a tcp-transmit queue. The TCP profile is then applied to virtual servers.
Creating a TCP Profile
You can disable the following TCP features within a TCP profile: Nagle’s algorithm, the delayed ACK algorithm, and the push bit on all outgoing data packets except the last one from a tcp-transmit queue. The following example creates a TCP profile named "nagleoff" within the General Configuration mode.
ServerIronADX(config)# tcp profile nagleoff
ServerIronADX(config-tcp-profile-nagleoff)# nagle off
ServerIronADX(config-tcp-profile-nagleoff)# delayed-ack off
ServerIronADX(config-tcp-profile-nagleoff)# push-bit off