Manual Chapter : VLAN-based Hardware SYN Cookie Protection

Applies To:


BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0

Overview of VLAN-based hardware SYN cookie protection

What is VLAN-based hardware SYN cookie protection?

On certain F5® FPGA platforms, you can enable hardware SYN cookie protection per VLAN instead of per virtual server.

Configuring SYN cookie protection per VLAN avoids potential collisions within the FPGA programmable hardware. Such collisions can result in the BIG-IP® software handling all SYN cookie protection, causing performance degradation as CPU usage increases beyond normal levels.

Without collisions, hardware and software continue to work collaboratively to mitigate the attack, which ultimately prevents performance degradation on the system.

Configuration overview

If the BIG-IP hardware supports VLAN-based SYN cookie protection, you first configure the feature on one or more individual VLANs. Then you enable a global setting within BIG-IP Local Traffic Manager (LTM), Hardware VLAN SYN Cookie Protection. This global setting enables the feature on all VLANs on which you configured the feature.

In general, the global setting lets you quickly enable or disable the feature on all relevant VLANs at once, rather than requiring you to reconfigure every VLAN each time you want to enable or disable the feature for those VLANs.

When you disable the global Hardware VLAN SYN Cookie Protection setting, the system switches back to enabling SYN Check activation (with SYN cookie protection) on a per-virtual server basis.

Important: On platforms on which the BIG-IP software works collaboratively with FPGA hardware to protect against SYN floods, enabling per-virtual SYN Check™ activation instead of VLAN-based hardware SYN cookie protection could result in performance degradation if FPGA collisions occur.

About configuring hardware VLAN SYN cookie protection

To configure VLAN-based hardware SYN cookie protection, you must configure some settings on each VLAN that you want the BIG-IP® system to protect, and then globally enable the feature within BIG-IP® Local Traffic Manager™ (LTM).

Modifying a VLAN to configure global hardware SYN cookie protection

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You can modify a VLAN to configure hardware SYN cookie protection for that VLAN. You configure hardware SYN cookie protection on a VLAN when you want to protect the VLAN from SYN flood attacks.

  1. On the Main tab, click Network > VLANs.
    The VLAN List screen opens.
  2. In the Name column, click the relevant VLAN name.
    The New VLAN screen opens.
  3. From the Configuration list, select Advanced.
  4. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  5. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM® setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  6. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  7. Click Update.
Hardware SYN cookie protection is now enabled on this VLAN whenever the global Hardware VLAN SYN Cookie Protection setting is enabled within BIG-IP® Local Traffic Manager™ (LTM).
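The trigger rules in steps 5 and 6 (the Global SYN Check Threshold or the Syncache Threshold, whichever is reached first, plus the per-second SYN Flood Rate Limit) can be made concrete by replaying a constructed SYN timeline against them. This is an added example, not F5's implementation: the event format, the `flood()` helper and the Global SYN Check Threshold value are assumptions; the two VLAN defaults are the ones given in the tmsh section of this chapter.

```python
from collections import defaultdict, deque

# Defaults from the tmsh section of this chapter; the global value is assumed.
SYNCACHE_THRESHOLD = 6000           # outstanding SYN packets on one VLAN
SYN_FLOOD_RATE_LIMIT = 1000         # SYN packets per second on one VLAN
GLOBAL_SYN_CHECK_THRESHOLD = 10000  # half-open connections, all VLANs (assumed)


def first_trigger(events, syncache_threshold=SYNCACHE_THRESHOLD,
                  rate_limit=SYN_FLOOD_RATE_LIMIT,
                  global_threshold=GLOBAL_SYN_CHECK_THRESHOLD):
    """Replay (time_s, vlan, kind) events, kind in {'syn', 'ack'}.

    A 'syn' opens a half-open entry on its VLAN; an 'ack' completes one.
    Returns (vlan, reason, time_s) for the first rule that fires, else None.
    """
    outstanding = defaultdict(int)   # half-open entries per VLAN (syncache)
    recent = defaultdict(deque)      # SYN timestamps per VLAN within the last second
    total_half_open = 0              # system-wide count for the global threshold
    for t, vlan, kind in events:
        if kind == 'ack':
            if outstanding[vlan] > 0:
                outstanding[vlan] -= 1
                total_half_open -= 1
            continue
        outstanding[vlan] += 1
        total_half_open += 1
        window = recent[vlan]
        window.append(t)
        while window and t - window[0] >= 1.0:
            window.popleft()
        # Step 5: either threshold fires, whichever is reached first
        if total_half_open >= global_threshold:
            return (vlan, 'global-syn-check-threshold', t)
        if outstanding[vlan] >= syncache_threshold:
            return (vlan, 'syncache-threshold', t)
        # Step 6: SYN rate on this VLAN exceeds the per-second limit
        if len(window) > rate_limit:
            return (vlan, 'syn-flood-rate-limit', t)
    return None


def flood(vlan, count, start=0.0, duration=1.0):
    """Constructed burst: `count` uncompleted SYNs on `vlan`, evenly spread over `duration` s."""
    return [(start + i * duration / count, vlan, 'syn') for i in range(count)]
```

Feeding it a fast burst, a slow sustained flood, and a two-VLAN flood shows each of the three rules firing first in turn, while completed handshakes never trigger any of them.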

Enabling global hardware VLAN SYN cookie protection settings

Before starting this task, make sure you have configured SYN cookie protection on at least one BIG-IP® VLAN.
You can use the Configuration utility to globally enable the hardware VLAN-based SYN cookie feature on all VLANs configured for SYN cookie protection.
  1. On the Main tab, click System > Configuration > Local Traffic > General.
    This shows the settings that you can set globally for BIG-IP® Local Traffic Manager™ (LTM).
  2. In the Properties area of the screen, for the Hardware VLAN SYN Cookie Protection setting, make sure that the check box is selected.
  3. Click Update.

About configuring hardware SYN cookies using tmsh

To configure VLAN-based hardware SYN cookie protection, you use the TMOS Shell (tmsh) to configure some settings on each VLAN that you want the BIG-IP® system to protect. You then globally enable the feature within BIG-IP Local Traffic Manager™ (LTM).

Modifying a VLAN to configure global hardware SYN cookie protection using tmsh

You can use the TMOS Shell (tmsh) to configure the global hardware VLAN SYN cookie settings on a VLAN.

  1. Open the TMOS Shell (tmsh).
    tmsh
  2. Change to the network module.
    net
    The system prompt updates with the module name: user@bigip01(Active)(/Common)(tmos.net)#
  3. View all existing properties for a specified VLAN.
    list vlan <name> all-properties
  4. Enable or disable hardware SYN cookie protection on a specified VLAN.
    modify vlan <name> hardware-syncookie [disabled | enabled]
  5. Configure the number of outstanding SYN packets on the VLAN required to trigger hardware VLAN SYN cookie protection.
    modify vlan <name> syncache-threshold <number>
    The default value is 6000 packets.
  6. Configure a maximum number of SYN flood packets per second to be received on the VLAN before hardware SYN cookie protection is triggered.
    modify vlan <name> syn-flood-rate-limit <number>
    The default value is 1000 packets per second.

Enabling global hardware VLAN SYN cookie protection using tmsh

Before starting this task, make sure you have configured SYN cookie protection on at least one BIG-IP® VLAN.

You can use the TMOS Shell (tmsh) to globally enable or disable the hardware VLAN-based SYN cookie feature on your system.

  1. Open the TMOS Shell (tmsh).
    tmsh
  2. Configure whether to enable global hardware SYN cookies on VLANs.
    modify ltm global-settings connection vlan-syn-cookie [disabled | enabled]

Platform support for hardware SYN cookies

This table lists the platforms that support hardware SYN cookie protection.

Platform name           Platform ID
BIG-IP® 5000 Series     C109
BIG-IP 7000 Series      D110
BIG-IP 10000 Series     D113
BIG-IP 12000 Series     D111
BIG-IP i5000 Series     C119
BIG-IP i7000 Series     C118
BIG-IP i10000 Series    C116
VIPRION® B2100 Blade    A109
VIPRION B2150 Blade     A113
VIPRION B2250 Blade     A112
VIPRION B4300 Blade     A108
VIPRION B4340N Blade    A110
VIPRION B4450 Blade     A114