Application Delivery (ADX)

Contributor
Posts: 24
Registered: 05-04-2009

How do I block traffic to services which do not exist most efficiently?

We had tons of port scans here a few days ago, and it looks like port scans using virtual servers as the destination hit the ServerIron CPUs pretty hard. Is there any way to get rid of this problem? I would like to drop traffic to services which do not exist with the lowest possible impact on the CPU.

Super Contributor
Posts: 316
Registered: 05-01-2009

Re: How do I block traffic to services which do not exist most efficiently?

My suggestion would be to enable "vip-protection":

server virtual vip a.b.c.d

  vip-protection

From the documentation:

VIP protection adds CAM entries for each defined virtual port associated with each VIP. An additional CAM entry
is defined for ICMP traffic destined to each VIP. An entry to drop the traffic is also added in the CAM for each VIP,
which makes sure that traffic destined to any destination port other than the virtual ports is dropped by hardware.

This is protection in hardware - it drops all traffic to non-configured services in hardware. The CPUs are not involved at this point. Is this what you are looking for?

It is also possible to enable this setting globally via:

server vip-protection
