This object controls operation of TCP SYN flood protection.
It is only relevant when the class is configured using established
application classification (see xtmClassApplications).
When set to 'disabled(1)' no TCP SYN flood protection is provided.
When set to 'monitor(2)' the class will reset half open TCP
connections as shown below.
External Net CBQ Internal Host A
============ === ===============
SYN SYN
_____________________________> ___________________________>
Firewall intercepts the SYN to host A, records the
event, and passes the segment.
SYN + ACK SYN + ACK
<____________________________ <___________________________
Firewall intercepts the SYN + ACK to the Internet host
and correlates it to the first SYN segment, noting that
the connection is now 'half open', and passes the segment.
Firewall starts a timer.
Normal Case
___________
ACK ACK
____________________________> ____________________________>
Firewall intercepts the ACK to Host A, and passes the
packet. A ignores the redundant ACK and the connection
is complete. Firewall stops its timer.
SYN Flood Case
______________
RST
____________________________>
Firewall's timer expires before the Internet host's ACK
is received. Firewall resets the connection and deletes
its state information.
When set of 'intervene(3), the class will ACKnowledge half open
TCP connections as shown below.
External Net CBQ Internal Host A
============ === ===============
SYN SYN
_____________________________> ___________________________>
Firewall intercepts the SYN to host A, records the
event, and passes the segment.
SYN + ACK SYN + ACK
<____________________________ <___________________________
Firewall intercepts the SYN + ACK to the Internet host
and correlates it to the first SYN segment, noting that
the connection is now 'half_open', and passes the segment.
ACK
____________________________>
Firewall send an ACK to host A, which moves the connection
out of A's backlog queue. Firewall starts a timer.
Normal Case
___________
ACK ACK
____________________________> ____________________________>
Firewall intercepts the ACK to Host A, and passes the
packet. A ignores the redundant ACK and the connection
is complete. Firewall stops its timer.
SYN Flood Case
______________
RST
____________________________>
Firewall's timer expires before the Internet host's ACK
is received. Firewall resets the connection and deletes
its state information.
Parsed from file xtm.mi2.txt
Company: None
Module: XEDIA-TRAFFIC-MGMT-MIB
This object controls operation of TCP SYN flood protection.
It is only relevant when the class is configured using established
application classification (see xtmClassApplications).
When set to 'disabled(1)' no TCP SYN flood protection is provided.
When set to 'monitor(2)' the class will reset half open TCP
connections as shown below.
External Net CBQ Internal Host A
============ === ===============
SYN SYN
_____________________________> ___________________________>
Firewall intercepts the SYN to host A, records the
event, and passes the segment.
SYN + ACK SYN + ACK
<____________________________ <___________________________
Firewall intercepts the SYN + ACK to the Internet host
and correlates it to the first SYN segment, noting that
the connection is now 'half open', and passes the segment.
Firewall starts a timer.
Normal Case
___________
ACK ACK
____________________________> ____________________________>
Firewall intercepts the ACK to Host A, and passes the
packet. A ignores the redundant ACK and the connection
is complete. Firewall stops its timer.
SYN Flood Case
______________
RST
____________________________>
Firewall's timer expires before the Internet host's ACK
is received. Firewall resets the connection and deletes
its state information.
When set of 'intervene(3), the class will ACKnowledge half open
TCP connections as shown below.
External Net CBQ Internal Host A
============ === ===============
SYN SYN
_____________________________> ___________________________>
Firewall intercepts the SYN to host A, records the
event, and passes the segment.
SYN + ACK SYN + ACK
<____________________________ <___________________________
Firewall intercepts the SYN + ACK to the Internet host
and correlates it to the first SYN segment, noting that
the connection is now 'half_open', and passes the segment.
ACK
____________________________>
Firewall send an ACK to host A, which moves the connection
out of A's backlog queue. Firewall starts a timer.
Normal Case
___________
ACK ACK
____________________________> ____________________________>
Firewall intercepts the ACK to Host A, and passes the
packet. A ignores the redundant ACK and the connection
is complete. Firewall stops its timer.
SYN Flood Case
______________
RST
____________________________>
Firewall's timer expires before the Internet host's ACK
is received. Firewall resets the connection and deletes
its state information.
Parsed from file XEDIA-TRAFFIC-MGMT-MIB.mib
Module: XEDIA-TRAFFIC-MGMT-MIB
Vendor: Xedia Corporation
Module: XEDIA-TRAFFIC-MGMT-MIB
[Automatically extracted from oidview.com]
xtmClassSynProtectMode OBJECT-TYPE SYNTAX INTEGER { disabled(1), monitor(2), intervene(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object controls operation of TCP SYN flood protection. It is only relevant when the class is configured using established application classification (see xtmClassApplications). When set to 'disabled(1)' no TCP SYN flood protection is provided. When set to 'monitor(2)' the class will reset half open TCP connections as shown below. External Net CBQ Internal Host A ============ === =============== SYN SYN _____________________________> ___________________________> Firewall intercepts the SYN to host A, records the event, and passes the segment. SYN + ACK SYN + ACK <____________________________ <___________________________ Firewall intercepts the SYN + ACK to the Internet host and correlates it to the first SYN segment, noting that the connection is now 'half open', and passes the segment. Firewall starts a timer. Normal Case ___________ ACK ACK ____________________________> ____________________________> Firewall intercepts the ACK to Host A, and passes the packet. A ignores the redundant ACK and the connection is complete. Firewall stops its timer. SYN Flood Case ______________ RST ____________________________> Firewall's timer expires before the Internet host's ACK is received. Firewall resets the connection and deletes its state information. When set of 'intervene(3), the class will ACKnowledge half open TCP connections as shown below. External Net CBQ Internal Host A ============ === =============== SYN SYN _____________________________> ___________________________> Firewall intercepts the SYN to host A, records the event, and passes the segment. SYN + ACK SYN + ACK <____________________________ <___________________________ Firewall intercepts the SYN + ACK to the Internet host and correlates it to the first SYN segment, noting that the connection is now 'half_open', and passes the segment. ACK ____________________________> Firewall send an ACK to host A, which moves the connection out of A's backlog queue. Firewall starts a timer. Normal Case ___________ ACK ACK ____________________________> ____________________________> Firewall intercepts the ACK to Host A, and passes the packet. A ignores the redundant ACK and the connection is complete. Firewall stops its timer. SYN Flood Case ______________ RST ____________________________> Firewall's timer expires before the Internet host's ACK is received. Firewall resets the connection and deletes its state information. " DEFVAL { disabled } ::= { xtmClassEntry 63 }
xtmClassSynProtectMode OBJECT-TYPE SYNTAX INTEGER { disabled(1), monitor(2), intervene(3) } MAX-ACCESS read-create STATUS current DESCRIPTION "This object controls operation of TCP SYN flood protection. It is only relevant when the class is configured using established application classification (see xtmClassApplications). When set to 'disabled(1)' no TCP SYN flood protection is provided. When set to 'monitor(2)' the class will reset half open TCP connections as shown below. External Net CBQ Internal Host A ============ === =============== SYN SYN _____________________________> ___________________________> Firewall intercepts the SYN to host A, records the event, and passes the segment. SYN + ACK SYN + ACK <____________________________ <___________________________ Firewall intercepts the SYN + ACK to the Internet host and correlates it to the first SYN segment, noting that the connection is now 'half open', and passes the segment. Firewall starts a timer. Normal Case ___________ ACK ACK ____________________________> ____________________________> Firewall intercepts the ACK to Host A, and passes the packet. A ignores the redundant ACK and the connection is complete. Firewall stops its timer. SYN Flood Case ______________ RST ____________________________> Firewall's timer expires before the Internet host's ACK is received. Firewall resets the connection and deletes its state information. When set of 'intervene(3), the class will ACKnowledge half open TCP connections as shown below. External Net CBQ Internal Host A ============ === =============== SYN SYN _____________________________> ___________________________> Firewall intercepts the SYN to host A, records the event, and passes the segment. SYN + ACK SYN + ACK <____________________________ <___________________________ Firewall intercepts the SYN + ACK to the Internet host and correlates it to the first SYN segment, noting that the connection is now 'half_open', and passes the segment. ACK ____________________________> Firewall send an ACK to host A, which moves the connection out of A's backlog queue. Firewall starts a timer. Normal Case ___________ ACK ACK ____________________________> ____________________________> Firewall intercepts the ACK to Host A, and passes the packet. A ignores the redundant ACK and the connection is complete. Firewall stops its timer. SYN Flood Case ______________ RST ____________________________> Firewall's timer expires before the Internet host's ACK is received. Firewall resets the connection and deletes its state information. " DEFVAL { disabled } ::= { xtmClassEntry 63 }
| OID | Name | Sub children | Sub Nodes Total | Description |
|---|---|---|---|---|
| 1.3.6.1.4.1.838.3.2.1.2.1.1 | xtmClassName | 0 | 0 | A user-defined name for the traffic class. This is the unique identifier for the class within the scope of the interface. For exa… |
| 1.3.6.1.4.1.838.3.2.1.2.1.2 | xtmClassParent | 0 | 0 | Prior to version 2.0, this object has one of the following values: - the value of xtmClassName for the parent class in the hierar… |
| 1.3.6.1.4.1.838.3.2.1.2.1.3 | xtmClassSrcIpAddrStart | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.4 | xtmClassSrcIpAddrEnd | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.5 | xtmClassDestIpAddrStart | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.6 | xtmClassDestIpAddrEnd | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.7 | xtmClassProtocolStart | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.8 | xtmClassProtocolEnd | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.9 | xtmClassSrcPortStart | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.10 | xtmClassSrcPortEnd | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.11 | xtmClassDestPortStart | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.12 | xtmClassDestPortEnd | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.13 | xtmClassRate | 0 | 0 | A fraction of the bandwidth of the root interface to be allocated to this traffic class. Note that specifying 0 bits/second effec… |
| 1.3.6.1.4.1.838.3.2.1.2.1.14 | xtmClassBounded | 0 | 0 | The value of this object is 'true(1)' if the class is bounded (can't 'borrow' bandwidth from its parent class) and 'false(2)' oth… |
| 1.3.6.1.4.1.838.3.2.1.2.1.15 | xtmClassPriority | 0 | 0 | The priority for this class. The smaller the value, the higher the priority. Delay-sensitive flows (such as video or audio) shoul… |
| 1.3.6.1.4.1.838.3.2.1.2.1.16 | xtmClassMaxIdle | 0 | 0 | An upper bound for the average idle time (see the DESCRIPTION of xtmClassStatsIdle). Thus, xtmClassMaxIdle limits the 'credit' gi… |
| 1.3.6.1.4.1.838.3.2.1.2.1.17 | xtmClassOffTime | 0 | 0 | xtmClassOfftime |
| 1.3.6.1.4.1.838.3.2.1.2.1.18 | xtmClassMinIdle | 0 | 0 | The negative lower bound of the average idle. Thus, a negative minidle lets the router 'remember' that a class has recently used … |
| 1.3.6.1.4.1.838.3.2.1.2.1.19 | xtmClassQueueElasticityFactor | 0 | 0 | A factor used to influence whether this traffic class gets a proportionally larger or smaller queue size than other classes. Othe… |
| 1.3.6.1.4.1.838.3.2.1.2.1.20 | xtmClassUnsatisfiedNotifEnable | 0 | 0 | Indicates whether xtmUnsatisfied traps should be generated for this class. By default, this object should have the value 'false(2… |
| 1.3.6.1.4.1.838.3.2.1.2.1.21 | xtmClassHistoryAdmin | 0 | 0 | The CBQ Class object indicating whether the history collection is 'enabled' or 'disabled' for the class. CBQ History collection… |
| 1.3.6.1.4.1.838.3.2.1.2.1.22 | xtmClassOperStatus | 0 | 0 | The actual operational status of the traffic class. The value 'up(1)' means this traffic class is in use, the value 'down(2)' ind… |
| 1.3.6.1.4.1.838.3.2.1.2.1.23 | xtmClassOperMsg | 0 | 0 | The operational message associated with the operational status. The message usually provides additional information that may not… |
| 1.3.6.1.4.1.838.3.2.1.2.1.24 | xtmClassBwUse | 0 | 0 | An indication of whether this traffic class has used its allocated bandwidth (as indicated by xtmClassPercent), has not used its … |
| 1.3.6.1.4.1.838.3.2.1.2.1.25 | xtmClassUnsatisfied | 0 | 0 | An indication of whether this traffic class is 'unsatisfied'. The value of this object is 'true(1)' if it is underLimit and has a… |
| 1.3.6.1.4.1.838.3.2.1.2.1.26 | xtmClassQueueSize | 0 | 0 | The size of the queue associated with this traffic class. This is the maximum number of packets that can be in the queue, not the… |
| 1.3.6.1.4.1.838.3.2.1.2.1.27 | xtmClassRowStatus | 0 | 0 | Traffic classes are created and delected using this object (using the conventions described in RFC1903). |
| 1.3.6.1.4.1.838.3.2.1.2.1.28 | xtmClassMaxRate | 0 | 0 | The maximum bandwidth the class may achieve, including bandwidth allocated to this class, and any bandwidth that may be borrowed.… |
| 1.3.6.1.4.1.838.3.2.1.2.1.29 | xtmClassAutoClass | 0 | 0 | The CBQ Class object indicating whether the automatic child class creation capability is 'enabled' or 'disabled' for the class. E… |
| 1.3.6.1.4.1.838.3.2.1.2.1.30 | xtmClassSaveAutoClassChildren | 0 | 0 | The CBQ Class object which controls the save operation of AutoClass children of this class to Non-Volatile configuration memory. … |
| 1.3.6.1.4.1.838.3.2.1.2.1.31 | xtmClassAutoClassChildBwAlloc | 0 | 0 | The CBQ Class object which controls the allocation of bandwidth to immediate children of AutoClasses. Each dynamically created c… |
| 1.3.6.1.4.1.838.3.2.1.2.1.32 | xtmClassAutoClassChildBounded | 0 | 0 | The CBQ Class object controlling whether the immediate children of an AutoClass should be bounded. Setting this object to true c… |
| 1.3.6.1.4.1.838.3.2.1.2.1.33 | xtmClassAutoClassDepth | 0 | 0 | The CBQ Class object controlling the depth of growth of the sub tree below the AutoClass Parent. For example, setting this objec… |
| 1.3.6.1.4.1.838.3.2.1.2.1.34 | xtmClassAutoClassResolveAddrs | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.35 | xtmClassSrcDomainName | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.36 | xtmClassDestDomainName | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.37 | xtmClassTosValue | 0 | 0 | The CBQ Class object indicating the value that should be written into the IP Header Tos octet for packets that are transmitted fr… |
| 1.3.6.1.4.1.838.3.2.1.2.1.38 | xtmClassTosMask | 0 | 0 | This CBQ Class object is used in conjunction with the xtmClassTosValue object to set the IP Header Tos octet for packets that are… |
| 1.3.6.1.4.1.838.3.2.1.2.1.39 | xtmClassBorrowTosValue | 0 | 0 | The CBQ Class object indicating the value that should be written into the IP Header Tos octet for packets that are transmitted fr… |
| 1.3.6.1.4.1.838.3.2.1.2.1.40 | xtmClassBorrowTosMask | 0 | 0 | This CBQ Class object is used in conjunction with the xtmClassTosValue object to set the IP Header Tos octet for packets that are… |
| 1.3.6.1.4.1.838.3.2.1.2.1.41 | xtmClassClassificationTosStart | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.42 | xtmClassClassificationTosEnd | 0 | 0 | *********************************************************** ** O b s o l e t e ** *********… |
| 1.3.6.1.4.1.838.3.2.1.2.1.43 | xtmClassClassificationTosMask | 0 | 0 | This CBQ Class object is used in conjunction with the xtmClassClassificationTos object to classify packets based on the IP Header… |
| 1.3.6.1.4.1.838.3.2.1.2.1.44 | xtmClassPeerClassificationOrder | 0 | 0 | A positive integer representing the classification order of peers within the classification hierarchy. For example, when creatin… |
| 1.3.6.1.4.1.838.3.2.1.2.1.45 | xtmClassSrcIpAddresses | 0 | 0 | The range of IP source addresses that match this class. An all zeros value means 'any source address'. |
| 1.3.6.1.4.1.838.3.2.1.2.1.46 | xtmClassDestIpAddresses | 0 | 0 | The range of IP destination addresses that match this class. An all zeros value means 'any destination address'. |
| 1.3.6.1.4.1.838.3.2.1.2.1.47 | xtmClassProtocols | 0 | 0 | The range of IP protocols that match this class. The value '0' 'any protocol'. Numeric strings, character strings, and combinatio… |
| 1.3.6.1.4.1.838.3.2.1.2.1.48 | xtmClassSrcPorts | 0 | 0 | The range of UDP or TCP source ports that match this class. The value '0' 'any port'. Numeric strings, character strings, and com… |
| 1.3.6.1.4.1.838.3.2.1.2.1.49 | xtmClassDestPorts | 0 | 0 | The range of UDP or TCP destination ports that match this class. The value '0' 'any port'. Numeric strings, character strings, an… |
| 1.3.6.1.4.1.838.3.2.1.2.1.50 | xtmClassApplications | 0 | 0 | The application level protocol of the class. Application classification allows you to classify based on the application level pro… |
| 1.3.6.1.4.1.838.3.2.1.2.1.51 | xtmClassClassificationTos | 0 | 0 | The range of IPv4 Tos Octet values that match this class. |
| 1.3.6.1.4.1.838.3.2.1.2.1.52 | xtmClassSrcDomainNames | 0 | 0 | A list of domain names which are to be dynamically included in the range of source IP addresses. |
| 1.3.6.1.4.1.838.3.2.1.2.1.53 | xtmClassDestDomainNames | 0 | 0 | A list of domain names which are to be dynamically included in the range of destination IP addresses. |
| 1.3.6.1.4.1.838.3.2.1.2.1.54 | xtmClassOperator | 0 | 0 | An operator applied to all classification parameters of this class. A value of 'and' indicates that packets must match all class… |
| 1.3.6.1.4.1.838.3.2.1.2.1.55 | xtmClassDlTrafficIndex | 0 | 0 | The traffic index to be passed down to the datalink. |
| 1.3.6.1.4.1.838.3.2.1.2.1.56 | xtmClassDlTrafficFlags | 0 | 0 | Traffic handling flags to be passed down to the datalink. |
| 1.3.6.1.4.1.838.3.2.1.2.1.57 | xtmClassIcmpFilter | 0 | 0 | None |
| 1.3.6.1.4.1.838.3.2.1.2.1.58 | xtmClassConnectionAccounting | 0 | 0 | This object enabled and disables connection accounting. When set to 'enabled(1)', connection accounting information is logged whe… |
| 1.3.6.1.4.1.838.3.2.1.2.1.59 | xtmClassGenEventWhenDroppingPkt | 0 | 0 | The CBQ Class object controlling whether the class will generate an event message when filtering a packet. Note that a filter cla… |
| 1.3.6.1.4.1.838.3.2.1.2.1.60 | xtmClassAutoClassChildMaxBwAlloc | 0 | 0 | The CBQ Class object which controls the allocation of bandwidth to immediate children of AutoClasses. Each dynamically created c… |
| 1.3.6.1.4.1.838.3.2.1.2.1.61 | xtmClassAutoClassChildSrcIpDivisor | 0 | 0 | The CBQ Class object which divids the destination IP address into ranges according to its divisor for its immediate children of A… |
| 1.3.6.1.4.1.838.3.2.1.2.1.62 | xtmClassAutoClassChildDestIpDivisor | 0 | 0 | The CBQ Class object which divids the destination IP address into ranges according to its divisor for its immediate children of A… |
| 1.3.6.1.4.1.838.3.2.1.2.1.64 | xtmClassSrcBgpAsString | 0 | 0 | A string describing a complete, or partial 'Autonomyous System' in which to perform matches. This string uses a limited form of r… |
| 1.3.6.1.4.1.838.3.2.1.2.1.65 | xtmClassDestBgpAsString | 0 | 0 | A string describing a complete, or partial 'Autonomyous System' in which to perform matches. Refer to xtmClassSrcBgpAsString for… |
| 1.3.6.1.4.1.838.3.2.1.2.1.66 | xtmClassSrcBgpCommunityId | 0 | 0 | Allows matching on one of the integers listed in the BGP community attrubute list. This is only valid for routes sourced from B… |
| 1.3.6.1.4.1.838.3.2.1.2.1.67 | xtmClassDestBgpCommunityId | 0 | 0 | Allows matching on one of the integers listed in the BGP community attrubute list. This is only valid for routes sourced from B… |
| 1.3.6.1.4.1.838.3.2.1.2.1.68 | xtmClassDlTrafficClassIndices | 0 | 0 | Datalink Classification is a CBQ feature which allows you to classify traffic based on datalink information. The name is purpose… |
| 1.3.6.1.4.1.838.3.2.1.2.1.69 | xtmClassDlTrafficClassMask | 0 | 0 | A 16-bit hexadecimal mask applied when classifying datalink traffic. |
| 1.3.6.1.4.1.838.3.2.1.2.1.70 | xtmClassPolicyFwding | 0 | 0 | A textual name associated with a policy forwarding table entry. |
| 1.3.6.1.4.1.838.3.2.1.2.1.80 | xtmClassDescription | 0 | 0 | Textual name associated with this class. |
| 1.3.6.1.4.1.838.3.2.1.2.1.81 | xtmClassRedRangeMin | 0 | 0 | The CBQ Class object which sets the minimum value for the RED range of average queue sizes whereupon the system will start random… |