
Brocade TurboIron 24X Series Configuration Guide, page 1025, 53-1003053-01

Protecting against TCP SYN attacks

TCP SYN attacks exploit the process of how TCP connections are established in order to disrupt
normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN
packet to the destination host. The destination host responds with a SYN ACK packet, and the
connecting host sends back an ACK packet. This process, known as a “TCP three-way handshake”,
establishes the TCP connection.

While waiting for the connecting host to send an ACK packet, the destination host keeps track of
the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received,
information about the connection is removed from the connection queue. Usually there is not
much time between the destination host sending a SYN ACK packet and the source host sending
an ACK packet, so the connection queue clears quickly.

In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP
addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK
packet and adds information to the connection queue. However, since the source host does not
exist, no ACK packet is sent back to the destination host, and an entry remains in the connection
queue until it ages out (after around a minute). If the attacker sends enough TCP SYN packets, the
connection queue can fill up, and service can be denied to legitimate TCP connections.

Protection against TCP-SYN attacks

TCP SYN flood attack protection is implemented in hardware on these devices. The protection
assumes that a TCP SYN packet is 74 bytes in size, which includes the L2, IPv4, and TCP headers.
If the attack packets are larger than this, the protection takes effect sooner than the configured
burst values alone would suggest, because the thresholds are reached with fewer packets.

To protect against TCP SYN attacks, you can configure the device to drop TCP SYN packets when
excessive numbers are encountered. You can set threshold values for TCP SYN packets that are
targeted at the router itself or passing through an interface, and drop them when the thresholds
are exceeded.

For example, to set threshold values for TCP SYN packets targeted at the router, enter the following
command in CONFIG mode.

TurboIron(config)#ip tcp burst-normal 30 burst-max 100 lockup 300

To set threshold values for TCP SYN packets received on interface 11, enter the following
command.

TurboIron(config)#int e 11

TurboIron(config-if-e10000-11)#ip tcp burst-normal 30 burst-max 100 lockup 300

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>

NOTE

This command is available at the global CONFIG level on both Chassis devices and Stackable
devices. On Chassis devices, this command is available at the Interface level as well. This command
is supported on Ethernet and Layer 3 ATM interfaces.

The burst-normal value ranges from 1 through 100000.

The burst-max value ranges from 1 through 100000.

The lockup value ranges from 1 through 10000.
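The following Python model is an added illustration, not Brocade code or documented hardware behaviour: it applies one assumed reading of the three parameters (SYNs per second up to burst-normal are forwarded, SYNs above it are dropped, and crossing burst-max drops every SYN for lockup seconds) and counts SYNs in 74-byte units, so oversized packets reach the thresholds sooner, as the guide notes. The names SynLimiter, offer and run_flood and the flood sequence are constructed for the example.

```python
from dataclasses import dataclass

SYN_REFERENCE_SIZE = 74  # bytes of L2 + IPv4 + TCP header the guide assumes per SYN

@dataclass
class SynLimiter:
    """Per-second SYN rate limiter with lockup; threshold semantics are assumed."""
    burst_normal: int        # SYN-equivalents per second forwarded before excess is dropped
    burst_max: int           # per-second level whose crossing drops every SYN for `lockup` s
    lockup: int              # length of the drop-everything window, in seconds
    forwarded: int = 0
    dropped: int = 0
    _second: int = -1        # one-second window currently being counted
    _units: float = 0.0      # 74-byte SYN-equivalents seen in that window
    _locked_until: int = -1  # first second at which forwarding resumes

    def offer(self, ts: int, size: int = SYN_REFERENCE_SIZE) -> bool:
        """Account for one SYN arriving in second `ts`; True if it is forwarded."""
        if ts != self._second:               # new one-second window
            self._second, self._units = ts, 0.0
        if ts < self._locked_until:          # still inside the lockup window
            self.dropped += 1
            return False
        # Budget is counted in bytes, so a SYN larger than the 74-byte reference
        # consumes more than one unit and reaches the thresholds sooner.
        self._units += size / SYN_REFERENCE_SIZE
        if self._units > self.burst_max:     # flood: lock the interface down
            self._locked_until = ts + self.lockup
            self.dropped += 1
            return False
        if self._units > self.burst_normal:  # over the normal burst: drop excess
            self.dropped += 1
            return False
        self.forwarded += 1
        return True

def run_flood(limiter: SynLimiter, arrivals) -> tuple:
    """Feed (second, size) tuples through the limiter; return (forwarded, dropped)."""
    for ts, size in arrivals:
        limiter.offer(ts, size)
    return limiter.forwarded, limiter.dropped

if __name__ == "__main__":
    # Constructed flood: 20 SYNs in second 0, 150 in second 1, then one probe
    # at second 150 (still locked out) and one at second 301 (lockup expired).
    lim = SynLimiter(burst_normal=30, burst_max=100, lockup=300)
    flood = [(0, 74)] * 20 + [(1, 74)] * 150 + [(150, 74), (301, 74)]
    print(run_flood(lim, flood))  # (51, 121)
```

With the guide's values (30/100/300), the second-1 burst forwards 30 SYNs, drops the rest, and crossing 100 locks the interface until second 301; sending 148-byte SYNs instead reaches the same thresholds with half as many packets.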
