BigIron RX Series Configuration Guide

53-1002484-04

Protecting against TCP SYN attacks

The burst-max value, 1 – 100000, is specified as number of packets.

The lockup value can be from 1 – 10000 seconds.

The number of incoming ICMP packets per second that match the condition specified in the ACL
is measured and compared to the threshold values as follows:

If the total traffic volume (in bits per second) of packets that match the condition specified in
the ACL exceeds the burst-normal value, the excess packets are dropped.

If the number of packets that match the condition specified in the ACL exceeds the burst-max
value, all packets that match the condition specified in the ACL are dropped for the number of
seconds specified by the lockup value. When the lockup period expires, the packet counter is
reset, and measurement is restarted.

When a port is locked up by dos-attack prevention, two types of syslog messages are generated.
The first type of message is generated at the time the port is shut down for the matched
traffic flow; it indicates the port shutdown activity and the period of the shutdown. The following is a
sample output.

Jun 23 00:40:20:N:Incoming traffic in interface 3/5 exceedes 1500 burst packets, stopping for 30 seconds!!

The second type of message logs the headers of the packets that are dropped during the
lockup period. Note that this kind of message is rate-limited to avoid overloading the syslog
buffer. By default, the same kind of packet is only logged once every five seconds. The rate of
the messages can be changed with the ip access-list logging-age command, which also controls the
logging timer for ACLs. The following is a sample output.

Jun 23 00:37:58:I:list 120 denied icmp 55.55.55.1()(Ethernet 3/5 0000.0000.0011) -> 14.14.14.1(), 1 event(s)

Note that:

This feature is supported on Ethernet (physical) interfaces only.

Only the permit clauses (filters) are used in this feature. Deny clauses are ignored.
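The following is an added illustration, not part of the configuration guide and not Brocade's implementation: a small Python model of the per-second packet counter, the burst-normal excess drop, the burst-max lockup and the counter reset described above, fed with a constructed stream of packet arrival times. It simplifies burst-normal to a packets-per-second threshold and treats the lockup message as the first syslog type shown in the text; the class and function names are the author's own.

```python
from collections import Counter


class BurstGuard:
    """Per-interface burst counter for ACL-matching packets (simplified model)."""

    def __init__(self, interface: str, burst_normal: int, burst_max: int, lockup: int):
        self.interface = interface
        self.burst_normal = burst_normal  # packets/s forwarded before excess is dropped
        self.burst_max = burst_max        # packets/s that triggers the lockup
        self.lockup = lockup              # seconds during which all matching traffic is dropped
        self._window = None               # one-second window currently being counted
        self._count = 0                   # packets seen in that window
        self._locked_until = 0.0          # time at which the lockup period expires
        self.log = []                     # syslog-style messages emitted on lockup

    def process(self, t: float) -> str:
        """Return the fate of one ACL-matching packet arriving at time t (seconds)."""
        if t < self._locked_until:
            return "drop-lockup"          # lockup active: everything matching is dropped
        window = int(t)
        if window != self._window:        # new one-second window: restart measurement
            self._window, self._count = window, 0
        self._count += 1
        if self._count > self.burst_max:  # burst-max exceeded: lock the port up
            self._locked_until = t + self.lockup
            self._window, self._count = None, 0   # counter is reset once lockup expires
            self.log.append(
                f"Incoming traffic in interface {self.interface} exceeds "
                f"{self.burst_max} burst packets, stopping for {self.lockup} seconds"
            )
            return "drop-lockup"
        if self._count > self.burst_normal:
            return "drop-excess"          # above burst-normal: only the excess is dropped
        return "forward"


def simulate(guard: BurstGuard, arrivals) -> Counter:
    """Run a stream of arrival timestamps through the guard and tally the outcomes."""
    return Counter(guard.process(t) for t in arrivals)


# Constructed arrival times: 8 packets in second 0, 12 packets in second 1,
# one packet during the lockup and one after it has expired.
CONSTRUCTED_STREAM = [i / 10 for i in range(8)] + [1 + i / 100 for i in range(12)] + [20.0, 40.0]

if __name__ == "__main__":
    guard = BurstGuard("3/5", burst_normal=5, burst_max=10, lockup=30)
    print(simulate(guard, CONSTRUCTED_STREAM), guard.log)
```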

Protecting against TCP SYN attacks

TCP SYN attacks exploit the way TCP connections are established in order to disrupt
normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN
packet to the destination host. The destination host responds with a SYN ACK packet, and the
connecting host sends back an ACK packet. This process, known as the "TCP three-way handshake",
establishes the TCP connection.

While waiting for the connecting host to send an ACK packet, the destination host keeps track of
the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received,
information about the connection is removed from the connection queue. Usually there is not
much time between the destination host sending a SYN ACK packet and the source host sending
an ACK packet, so the connection queue clears quickly.
