TCP security enhancement – Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide, 53-1002484-04, page 1080, Chapter 35

Protecting against TCP SYN attacks

In a TCP SYN attack, an attacker floods a host with TCP SYN packets that carry random, spoofed source IP
addresses. For each of these SYN packets, the destination host responds with a SYN ACK packet and
adds a half-open entry to its connection queue. Because the spoofed source host does not exist (or never
sent the SYN), no ACK comes back to the destination host, and the entry remains in the connection
queue until it ages out, after around a minute. If the attacker sends enough TCP SYN packets, the
connection queue fills up, and service is denied to legitimate TCP connections.

To protect against TCP SYN attacks, you can configure the device to drop TCP SYN packets when it
encounters excessive numbers of them. You can set threshold values for TCP SYN packets that are
targeted at the router itself or that pass through an interface, and have the device drop them when
the thresholds are exceeded.

For example, to match SYN packets with an ACL and apply threshold values to them on interface 3/11,
enter the following commands.

BigIron RX(config)# access-list 101 permit tcp any any match-all +syn
BigIron RX(config)# interface ethernet 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300
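The threshold-and-lockup behaviour that the dos-attack-prevent parameters describe, modelled in Python as an added example; this is not Brocade code and not taken from the manual. The interpretation of burst-normal, burst-max and lockup used here (SYN-only packets per second allowed in normal operation, additional SYNs tolerated as a burst, and the number of seconds during which all matching SYNs are dropped once the burst limit is exceeded), the threshold values, the SYN, ACK and RST flag constants and the packet sample are all assumptions chosen for illustration. The sample also shows the operational caveat of a lockup: a legitimate SYN arriving during the lockup period is dropped along with the flood.

```python
from collections import defaultdict

# TCP flag bits (standard values); only SYN-only segments match "match-all +syn"
SYN, RST, ACK = 0x02, 0x04, 0x10


def is_syn_only(flags):
    """True for a segment with SYN set and neither ACK nor RST set."""
    return flags & (SYN | ACK | RST) == SYN


def filter_syns(packets, burst_normal, burst_max, lockup):
    """Apply an assumed model of burst-normal / burst-max / lockup to a packet list.

    packets: iterable of (t_seconds, src_ip, dst_ip, flags), in time order.
    Returns a list of (t_seconds, src_ip, verdict) with verdict "pass" or "drop".

    Assumed semantics (not taken from the Brocade manual):
      - within each one-second bucket, the first burst_normal SYN-only packets pass;
      - up to burst_max further SYN-only packets in that second pass as a tolerated burst;
      - the next SYN-only packet triggers a lockup: every SYN-only packet is dropped
        until lockup seconds have elapsed since the trigger.
    Segments that are not SYN-only are not matched by the ACL and always pass.
    """
    verdicts = []
    syn_per_second = defaultdict(int)
    locked_until = None  # absolute time at which the lockup ends, or None

    for t, src, _dst, flags in packets:
        if not is_syn_only(flags):
            verdicts.append((t, src, "pass"))
            continue
        if locked_until is not None and t < locked_until:
            verdicts.append((t, src, "drop"))  # collateral: legitimate SYNs dropped too
            continue
        locked_until = None

        bucket = int(t)
        syn_per_second[bucket] += 1
        count = syn_per_second[bucket]
        if count <= burst_normal:
            verdicts.append((t, src, "pass"))  # normal rate
        elif count - burst_normal <= burst_max:
            verdicts.append((t, src, "pass"))  # tolerated burst
        else:
            locked_until = t + lockup           # burst-max exceeded: enter lockup
            verdicts.append((t, src, "drop"))
    return verdicts


def make_sample():
    """Constructed traffic sample (not captured data)."""
    pkts = []
    # 30 SYN-only packets in 0.3 s from spoofed, never-repeating sources: the flood
    for i in range(30):
        pkts.append((10.0 + i * 0.01, f"198.51.100.{i + 1}", "192.0.2.10", SYN))
    pkts.append((11.0, "203.0.113.5", "192.0.2.10", ACK))  # data segment, not matched by the ACL
    pkts.append((12.0, "203.0.113.7", "192.0.2.10", SYN))  # legitimate SYN during lockup
    pkts.append((16.0, "203.0.113.7", "192.0.2.10", SYN))  # retry after the lockup expires
    return pkts


def summarize(verdicts):
    """Count passes and drops, so the effect of the thresholds can be checked."""
    counts = {"pass": 0, "drop": 0}
    for _t, _src, verdict in verdicts:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Assumed illustrative thresholds: 10 SYN/s normal, 5 extra as burst, 5 s lockup
    for t, src, verdict in filter_syns(make_sample(), 10, 5, 5):
        print(f"{t:6.2f} {src:>16} {verdict}")
    print(summarize(filter_syns(make_sample(), 10, 5, 5)))
```

With the thresholds in the block, the first 15 flood SYNs pass, the 16th triggers the lockup, the remaining 14 flood SYNs and the legitimate SYN at t=12 are dropped, and the retry at t=16 passes once the lockup has expired. Set lockup generously (the manual's example uses 300 seconds) only where a long outage for legitimate new connections on that interface is acceptable.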

TCP security enhancement

The TCP security enhancement improves the handling of inbound TCP segments. It eliminates or
minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to prematurely
terminate an active TCP session, and of a data injection attack, in which an attacker injects or
manipulates data in a TCP connection.

In both cases the attack is blind: the perpetrator has no visibility into the data stream between the
two devices and injects traffic without seeing it. The attacker also does not see the direct effect
of the injected packet on the continuing communication between the devices, but may observe the
indirect impact of a terminated or corrupted session.

The TCP security enhancement prevents and protects against the following three types of attacks:

Blind TCP reset attack using the reset (RST) bit.

Blind TCP reset attack using the synchronization (SYN) bit.

Blind TCP packet injection attack.

The TCP security enhancement is automatically enabled. If necessary, you can disable this feature.
Refer to “Disabling the TCP security enhancement” on page 1081.

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator who cannot see the connection sends
spoofed RST segments, guessing a sequence number that the receiver will accept, in order to
prematurely terminate an active TCP session.

To prevent an attacker from using the RST bit to reset a TCP connection, the device applies the
following rules to the RST bit when receiving TCP segments:

If the RST bit is set and the sequence number is outside the expected window, the device
silently drops the segment.

If the RST bit is set and the sequence number exactly matches the next expected sequence
number, the device resets the connection.

If the RST bit is set and the sequence number does not exactly match the next expected
sequence number, but is within the acceptable window, the device does not reset the connection
and instead sends an acknowledgement (a challenge ACK).
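The three RST rules above in Python, as an added example; it is not Brocade's implementation. It assumes a receive window [rcv_nxt, rcv_nxt + rcv_wnd) with 32-bit sequence-number wraparound, places the pre-enhancement behaviour (any in-window RST tears the connection down) beside the enhanced rules, and runs both against a constructed blind attack in which the attacker sends one RST per window-sized stride across the whole sequence space. The connection state and the attacker's guesses are assumptions chosen for illustration.

```python
SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
    """True if seg_seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), allowing for wraparound."""
    return (seg_seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def handle_rst_enhanced(seg_seq, rcv_nxt, rcv_wnd):
    """The three rules: drop out-of-window, reset only on exact match, else challenge ACK."""
    if not seq_in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seg_seq == rcv_nxt:
        return "reset"
    return "challenge-ack"


def handle_rst_legacy(seg_seq, rcv_nxt, rcv_wnd):
    """Pre-enhancement behaviour: any in-window RST resets the connection."""
    return "reset" if seq_in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def blind_rst_attack(rcv_nxt, rcv_wnd, guesses, handler):
    """Deliver spoofed RSTs with the given sequence numbers and count the outcomes."""
    counts = {"drop": 0, "reset": 0, "challenge-ack": 0}
    for seg_seq in guesses:
        counts[handler(seg_seq, rcv_nxt, rcv_wnd)] += 1
    return counts


def stride_guesses(rcv_wnd):
    """Constructed attacker strategy: one RST per window-sized stride covers the space,
    so at least one guess lands in any window of size rcv_wnd."""
    return range(0, SEQ_MOD, rcv_wnd)


# Assumed connection state: next expected sequence number close to the wrap point,
# so the window straddles 2**32 and exercises the modular comparison.
RCV_NXT = 0xFFFFFF00
RCV_WND = 65535


def compare_handlers():
    """Outcome counts for the same blind attack under both handlers."""
    guesses = stride_guesses(RCV_WND)
    return {
        "legacy": blind_rst_attack(RCV_NXT, RCV_WND, guesses, handle_rst_legacy),
        "enhanced": blind_rst_attack(RCV_NXT, RCV_WND, guesses, handle_rst_enhanced),
    }


if __name__ == "__main__":
    for name, counts in compare_handlers().items():
        print(name, counts)
```

The stride attack lands two guesses inside the window (one just above the wrap, one just below it). The legacy handler tears the connection down on the first of them; the enhanced handler answers both with a challenge ACK and only an RST carrying exactly rcv_nxt, which a blind attacker cannot produce without the 1-in-2^32 guess, resets the connection. The challenge ACK is what lets a legitimate peer that really did send an in-window RST try again with the exact sequence number.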

This TCP security enhancement is enabled by default. To disable it, refer to “Disabling the TCP
security enhancement” on page 1081.
