Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003099-01


3. Select OK to update the Denial of Service settings. Select Reset to revert to the last saved configuration.

TCP FIN Scan

Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the target device
reacts to a transaction close request for a TCP port (even though no connection may exist before these
close requests are made). This type of scan can get through basic firewalls and boundary routers that
filter on incoming TCP packets with the Finish (FIN) and ACK flag combination. The TCP packets used in
this scan include only the TCP FIN flag setting.
If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target
device's TCP port is open, the target device discards the FIN and sends no reply.

TCP Intercept

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection.
Because these messages have unreachable return addresses, the connections cannot be established.
The resulting volume of unresolved open connections eventually overwhelms the server and can cause it
to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site,
accessing email, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP
connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN)
packets from clients to servers that match an extended access list. The software establishes a
connection with the client on behalf of the destination server, and if successful, establishes the
connection with the server on behalf of the client and knits the two half-connections together
transparently. Thus, connection attempts from unreachable hosts will never reach the server. The
software continues to intercept and forward packets throughout the duration of the connection. The
number of SYNs per second and the number of concurrent connections proxied depends on the platform,
memory, processor, and other factors. In the case of illegitimate requests, the software’s aggressive
timeouts on half-open connections and its thresholds on TCP connection requests protect destination
servers while still allowing valid requests.
When establishing a security policy using TCP intercept, you can choose to intercept all requests or only
those coming from specific networks or destined for specific servers. You can also configure the
connection rate and the threshold of outstanding connections. TCP intercept can optionally operate in watch
mode rather than intercept mode. In watch mode, the software passively watches the connection
requests flowing through the router. If a connection fails to get established within a configurable interval, the
software intervenes and terminates the connection attempt.

TCP Null Scan

Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely
configured TCP packets, which contain a sequence number of 0 and no flags. Again, this type of scan can
get through some firewalls and boundary routers that filter incoming TCP packets with standard flag
settings.
If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target
device's TCP port is open, the target discards the TCP NULL scan, sending no reply.

TCP Post SYN

A remote attacker may be attempting to avoid detection by sending a SYN frame with a different sequence
number than the original SYN. This can cause an Intrusion Detection System (IDS) to become
unsynchronized with the data in a connection. Subsequent frames sent during the connection are ignored
by the IDS.

TCP XMAS Scan

The TCP XMAS Scan floods the target system with TCP packets including the FIN, URG, and PUSH flags.
This is used to determine details about the target system and can crash a system.
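As an added detection example (not part of the Brocade guide), the following Python classifies captured TCP headers by the flag patterns the TCP FIN Scan, TCP Null Scan and TCP XMAS Scan sections above describe: FIN only, no flags at all, and FIN+URG+PSH. The sample segments are constructed inline for offline testing; the port numbers and sequence values are arbitrary assumptions.

```python
import struct
from collections import Counter
from typing import Optional

# Flag bits in the low byte of the TCP data-offset/flags field (header bytes 12-13).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = 0x1FF  # the six classic flags plus ECE, CWR and NS

def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header; only the first 14 bytes are needed here."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte TCP header")
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & ALL_FLAGS}

def classify_scan(hdr: dict) -> Optional[str]:
    """Match the flag patterns the guide describes; None means nothing suspicious."""
    flags = hdr["flags"]
    if flags == 0:
        # Guide: no flags set (and typically sequence number 0); a legitimate segment
        # always carries at least one flag, so this never matches normal traffic.
        return "TCP Null Scan"
    if flags == FIN:
        # Guide: only FIN set; a real close is FIN+ACK, which basic filters pass.
        return "TCP FIN Scan"
    if flags == FIN | URG | PSH:
        # Guide: FIN, URG and PUSH lit up together ("christmas tree").
        return "TCP XMAS Scan"
    return None

def summarize(segments) -> Counter:
    """Classify each segment and count hits per scan type (e.g. for an alert digest)."""
    return Counter(s for s in (classify_scan(parse_tcp_header(seg)) for seg in segments) if s)

def _segment(sport: int, dport: int, seq: int, flags: int) -> bytes:
    # Constructed sample header for offline testing only (never sent): data offset 5
    # (20 bytes), window 1024, zero checksum and urgent pointer.
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 1024, 0, 0)

# Constructed capture: three probes of the kinds described above plus two normal segments.
SAMPLE_SEGMENTS = [
    _segment(40000, 22, 0, 0),                     # Null scan probe
    _segment(40001, 80, 12345, FIN),               # FIN scan probe
    _segment(40002, 443, 12345, FIN | URG | PSH),  # XMAS scan probe
    _segment(40003, 80, 99, SYN),                  # ordinary connection open
    _segment(40004, 80, 100, FIN | ACK),           # ordinary close
]

if __name__ == "__main__":
    print(summarize(SAMPLE_SEGMENTS))
```

A closed port answers any of these probes with RST while an open port stays silent, so pairing this classifier with the reply (or its absence) shows what the scanner learns.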

TCP Header Fragment

Enables the TCP Header Fragment denial of service check in the firewall.

Twinge

The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and codes. This can
crash some Windows systems.

UDP Short Header

Enables the UDP Short Header denial of service check in the firewall.

WINNUKE

The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the NETBIOS service on
Windows and can also result in high CPU utilization on the target machine.
