TCP security enhancement – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


NOTE
For ICX 7750 devices, the "attack rate" parameter is only applicable for smurf attacks and not for
TCP/SYN attacks.

To set threshold values for TCP/SYN packets received on VE 31, enter commands such as the
following.

device(config)#interface ve 31

device(config-vif-31)#ip tcp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip tcp burst-normal value burst-max value lockup seconds

NOTE
This command is available at the global CONFIG level on both Chassis devices and Compact devices.
On Chassis devices, this command is available at the Interface level as well. This command is
supported on Ethernet and Layer 3 interfaces.

The burst-normal value parameter can be from 1 - 100,000 packets per second.

The burst-max value parameter can be from 1 - 100,000 packets per second.

The lockup seconds parameter can be from 1 - 10,000 seconds.

The number of incoming TCP SYN packets per second is measured and compared to the threshold
values as follows:

• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.

• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

In the example, if the number of TCP SYN packets received per second exceeds 10, the excess
packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device
drops all TCP SYN packets for the next 300 seconds (5 minutes).
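To make the interaction of the three parameters concrete, here is an added Python model of the per-second threshold rule described above. It is illustrative code written for this page, not Brocade software; the exact lockup-window boundaries and the in-second burst-normal allowance are assumptions noted in the comments.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class SynRateLimiter:
    """Per-second TCP SYN threshold check modelled on 'ip tcp burst-normal ...'."""

    burst_normal: int       # SYN/s above which the excess is dropped
    burst_max: int          # SYN/s above which a lockup starts
    lockup: int             # seconds every SYN is dropped after burst-max is crossed
    lockup_until: int = -1  # last second (inclusive) of the current lockup window

    def __post_init__(self) -> None:
        # Ranges from the guide: 1-100,000 pps for both bursts, 1-10,000 s for lockup.
        if not 1 <= self.burst_normal <= 100_000 or not 1 <= self.burst_max <= 100_000:
            raise ValueError("burst-normal and burst-max must be 1-100000 pps")
        if not 1 <= self.lockup <= 10_000:
            raise ValueError("lockup must be 1-10000 seconds")

    def process_second(self, t: int, syn_count: int) -> tuple[int, int]:
        """Apply the rule to the SYNs counted during second t; return (accepted, dropped)."""
        if t <= self.lockup_until:
            # Inside a lockup window every SYN is dropped and nothing is measured.
            return 0, syn_count
        if syn_count > self.burst_max:
            # Assumption: the window covers the next `lockup` seconds; when it
            # expires the counter restarts from zero, as the guide states.
            self.lockup_until = t + self.lockup
        # Up to burst-normal SYNs are forwarded, the rest of this second is dropped
        # (assumption: the allowance was already forwarded before burst-max was crossed).
        accepted = min(syn_count, self.burst_normal)
        return accepted, syn_count - accepted


def simulate(limiter: SynRateLimiter, timeline: list[tuple[int, int]]) -> list[tuple[int, int, int]]:
    """Run a constructed (second, syn_count) timeline; return (second, accepted, dropped) rows."""
    return [(t, *limiter.process_second(t, n)) for t, n in timeline]


if __name__ == "__main__":
    # Constructed timeline using the guide's example values (5000 / 10000 / 300).
    flood = [(0, 3000), (1, 6000), (2, 12000), (3, 500), (302, 500), (303, 500)]
    for row in simulate(SynRateLimiter(5000, 10000, 300), flood):
        print("t=%-4d accepted=%-6d dropped=%d" % row)
```

Seconds missing from the timeline carry no SYNs, so the sparse list above is enough to show the lockup ending at second 302 and measurement resuming at 303.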

TCP security enhancement

TCP security enhancement improves upon the handling of TCP inbound segments. This enhancement
eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to
prematurely terminate an active TCP session, and a data injection attack, wherein an attacker injects or
manipulates data in a TCP connection.

In both cases, the attack is blind, meaning the perpetrator does not have visibility into the content of the
data stream between the two devices, but blindly injects traffic. Also, the attacker does not see the direct
effect (the continuing communications between the devices and the impact of the injected packet), but
may see the indirect impact of a terminated or corrupted session.

The TCP security enhancement prevents and protects against the following three types of attacks:

• Blind TCP reset attack using the reset (RST) bit
• Blind TCP reset attack using the synchronization (SYN) bit
• Blind TCP packet injection attack

The TCP security enhancement is automatically enabled.

TCP security enhancement

FastIron Ethernet Switch Security Configuration Guide

327

53-1003088-03
