Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

53-1003098-01

tcp-intercept

Optional. Protects against SYN-flooding attacks by using TCP SYN cookies (TCP intercept).

A SYN-flooding attack occurs when an attacker floods a server with a barrage of connection requests. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site, accessing e-mail, using FTP service, and so on.

The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depend on the platform, memory, processor, and other factors. In the case of illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.

When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and the threshold of outstanding connections. You can optionally operate TCP intercept in watch mode instead of intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established within a configurable interval, the software intervenes and terminates the connection attempt.
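The SYN-cookie mechanism that the tcp-intercept option relies on can be shown in a few dozen lines. The following is an added example and not Brocade code: a server answers every SYN with a SYN-ACK whose initial sequence number is a keyed hash over the connection 4-tuple, the client's ISN and a coarse time counter, and keeps no half-open state at all. Only an ACK carrying a valid cookie allocates a connection, so SYNs from unreachable addresses cost nothing beyond the reply. The key, MSS table, field layout and epoch length are this example's own choices, not values from the guide.

```python
import hashlib
import hmac

# Constructed example, not Brocade code: a minimal SYN-cookie listener of the
# kind the tcp-intercept option relies on. Key, MSS table and bit layout are
# this example's own assumptions.

SECRET = b"constructed-demo-key"      # placeholder; a real stack rotates this
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in the 3-bit index
EPOCH_SECONDS = 64                    # counter tick; bounds the cookie lifetime


def _counter(now):
    return int(now) // EPOCH_SECONDS


def _tag(saddr, sport, daddr, dport, client_isn, count):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the epoch."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{client_isn}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """ISN for the SYN-ACK: [5 bits counter | 3 bits MSS index | 24 bits tag]."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i                       # largest table entry not above peer MSS
    count = _counter(now)
    tag = _tag(saddr, sport, daddr, dport, client_isn, count)
    return ((count & 0x1F) << 27) | (idx << 24) | tag


def check_syn_cookie(saddr, sport, daddr, dport, seq, ack, now):
    """Validate the handshake's final ACK. Returns the recovered MSS, or None.

    The ACK's acknowledgment number is cookie + 1 and its sequence number is
    client_isn + 1, so both inputs to the tag are recoverable from the packet."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    idx = (cookie >> 24) & 0x7
    if idx >= len(MSS_TABLE):
        return None
    current = _counter(now)
    for count in (current, current - 1):  # accept this epoch and the previous one
        if (count & 0x1F) == cookie >> 27 and \
                _tag(saddr, sport, daddr, dport, client_isn, count) == (cookie & 0xFFFFFF):
            return MSS_TABLE[idx]
    return None


class SynCookieListener:
    """Server side of the handshake with no half-open connection table."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}             # (peer addr, peer port) -> negotiated MSS

    def on_syn(self, saddr, sport, client_isn, mss, now):
        # Reply with a SYN-ACK; nothing is stored, however many SYNs arrive.
        return make_syn_cookie(saddr, sport, self.addr, self.port, client_isn, mss, now)

    def on_ack(self, saddr, sport, seq, ack, now):
        mss = check_syn_cookie(saddr, sport, self.addr, self.port, seq, ack, now)
        if mss is None:
            return False                  # forged, stale or spoofed: dropped
        self.established[(saddr, sport)] = mss
        return True

    def half_open_count(self):
        return 0                          # by construction: no half-open state


if __name__ == "__main__":
    srv = SynCookieListener("192.0.2.10", 80)
    isn = srv.on_syn("10.0.0.5", 40000, 123456, 1460, now=1_000_000)
    print("valid ACK accepted:", srv.on_ack("10.0.0.5", 40000, 123457, isn + 1, now=1_000_030))
    print("stale ACK accepted:", srv.on_ack("10.0.0.5", 40000, 123457, isn + 1, now=1_000_300))
```

The trade-off the page alludes to with "aggressive timeouts on half-open connections" shows up here as the two-epoch acceptance window in check_syn_cookie: a cookie older than roughly two epochs is rejected, and because nothing was stored, rejection is simply a dropped packet rather than a freed table entry. The price is that TCP options other than the MSS are not preserved across the handshake, which is why real stacks only switch to cookies under load.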

tcp-null-scan

Optional. Detects TCP NULL scan attacks.

Attackers use the TCP NULL scan to identify listening TCP ports. This scan uses a series of strangely configured TCP packets, which contain a sequence number of 0 and no flags set. As with the other flag-based scans, this type of scan can get through some firewalls and boundary routers that filter incoming TCP packets with standard flag settings.

If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan packet and sends no reply.

tcp-post-syn

Optional. Detects TCP post-SYN DoS attacks.

A remote attacker may attempt to avoid detection by sending a SYN frame with a sequence number different from that of the original SYN. This can cause an Intrusion Detection System (IDS) to become unsynchronized with the data in a connection, so that subsequent frames sent during the connection are ignored by the IDS.

tcp-sequence-past-window

Optional. Enables the TCP SEQUENCE PAST WINDOW DoS attack check. Disable this check to work around a bug in Windows XP's TCP stack, which sends data past the receive window when performing a selective ACK.

tcp-xmas-scan

Optional. Detects TCP XMAS scans. A TCP XMAS scan probes ports to find listening services: a closed port returns an RST, which allows the attacker to identify the open ports.

tcphdrfrag

Optional. Detects a DoS attack in which the TCP header spans IP fragments.

twinge

Optional. Detects a twinge attack, a flood of forged ICMP packets intended to slow down a system.

udp-short-hdr

Optional. Enables the identification of truncated UDP headers and invalid UDP header length fields.
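The per-packet signatures described for tcp-null-scan, tcp-xmas-scan, tcp-sequence-past-window, tcphdrfrag and udp-short-hdr can all be checked from a single raw IPv4 packet. The classifier below is an added example, not Brocade code: it parses the IPv4 and transport headers with struct and returns the names of the checks a packet trips. The flag definition used for the XMAS scan (FIN, PSH and URG set together) is the conventional one and is not stated on this page; the receiver window values passed in for the sequence-past-window check are assumed to come from connection tracking, and the packet builders at the end construct sample input with checksums left at zero.

```python
import struct

# Constructed example, not Brocade code. Returned names mirror the option names
# on this page; the NULL (no flags) and XMAS (FIN+PSH+URG) definitions are the
# conventional ones and are this example's assumption, not text from the guide.

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32
XMAS_FLAGS = TCP_FIN | TCP_PSH | TCP_URG


def parse_ipv4(pkt):
    """Minimal IPv4 header parse: protocol, fragment info and transport payload."""
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),         # More Fragments bit
        "offset": (flags_frag & 0x1FFF) * 8,     # fragment offset in bytes
        "payload": pkt[ihl:total_len],
    }


def check_packet(pkt, rcv_nxt=None, rcv_wnd=None):
    """Return the list of signatures matched by one IPv4 packet.

    rcv_nxt/rcv_wnd describe the receiver's current window (assumed known from
    connection tracking) and enable the sequence-past-window check."""
    hits = []
    ip = parse_ipv4(pkt)
    data = ip["payload"]

    if ip["proto"] == 17:                         # UDP
        if len(data) < 8:
            return ["udp-short-hdr"]              # the header itself is truncated
        _sp, _dp, ulen, _csum = struct.unpack("!HHHH", data[:8])
        if ulen < 8 or ulen > len(data):          # length field cannot be right
            hits.append("udp-short-hdr")
        return hits

    if ip["proto"] != 6:                          # only TCP beyond this point
        return hits
    if ip["offset"] == 0 and ip["mf"] and len(data) < 20:
        return ["tcphdrfrag"]                     # TCP header split across fragments
    if ip["offset"] != 0 or len(data) < 20:
        return hits                               # no complete TCP header to inspect

    _sp, _dp, seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    flags = off_flags & 0x3F
    seg_len = len(data) - (off_flags >> 12) * 4   # payload bytes after the header

    if flags == 0:
        hits.append("tcp-null-scan")
    if flags & XMAS_FLAGS == XMAS_FLAGS:
        hits.append("tcp-xmas-scan")
    if rcv_nxt is not None and seg_len > 0:
        # Distance of the segment's last byte from the left window edge, mod 2^32.
        # Values >= 2^31 mean the data lies *behind* rcv_nxt (an old retransmission),
        # which is not the past-window case. A SACK-capable peer may leave holes in
        # the window, but its data must still end at or below rcv_nxt + rcv_wnd.
        end_off = (seq + seg_len - rcv_nxt) & 0xFFFFFFFF
        if rcv_wnd < end_off < 2**31:
            hits.append("tcp-sequence-past-window")
    return hits


# --- constructed packet builders for the demonstration (checksums left zero) ---

def build_ipv4(proto, payload, mf=False, offset=0):
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return hdr + payload


def build_tcp(seq, flags, payload=b""):
    # sport, dport, seq, ack, data-offset(5 words)|flags, window, checksum, urgent ptr
    return struct.pack("!HHIIHHHH", 40000, 80, seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload


def build_udp(length_field, payload=b""):
    return struct.pack("!HHHH", 40000, 53, length_field, 0) + payload


if __name__ == "__main__":
    print(check_packet(build_ipv4(6, build_tcp(0, 0))))                 # ['tcp-null-scan']
    print(check_packet(build_ipv4(6, build_tcp(1, XMAS_FLAGS))))        # ['tcp-xmas-scan']
    print(check_packet(build_ipv4(6, b"\x00" * 8, mf=True)))            # ['tcphdrfrag']
    print(check_packet(build_ipv4(17, build_udp(200))))                 # ['udp-short-hdr']
```

The sequence-past-window branch is where the Windows XP caveat from the tcp-sequence-past-window entry lives: a stack that sends data beyond rcv_nxt + rcv_wnd while generating selective ACKs trips exactly this comparison, which is why the guide offers a way to disable that one check while keeping the others.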

winnuke

Optional. Detects the WINNUKE DoS attack, which is specific to Windows™ 95 and Windows™ NT.

The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the NetBIOS service on Windows, resulting in high CPU utilization on the target machine.

log-and-drop

Logs the event and drops the packet

log-only

Logs the event only; the packet is not dropped

log-level

Configures the log level

<0-7>

Sets the numeric logging level

emergencies

Numerical severity 0. System is unusable