beautypg.com

Protecting against a blind injection attack, Attacks – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 328

background image

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST bits to
prematurely terminate an active TCP session.

To prevent a user from using the RST bit to reset a TCP connection, the RST bit is subject to the
following rules when receiving TCP segments:

• If the RST bit is set and the sequence number is outside the expected window, the Brocade device

silently drops the segment.

• If the RST bit is exactly the next expected sequence number, the Brocade device resets the

connection.

• If the RST bit is set and the sequence number does not exactly match the next expected sequence

value, but is within the acceptable window, the Brocade device sends an acknowledgement.

Protecting against a blind TCP reset attack using the SYN bit

In a blind TCP reset attack using the SYN bit, a perpetrator attempts to guess the SYN bits to
prematurely terminate an active TCP session.

To prevent a user from using the SYN bit to tear down a TCP connection, in current software releases,
the SYN bit is subject to the following rules when receiving TCP segments:

• If the SYN bit is set and the sequence number is outside the expected window, the Brocade device

sends an acknowledgement (ACK) back to the peer.

• If the SYN bit is set and the sequence number is an exact match to the next expected sequence,

the Brocade device sends an ACK segment to the peer. Before sending the ACK segment, the
software subtracts one from the value being acknowledged.

• If the SYN bit is set and the sequence number is acceptable, the Brocade device sends an

acknowledgement (ACK) segment to the peer.

Protecting against a blind injection attack

In a blind TCP injection attack, a perpetrator tries to inject or manipulate data in a TCP connection.

To reduce the chances of a blind injection attack, an additional check on all incoming TCP segments is
performed.

Displaying statistics about packets dropped because of DoS attacks

To display information about ICMP and TCP SYN packets dropped because burst thresholds were
exceeded, enter the show statistics dos-attack command.

device#show statistics dos-attack

---------------------------- Local Attack Statistics --------------------------

ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count

--------------- ---------------- -------------- ---------------

0 0 0 0

--------------------------- Transit Attack Statistics -------------------------

Port ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count

----- --------------- ---------------- -------------- ---------------

3/11 0 0 0 0

Syntax: show statistics dos-attack

To clear statistics about ICMP and TCP SYN packets dropped because burst thresholds were
exceeded, enter the clear statistics dos-attack command.

device#clear statistics dos-attack

Protecting against a blind TCP reset attack using the RST bit

328

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: