Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00), document 53-1003035-02, chapter 9

Multicast Router Discovery messages:
  Multicast router advertisement (Type 151)
  Multicast router solicitation (Type 152)
  Multicast router termination (Type 153)

Section 4.4 of RFC 4890 also recommends that the following traffic types not be dropped. On this device they remain subject to DoS attack filtering, however:
  Echo request (Type 128)
  Echo response (Type 129)
  Certificate path solicitation (Type 148)
  Certificate path advertisement (Type 149)

Protecting against TCP SYN attacks

TCP SYN attacks disrupt normal traffic flow by exploiting the way TCP connections are established.
When a TCP connection starts, the connecting host sends a TCP SYN packet to the destination
host. The destination host responds with a SYN ACK packet, and the connecting host sends back
an ACK packet. This process, known as a “TCP three-way handshake”, establishes the TCP
connection.

While waiting for the connecting host to send an ACK packet, the destination host keeps track of
the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received,
information about the connection is removed from the connection queue. Usually there is not much
time between the destination host sending a SYN ACK packet and the source host sending an ACK
packet, so the connection queue clears quickly.

In a TCP SYN attack, an attacker floods a host with TCP SYN packets that carry random, spoofed source IP
addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK
packet and adds an entry to the connection queue. Because no host at the spoofed source address
sent the SYN, no ACK packet ever comes back, and the entry remains in the connection queue until
it ages out (after approximately one minute). If the attacker sends enough TCP SYN packets, the
connection queue fills up, and any legitimate connection attempt that arrives while the queue is
full is refused.

To protect against TCP SYN attacks, you can configure Brocade devices to drop TCP SYN packets
when excessive numbers are encountered. You can set threshold values for TCP SYN packets that
are targeted at the device and drop them when the thresholds are exceeded, as shown in this
example.

Brocade(config)# ip tcp burst-normal 10 burst-max 100 lockup 300

Syntax: ip tcp burst-normal value burst-max value lockup seconds

The burst-normal value can be from 1 – 100000.

The burst-max value can be from 1 – 100000.

The lockup value can be from 1 – 10000.