
Tcp security enhancement – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 331

Chapter 9: Protecting against TCP SYN attacks

The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:

• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.

• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

In this example, if the number of TCP SYN packets received per second exceeds 10, the excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN packets for the next 300 seconds (five minutes).

When incoming TCP SYN packets exceed the burst-max value, the following message is logged:

<date> <time>:N:Local TCP exceeds <burst-max> burst packets, stopping for <lockup> seconds!!

TCP security enhancement

A TCP security enhancement improves the way inbound TCP segments are handled. This enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to prematurely terminate an active TCP session, and of a data injection attack, in which an attacker injects or manipulates data in a TCP connection.

In both cases the attack is blind: the perpetrator has no visibility into the content of the data stream between the two devices and injects traffic without seeing it. The attacker also does not see the direct effect (the continuing communication between the devices and the impact of the injected packet), but may observe the indirect impact of a terminated or corrupted session.

The TCP security enhancement prevents and protects against the following types of attacks:

• Blind TCP reset attack using the reset (RST) bit

• Blind TCP reset attack using the synchronization (SYN) bit

• Blind TCP data injection attack

The TCP security enhancement is automatically enabled. If necessary, you can disable this feature. Refer to “Disabling the TCP security enhancement”.

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess an acceptable sequence number for a RST segment in order to prematurely terminate an active TCP session.

To prevent an attacker from using the RST bit to reset a TCP connection, the device applies the following rules to the RST bit when receiving TCP segments:

• If the RST bit is set and the sequence number is outside the expected window, the device silently drops the segment.

• If the RST bit is set and the sequence number is exactly the next expected sequence number, the device resets the connection.

• If the RST bit is set and the sequence number does not exactly match the next expected sequence value, but is within the acceptable window, the device sends an acknowledgement (ACK) instead of resetting the connection.
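The two receiver-side checks this page describes, the RST sequence-number rules above and the burst-normal / burst-max / lockup SYN thresholds from the start of the page, written out as an added illustration; this is not Brocade's code, and the modular sequence-space window test, the one-second measurement window and the `accept_syn`/`handle_rst` names are assumptions of the example.

```python
# Added example (not from the guide): models the RST rules and the SYN
# rate-limiting thresholds described on this page as plain Python.

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits (assumption: standard TCP)


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) in modular sequence space."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def handle_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Action for a received segment with RST set, per the three rules on this page."""
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"           # outside the expected window: silently discarded
    if seq == rcv_nxt:
        return "reset"          # exactly the next expected sequence number
    return "challenge-ack"      # in window but not exact: ACK, connection kept


class SynRateLimiter:
    """Per-second SYN counting with burst-normal, burst-max and lockup (seconds)."""

    def __init__(self, burst_normal: int, burst_max: int, lockup: int):
        self.burst_normal, self.burst_max, self.lockup = burst_normal, burst_max, lockup
        self.window_start = None   # start of the current 1-second measurement window
        self.count = 0             # SYNs seen in the current window
        self.locked_until = None   # time at which an active lockup ends, or None

    def accept_syn(self, now: float) -> bool:
        """Return True if a SYN arriving at time `now` is accepted, False if dropped."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return False                       # lockup in effect: every SYN dropped
            self.locked_until = None               # lockup expired: reset counter,
            self.window_start, self.count = None, 0  # restart measurement
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0  # new one-second window
        self.count += 1
        if self.count > self.burst_max:            # "exceeds burst-max": start lockup
            self.locked_until = now + self.lockup  # (the device also logs a message here)
            return False
        return self.count <= self.burst_normal     # above burst-normal: excess dropped
```

With burst-normal 10, burst-max 100 and lockup 300 (the page's example values), the limiter accepts the first ten SYNs in a second, drops the rest, and after the 101st SYN drops everything for 300 seconds.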

The TCP security enhancement is enabled by default. To disable it, refer to “Disabling the TCP security enhancement”.