Protecting against udp attacks, Disabling the tcp security enhancement, Disabling the tcp – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

332  Multi-Service IronWare Security Configuration Guide  53-1003035-02
Protecting against TCP SYN attacks
9
Protecting against a blind TCP reset attack using the SYN bit
For a blind TCP reset attack, the attacker tries to guess the SYN bits to terminate an active TCP session. To protect against this type of attack, the SYN bit is subject to the following rules during arrival of TCP segments:
• If the SYN bit is set and the sequence number is outside the expected window, the device sends an ACK to the peer.
• If the SYN bit is set and the sequence number is an exact match to the next expected sequence, the device sends an ACK segment to the peer. Before sending the ACK segment, the software subtracts 1 from the value being acknowledged.
• If the SYN bit is set and the sequence number is acceptable, the device sends an ACK segment to the peer.
This TCP security enhancement is enabled by default. To disable it, refer to
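The three SYN-bit rules above can be modelled as a small decision function. The following is an added example, not Brocade code; it assumes that the acknowledgement number sent in rules 1 and 3 is the next expected sequence number (RCV.NXT), that "the value being acknowledged" in rule 2 is also RCV.NXT, and that the "original behavior" the device reverts to when the enhancement is disabled is the RFC 793 handling, where an in-window SYN on an established connection resets the connection. The `count_resets` helper shows why the enhancement matters: with it enabled no guessed sequence number tears the session down.

```python
SEQ_MOD = 1 << 32   # TCP sequence numbers wrap modulo 2^32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), allowing for wraparound."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def handle_syn(syn, seq, rcv_nxt, rcv_wnd, enhancement=True):
    """Classify one incoming segment on an established connection.

    Returns one of:
      ("process", None)  SYN bit clear: hand the segment to normal processing
      ("ack", n)         answer with an ACK carrying acknowledgement number n; keep the session
      ("reset", None)    pre-enhancement behaviour only: tear the session down
    """
    if not syn:
        return ("process", None)
    in_window = seq_in_window(seq, rcv_nxt, rcv_wnd)
    if not enhancement:
        # Assumption: "original behavior" is RFC 793 handling. An in-window SYN on an
        # established connection is treated as an error and resets the connection;
        # an out-of-window segment is answered with an ACK and dropped.
        return ("reset", None) if in_window else ("ack", rcv_nxt)
    if not in_window:
        # Rule 1: SYN with an out-of-window sequence number -> send an ACK
        # (acknowledgement number assumed to be RCV.NXT).
        return ("ack", rcv_nxt)
    if seq == rcv_nxt:
        # Rule 2: exact match of the next expected sequence -> send an ACK with
        # 1 subtracted from the acknowledged value (modulo 2^32 for wraparound).
        return ("ack", (rcv_nxt - 1) % SEQ_MOD)
    # Rule 3: any other acceptable (in-window) sequence number -> send an ACK.
    return ("ack", rcv_nxt)


def count_resets(rcv_nxt, rcv_wnd, guessed_seqs, enhancement=True):
    """How many SYN segments with the given (constructed) sequence numbers would
    terminate the session. Useful for comparing enabled vs. disabled behaviour."""
    return sum(
        1 for s in guessed_seqs
        if handle_syn(True, s, rcv_nxt, rcv_wnd, enhancement)[0] == "reset"
    )


if __name__ == "__main__":
    # Constructed connection state: next expected sequence 1000, window 500.
    sweep = range(0, 3000)
    print("resets with enhancement :", count_resets(1000, 500, sweep, True))   # 0
    print("resets without          :", count_resets(1000, 500, sweep, False))  # 500
```

Every branch with the enhancement enabled returns an ACK rather than a reset, so a SYN segment on its own can never close the connection; the peer that actually owns the session will see the ACK and, if the segment was not its own, simply ignore it.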
Protecting against a blind injection attack
In a blind TCP injection attack, the attacker tries to inject or manipulate data in a TCP connection.
To reduce the chances of a blind injection attack, an additional check is performed on all incoming
TCP segments.
This TCP security enhancement is enabled by default. To disable it, refer to
Disabling the TCP security enhancement
The TCP security enhancement is enabled by default. If necessary, you can disable this feature. When you disable this feature, the device reverts to the original behavior.
To disable the TCP security enhancement, enter the following command at the Global CONFIG level of the CLI.
Brocade(config)# no ip tcp tcp-security
To re-enable the TCP security enhancement after it has been disabled, enter the following command.
Brocade(config)# ip tcp tcp-security
Syntax: [no] ip tcp tcp-security
Protecting against UDP attacks
To protect against UDP attacks, you can configure Brocade devices to drop UDP packets when excessive numbers are encountered. You can set threshold values for UDP packets that are targeted at the device and drop them when the thresholds are exceeded.
In this example, if the number of UDP packets received per second exceeds 5,000, the excess packets are dropped. If the number of UDP packets received per second exceeds 10,000, the device drops all UDP packets for the next 300 seconds (five minutes).
Brocade(config)# ip udp burst-normal 5000 burst-max 10000 lockup 300
Syntax: [no] ip udp burst-normal value burst-max value lockup seconds
The burst-normal value can be from 1 – 100000.
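The burst-normal / burst-max / lockup behaviour described for the example above can be modelled to see how the two thresholds interact. This is an added example, not Brocade's implementation: it assumes the rate is counted per wall-clock second over all arriving packets (dropped ones included), that the lockup period starts the moment burst-max is crossed, and that burst-max must not be lower than burst-normal. The arrival timestamps in the usage section are constructed.

```python
class UdpBurstGuard:
    """Per-second UDP packet budget with a lockup penalty.

    burst_normal: packets per second admitted before the excess is dropped
    burst_max:    packets per second that triggers a full lockup
    lockup:       seconds during which every UDP packet is dropped once lockup triggers
    """

    def __init__(self, burst_normal, burst_max, lockup):
        if not 1 <= burst_normal <= 100000:          # range stated for burst-normal
            raise ValueError("burst-normal must be 1-100000")
        if burst_max < burst_normal:                 # assumption: max is never below normal
            raise ValueError("burst-max must be >= burst-normal")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self.current_second = None   # the one-second bucket currently being counted
        self.received = 0            # packets seen in that bucket, admitted or not
        self.locked_until = None     # time at which an active lockup expires

    def admit(self, now):
        """Decide the fate of one UDP packet arriving at time `now` (seconds, float).
        Returns True if the packet is accepted, False if it is dropped."""
        # During a lockup every packet is dropped without being counted.
        if self.locked_until is not None:
            if now < self.locked_until:
                return False
            self.locked_until = None
        # The rate is measured per wall-clock second: a new second resets the counter.
        second = int(now)
        if second != self.current_second:
            self.current_second = second
            self.received = 0
        self.received += 1
        if self.received > self.burst_max:
            # Crossing burst-max drops this packet and all UDP for `lockup` seconds.
            self.locked_until = now + self.lockup
            return False
        # Between burst-normal and burst-max only the excess is dropped.
        return self.received <= self.burst_normal


def simulate(guard, arrival_times):
    """Feed arrival timestamps through the guard; return (accepted, dropped)."""
    accepted = sum(1 for t in arrival_times if guard.admit(t))
    return accepted, len(arrival_times) - accepted


if __name__ == "__main__":
    # Constructed: the page's values, then 10001 packets inside second 0.
    guard = UdpBurstGuard(5000, 10000, 300)
    flood = [0.001 * (i % 1000) for i in range(10001)]
    print("flood second:", simulate(guard, flood))          # (5000, 5001)
    print("t=299.0 admitted:", guard.admit(299.0))           # False, still locked
    print("t=300.0 admitted:", guard.admit(300.0))           # True, lockup expired
```

Note that with these settings the 5,001st packet in a second is already dropped, but the counter keeps climbing on arrivals, so a sustained flood still reaches 10,000 and triggers the lockup; a moderate overrun (say 6,000 packets in a second) only loses the excess and never locks the device up.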