Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

536

Brocade Mobility Access Point System Reference Guide

53-1003100-01

8

TCP Intercept

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for
connection.
Because these messages have unreachable return addresses, the connections cannot be
established. The resulting volume of unresolved open connections eventually overwhelms
the server and can cause it to deny service to valid requests, thereby preventing legitimate
users from connecting to a Web site, accessing E-mail, using FTP service, and so on.
The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating
TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP
synchronization (SYN) packets from clients to servers that match an extended access list.
The software establishes a connection with the client on behalf of the destination server,
and if successful, establishes the connection with the server on behalf of the client and
knits the two half-connections together transparently. Thus, connection attempts from
unreachable hosts will never reach the server. The software continues to intercept and
forward packets throughout the duration of the connection. The number of SYNs per second
and the number of concurrent connections proxied depends on the platform, memory,
processor, and other factors. In the case of illegitimate requests, the software’s aggressive
timeouts on half-open connections and its thresholds on TCP connection requests protect
destination servers while still allowing valid requests.
When establishing a security policy using TCP intercept, you can choose to intercept all
requests or only those coming from specific networks or destined for specific servers. You
can also configure the connection rate and threshold of outstanding connections.
Optionally operate TCP intercept in watch mode, as opposed to intercept mode. In watch
mode, the software passively watches the connection requests flowing through the router. If
a connection fails to get established in a configurable interval, the software intervenes and
terminates the connection attempt.

TCP Null Scan

Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series
of strangely configured TCP packets, which contain a sequence number of 0 and no flags.
Again, this type of scan can get through some firewalls and boundary routers that filter
incoming TCP packets with standard flag settings.
If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If
the target device's TCP port is open, the target discards the TCP NULL scan, sending no
reply.

TCP Post SYN

A remote attacker may be attempting to avoid detection by sending a SYN frame with a
different sequence number than the original SYN. This can cause an Intrusion Detection
System (IDS) to become unsynchronized with the data in a connection. Subsequent frames
sent during the connection are ignored by the IDS.

TCP Packet Sequence

This is an attempt to predict the sequence number used to identify the packets in a TCP
connection, which can be used to counterfeit packets. The attacker hopes to correctly guess
the sequence number used by the sending host. If successful, they can send counterfeit
packets to the receiving host which will seem to originate from the sending host, even
though the counterfeit packets may originate from some third host controlled by the
attacker.

TCP XMAS Scan

The TCP XMAS Scan floods the target system with TCP packets including the FIN, URG, and
PUSH flags. This is used to determine details about the target system and can crash a
system.

TCP Header Fragment

Enables the TCP Header Fragment denial of service check in the firewall.

Twinge

The Twinge DoS attack sends ICMP packets and cycles through using all ICMP types and
codes. This can crash some Windows systems.

UDP Short Header

Enables the UDP Short Header denial of service check in the firewall.

WINNUKE

The WINNUKE DoS attack sends a large amount of data to UDP port 137 to crash the Net
BIOS service on windows and can also result on high CPU utilization on the target machine.