Denial of service defense overview, Syn flood attack – Allied Telesis AT-S62 User Manual

AT-S62 User’s Guide

Section II: Advanced Operations

213

Denial of Service Defense Overview

The AT-S62 management software can help protect your network
against the following types of Denial of Service attacks.

❑ SYN Flood Attack

❑ SMURF Attack

❑ Land Attack

❑ Teardrop Attack

❑ Ping of Death Attack

❑ IP Options Attack

The following subsections briefly describe each type of attack and the
mechanism employed by the AT-S62 management software to protect
your network.

Note

Be sure to read the following descriptions before implementing a
DoS defense on a switch. Some defense mechanisms are CPU
intensive and can impact switch behavior.

SYN Flood

Attack

In this type of attack, an attacker sends a large number of TCP
connection requests (TCP SYN packets) with bogus source addresses to
the victim. The victim responds with acknowledgements (SYN ACK
packets), but since the original source addresses are bogus, the victim
node does not receive any replies. If the attacker sends enough requests
in a short enough period, the victim may freeze operations when the
number of requests exceeds the capacity of its connections queue.

To defend against this form of attack, a switch port monitors the number
of ingress TCP connection requests it receives. If a port receives more
than 60 requests per second, the following occurs.

❑ The switch sends a SNMP trap to the management workstations

❑ The port discards all ingress TCP-SYN packets for one minute.

However, the port continues to allow existing TCP connections to
go through.

This defense mechanism does not involve the switch’s CPU. You can
activate it on as many ports as you want without it impacting switch
performance.