
TCP SYN Flood Attacks, The Jolt2 Attack – Amer Networks E5Web GUI User Manual

Page 484


Smurf and Papasmurf type floods will be seen as ICMP Echo Responses at the victim side.
Unless FwdFast rules are in use, such packets are never allowed to initiate new connections,
regardless of whether or not there are rules that would otherwise allow the traffic.

Fraggle packets may arrive at any UDP destination port targeted by the attacker. Tightening
the inbound rule set may help.

The Traffic Shaping feature built into cOS Core also helps absorb some of the flood before it
reaches protected servers.

6.6.8. TCP SYN Flood Attacks

TCP SYN flood attacks work by sending large numbers of TCP SYN packets to a given port and
then never completing the handshake by answering the SYN ACKs sent in response. Each
unanswered SYN ACK leaves a half-open connection that ties up TCP stack resources on the
victim server, until it is unable to accept further SYN packets at all until the existing half-open
connections have timed out.

cOS Core can protect against TCP SYN Flood attacks if the Syn Flood Protection option is enabled
in a service object associated with the rule in the IP rule set that triggers on the traffic. This is also
sometimes referred to as the SYN Relay option.

Flood protection is enabled automatically in the predefined services http-in, https-in, smtp-in,
and ssh-in. If a new custom service object is defined by the administrator then the flood
protection option can be enabled or disabled as desired.

The SYN Flood Defence Mechanism

SYN flood protection works by completing the 3-way handshake with the client before doing a
second handshake of its own with the target service, so the protected server only ever sees
connections from clients that actually answered the SYN ACK. Overload situations are hard to
provoke in cOS Core because of its resource management and the absence of the restrictions
normally placed on other operating systems. While other operating systems can exhibit
problems with as few as 5 outstanding half-open connections, cOS Core can fill its entire state
table before anything out of the ordinary happens. When the state table fills up, old outstanding
half-open SYN connections are the first to be dropped to make room for new connections.
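The relay behaviour described above, as an added simulation that is not cOS Core code: the relay answers the client's SYN with its own SYN ACK, only performs the second handshake towards the server once the client's ACK arrives, and when its table is full evicts the oldest half-open entry rather than an established one. Table size, the entry layout and the `simulate` scenario are assumptions chosen for the illustration.

```python
"""Simulation of a SYN-relay (SYN proxy) state table (constructed example)."""
import random
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Entry:
    state: str    # "half_open" (client has not ACKed yet) or "established"
    isn: int      # sequence number the relay chose for its SYN-ACK
    created: int  # logical time the SYN arrived


class SynRelay:
    def __init__(self, max_entries=1000):
        self.max_entries = max_entries
        self.table = OrderedDict()   # (client_ip, client_port) -> Entry, oldest first
        self.backend_handshakes = 0  # second handshakes done with the target service
        self.evicted = 0
        self.clock = 0

    def _make_room(self):
        """Drop the oldest half-open entry; never drop an established flow."""
        if len(self.table) < self.max_entries:
            return True
        for key, entry in self.table.items():
            if entry.state == "half_open":
                del self.table[key]
                self.evicted += 1
                return True
        return False  # table is full of established flows: refuse the new SYN

    def on_syn(self, client):
        """Client SYN: answer with our own SYN-ACK, no server contact yet."""
        self.clock += 1
        if client in self.table:
            return None  # retransmitted SYN, nothing new to do
        if not self._make_room():
            return None
        isn = random.getrandbits(32)
        self.table[client] = Entry("half_open", isn, self.clock)
        return ("SYN-ACK", isn)

    def on_ack(self, client, ack):
        """Client ACK: only now open the connection to the real server."""
        entry = self.table.get(client)
        if entry is None or entry.state != "half_open":
            return False
        if ack != ((entry.isn + 1) & 0xFFFFFFFF):
            return False  # ACK does not match our SYN-ACK: ignore it
        entry.state = "established"
        self.backend_handshakes += 1  # relay's own 3-way handshake with the service
        return True


def simulate(flood_syns=5000, legit_clients=3, max_entries=1000):
    """Spoofed SYNs that are never ACKed, followed by a few real clients."""
    relay = SynRelay(max_entries)
    for i in range(flood_syns):
        # constructed spoofed sources (documentation range), never answer
        relay.on_syn(("198.51.100.%d" % (i % 250), 40000 + i))
    established = 0
    for p in range(legit_clients):
        client = ("192.0.2.10", 50000 + p)
        reply = relay.on_syn(client)
        if reply and relay.on_ack(client, (reply[1] + 1) & 0xFFFFFFFF):
            established += 1
    return {
        "legit_established": established,
        "backend_handshakes": relay.backend_handshakes,
        "evicted_half_open": relay.evicted,
        "table_size": len(relay.table),
    }


if __name__ == "__main__":
    print(simulate())
```

The flood fills the table and then only churns half-open entries; the server is never contacted on behalf of a spoofed client, and the real clients still get through because the oldest unanswered SYNs are the ones evicted.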

Spotting SYN Floods

TCP SYN flood attacks will show up in cOS Core logs as excessive amounts of new connections
(or drops, if the attack targets a closed port). The sender IP address is almost invariably
spoofed, so the flood appears to come from a very large number of distinct sources.
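A detection pass over connection log lines, added here as an example that is not part of the manual and does not use cOS Core's real log format: the constructed lines use an assumed `event=conn_open|conn_drop src=… dst=…` layout. It flags a (second, destination) bucket when the number of new connections or drops is high and nearly every one comes from a different source address, which is the spoofing signature described above; a burst of many connections from a couple of real hosts is deliberately left unflagged.

```python
"""SYN-flood detection over constructed connection log lines (example only)."""
import re
from collections import defaultdict

# Assumed key=value line layout; not the product's own log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>conn_open|conn_drop) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+:\d+)$"
)


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_syn_floods(lines, rate_threshold=100, spoof_ratio=0.8):
    """Return alerts for per-second buckets that look like spoofed SYN floods."""
    buckets = defaultdict(lambda: {"count": 0, "srcs": set()})
    for rec in parse(lines):
        second = rec["ts"][:19]  # ISO timestamp truncated to whole seconds
        b = buckets[(second, rec["dst"], rec["event"])]
        b["count"] += 1
        b["srcs"].add(rec["src"])
    alerts = []
    for (second, dst, event), b in sorted(buckets.items()):
        distinct_ratio = len(b["srcs"]) / b["count"]
        if b["count"] >= rate_threshold and distinct_ratio >= spoof_ratio:
            alerts.append({
                "second": second, "dst": dst, "event": event,
                "count": b["count"], "distinct_sources": len(b["srcs"]),
            })
    return alerts


def build_sample():
    """Constructed log lines: normal traffic, a flood, drops, and a NAT burst."""
    lines = []
    for i in range(5):  # ordinary traffic from one host
        lines.append(f"2024-05-01T10:00:00 event=conn_open "
                     f"src=192.0.2.50:{50000 + i} dst=192.0.2.10:443")
    for i in range(300):  # flood: 300 SYNs in one second, all different spoofed sources
        lines.append(f"2024-05-01T10:00:01 event=conn_open "
                     f"src=203.0.{i // 254}.{i % 254 + 1}:{40000 + i} dst=192.0.2.10:80")
    for i in range(150):  # same flood aimed at a closed port shows up as drops
        lines.append(f"2024-05-01T10:00:02 event=conn_drop "
                     f"src=203.0.{i // 254}.{i % 254 + 1}:{41000 + i} dst=192.0.2.10:23")
    for i in range(120):  # busy but legitimate: 120 connections from two NAT addresses
        lines.append(f"2024-05-01T10:00:03 event=conn_open "
                     f"src=192.0.2.{60 + i % 2}:{50000 + i} dst=192.0.2.10:80")
    return lines


def demo():
    return find_syn_floods(build_sample())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The distinct-source ratio is what separates a spoofed flood from a legitimate burst behind a NAT; tune `rate_threshold` to the normal connection rate of the protected service rather than keeping the constructed value.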

ALGs Automatically Provide Flood Protection

It should be noted that SYN Flood Protection does not need to be explicitly enabled on a service
object that has an ALG associated with it. ALGs provide automatic SYN flood protection.

6.6.9. The Jolt2 Attack

The Jolt2 type attack works by sending a steady stream of identical IP fragments at the victim
machine. A few hundred packets per second can freeze vulnerable machines completely until
the stream ends.

cOS Core will protect completely against this attack. The first fragment received is queued,
waiting for the earlier fragments of the datagram to arrive so that the datagram can be
reassembled and passed on in order. Since the stream contains only this one fragment, that never
happens, so not even the first fragment gets through. Subsequent fragments are thrown away
because they are identical to the fragment already queued.
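The fragment handling just described, as an added simulation that is not cOS Core code: a reassembler that queues out-of-order fragments until the datagram is contiguous from offset 0 to a fragment with MF clear, throws away a fragment identical to one already queued, and ages out incomplete datagrams. The fragment fields, the identification value and the stream length are assumptions for the illustration; it also shows a normal out-of-order datagram completing, which the text does not.

```python
"""IP fragment reassembly queue against a Jolt2-style stream (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field (assumed value in the demo)
    offset: int     # byte offset of this fragment's payload in the datagram
    more: bool      # MF flag: more fragments follow
    payload: bytes


class Reassembler:
    def __init__(self):
        self.pending = {}    # ident -> {offset: Fragment}
        self.started = {}    # ident -> logical time the first fragment was queued
        self.dropped_dupes = 0
        self.expired = 0
        self.completed = []

    def receive(self, frag, now=0):
        """Queue a fragment; return the datagram payload once it is complete."""
        q = self.pending.setdefault(frag.ident, {})
        self.started.setdefault(frag.ident, now)
        if q.get(frag.offset) == frag:
            self.dropped_dupes += 1   # identical to a queued fragment: throw away
            return None
        q[frag.offset] = frag
        data = self._try_complete(q)
        if data is not None:
            del self.pending[frag.ident]
            del self.started[frag.ident]
            self.completed.append(data)
        return data

    def _try_complete(self, q):
        """Complete only if fragments cover offset 0 contiguously up to MF=0."""
        expected = 0
        parts = []
        for off in sorted(q):
            f = q[off]
            if off != expected:
                return None       # gap: an earlier fragment has not arrived
            parts.append(f.payload)
            expected += len(f.payload)
            if not f.more:
                return b"".join(parts)
        return None               # no final fragment seen yet

    def expire(self, now, max_age=30):
        """Drop datagrams that have waited longer than max_age for missing pieces."""
        stale = [i for i, t in self.started.items() if now - t > max_age]
        for ident in stale:
            del self.pending[ident]
            del self.started[ident]
        self.expired += len(stale)
        return len(stale)


def jolt2_stream(n=500):
    """Stream of identical non-first fragments: nothing completes, one is queued."""
    r = Reassembler()
    frag = Fragment(ident=0x1234, offset=8, more=False, payload=b"\x00" * 8)
    for _ in range(n):
        r.receive(frag)
    return {
        "completed": len(r.completed),
        "queued": len(r.pending.get(0x1234, {})),
        "dropped_dupes": r.dropped_dupes,
    }


def out_of_order_datagram():
    """A legitimate two-fragment datagram arriving last piece first."""
    r = Reassembler()
    r.receive(Fragment(1, 8, False, b"B" * 8))
    return r.receive(Fragment(1, 0, True, b"A" * 8))


if __name__ == "__main__":
    print(jolt2_stream())
    print(out_of_order_datagram())
```

The `expire` step is the caveat a practitioner should add: the single queued Jolt2 fragment occupies a reassembly slot until it is aged out, so the per-datagram timeout is what bounds memory use under a long-running stream.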

Chapter 6: Security Mechanisms

