Brocade ICX 6650 Security Configuration Guide, page 271, document 53-1002601-01
TCP SYN attacks
The TCP security enhancement protects against the following three types of attack:
• Blind TCP reset attack using the reset (RST) bit
• Blind TCP reset attack using the synchronization (SYN) bit
• Blind TCP packet injection attack
The TCP security enhancement is automatically enabled; no configuration is required.
Protecting against a blind TCP reset attack using the RST bit
In a blind TCP reset attack using the RST bit, a perpetrator who cannot see the connection's traffic sends spoofed segments with the RST bit set, guessing at a sequence number the receiver will accept, in order to prematurely terminate an active TCP session.
To prevent an attacker from using the RST bit to reset a TCP connection, a received TCP segment is subject to the following rules:
• If the RST bit is set and the sequence number is outside the expected window, the Brocade device silently drops the segment.
• If the RST bit is set and the sequence number is exactly the next expected sequence number, the Brocade device resets the connection.
• If the RST bit is set and the sequence number does not exactly match the next expected sequence number but is within the acceptable window, the Brocade device sends an acknowledgement instead of resetting the connection.
Protecting against a blind TCP reset attack using the SYN bit
In a blind TCP reset attack using the SYN bit, a perpetrator who cannot see the connection's traffic sends spoofed segments with the SYN bit set, guessing at a sequence number the receiver will accept, in order to prematurely terminate an active TCP session.
To prevent an attacker from using the SYN bit to tear down a TCP connection, in current software releases a received TCP segment is subject to the following rules:
• If the SYN bit is set and the sequence number is outside the expected window, the Brocade device sends an acknowledgement (ACK) back to the peer.
• If the SYN bit is set and the sequence number is an exact match for the next expected sequence number, the Brocade device sends an ACK segment to the peer. Before sending the ACK segment, the software subtracts one from the value being acknowledged.
• If the SYN bit is set and the sequence number is within the acceptable window but is not an exact match, the Brocade device sends an ACK segment to the peer.
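The RST and SYN rules above, applied to a single inbound segment, as an added Python example (not code from the Brocade guide or the device's own software). It assumes the receiver state is just the next expected sequence number and the receive window size, and it assumes (the guide does not say) that the ACK sent in the non-exact SYN cases acknowledges the next expected sequence number unchanged.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class Action(Enum):
    DROP = "drop"                    # silently discard the segment
    RESET = "reset"                  # tear the connection down
    CHALLENGE_ACK = "challenge-ack"  # answer with an ACK; a genuine peer can retry with the right sequence
    PASS = "pass"                    # neither bit set: normal segment processing


@dataclass(frozen=True)
class Decision:
    action: Action
    ack_num: Optional[int] = None  # acknowledgement number carried by a challenge ACK


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True when seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), allowing for 32-bit wrap-around."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify(rst: bool, syn: bool, seq: int, rcv_nxt: int, rcv_wnd: int) -> Decision:
    """Apply the RST and SYN rules to one inbound segment on an established connection.

    rcv_nxt is the next sequence number the receiver expects; rcv_wnd is its receive window.
    """
    seq %= SEQ_MOD
    if rst:
        if not in_window(seq, rcv_nxt, rcv_wnd):
            return Decision(Action.DROP)                # outside the window: silently dropped
        if seq == rcv_nxt:
            return Decision(Action.RESET)               # exactly the next expected number: reset
        return Decision(Action.CHALLENGE_ACK, rcv_nxt)  # in window but not exact: acknowledge instead
    if syn:
        if seq == rcv_nxt:
            # Exact match: ACK with one subtracted from the acknowledged value, as the guide states.
            return Decision(Action.CHALLENGE_ACK, (rcv_nxt - 1) % SEQ_MOD)
        # Outside the window, or in window but not exact: ACK back to the peer.
        # Assumption (not stated by the guide): this ACK acknowledges rcv_nxt unchanged.
        return Decision(Action.CHALLENGE_ACK, rcv_nxt)
    return Decision(Action.PASS)


if __name__ == "__main__":
    # Constructed receiver state: next expected sequence 1000, window of 500 bytes.
    for rst, syn, seq in ((True, False, 2000), (True, False, 1000), (True, False, 1200), (False, True, 1000)):
        d = classify(rst, syn, seq, 1000, 500)
        print(f"rst={rst} syn={syn} seq={seq} -> {d.action.value} ack={d.ack_num}")
```

Only one of the 2^32 possible sequence numbers (the exact next expected one) now tears the connection down; any other in-window guess only provokes an ACK.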
Protecting against a blind injection attack
In a blind TCP injection attack, a perpetrator who cannot see the connection's traffic tries to inject or manipulate data in a TCP connection.
To reduce the chances of a blind injection attack succeeding, an additional check is performed on all incoming TCP segments.
Displaying statistics about packets dropped because of DoS attacks
To display information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded, enter the show statistics dos-attack command.