Motorola WiNG 5 System Reference Manual page 466


8 - 6
WiNG 5 Access Point System Reference Guide
TCP Intercept

A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a Web site, accessing e-mail, using FTP service, and so on.

The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server, and if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depends on the platform, memory, processor, and other factors. In the case of illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests.

When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers. You can also configure the connection rate and threshold of outstanding connections. Optionally, operate TCP intercept in watch mode, as opposed to intercept mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to get established in a configurable interval, the software intervenes and terminates the connection attempt.

TCP Null Scan

Hackers use the TCP NULL scan to identify listening TCP ports. This scan also uses a series of strangely configured TCP packets, which contain a sequence number of 0 and no flags. Again, this type of scan can get through some firewalls and boundary routers that filter incoming TCP packets with standard flag settings.

If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply.

TCP Post SYN

A remote attacker may be attempting to avoid detection by sending a SYN frame with a different sequence number than the original SYN. This can cause an Intrusion Detection System (IDS) to become unsynchronized with the data in a connection. Subsequent frames sent during the connection are ignored by the IDS.
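The three events described on this page (a server accumulating half-open connections past a threshold, as TCP intercept's watch mode counts them; a TCP NULL scan probe with no flags and sequence number 0; and a second SYN on the same flow carrying a different sequence number) can be recognised from a packet record with a few lines of bookkeeping. The following is an added example written for this page, not WiNG code or Motorola's implementation: the `Packet` record, the `SAMPLE` traffic (constructed, using documentation addresses) and the `window` / `max_embryonic` parameters are assumptions standing in for what a sensor would actually see and for the configurable interval and threshold the text mentions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of one TCP segment as a sensor would record it (assumed shape)."""
    ts: float           # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # subset of {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
    seq: int            # sequence number


def is_null_scan(pkt):
    """NULL scan probe as described above: no TCP flags set and sequence number 0."""
    return len(pkt.flags) == 0 and pkt.seq == 0


def expired_half_open(packets, window):
    """Watch-mode style accounting: for each server (dst, dport), count SYNs whose
    handshake was not completed by the client's ACK within `window` seconds of
    the SYN. Returns {(dst, dport): count}."""
    if not packets:
        return {}
    ordered = sorted(packets, key=lambda p: p.ts)
    now = ordered[-1].ts
    pending = {}                      # 4-tuple -> timestamp of the SYN
    for p in ordered:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == frozenset({"SYN"}):
            pending[key] = p.ts       # new (or repeated) connection attempt
        elif "ACK" in p.flags and key in pending:
            if p.ts - pending[key] <= window:
                del pending[key]      # handshake finished inside the interval
    counts = defaultdict(int)
    for (src, sport, dst, dport), syn_ts in pending.items():
        if now - syn_ts > window:     # still embryonic after the interval
            counts[(dst, dport)] += 1
    return dict(counts)


def servers_over_threshold(packets, window, max_embryonic):
    """Servers whose expired half-open count exceeds the configured threshold."""
    return {srv: n for srv, n in expired_half_open(packets, window).items()
            if n > max_embryonic}


def post_syn_resyncs(packets):
    """Second SYN on an already-seen 4-tuple with a sequence number different from
    the first SYN: the pattern that can desynchronize an IDS tracking the flow."""
    first_seq = {}
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        if "SYN" in p.flags and "ACK" not in p.flags:
            key = (p.src, p.sport, p.dst, p.dport)
            if key in first_seq:
                if first_seq[key] != p.seq:
                    hits.append(key)
            else:
                first_seq[key] = p.seq
    return hits


SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})
NONE = frozenset()

# Constructed sample traffic (documentation address ranges, not a real capture).
SAMPLE = [
    Packet(0.00, "10.0.0.9", 40000, "10.0.0.5", 80, SYN, 1000),    # legitimate SYN
    Packet(0.10, "10.0.0.9", 40000, "10.0.0.5", 80, ACK, 1001),    # ...handshake completes
] + [
    Packet(1.0 + i / 10, f"203.0.113.{i + 1}", 5000, "10.0.0.5", 80, SYN, i + 1)
    for i in range(5)                                              # SYNs that are never ACKed
] + [
    Packet(2.00, "198.51.100.7", 4444, "10.0.0.5", 22, NONE, 0),   # NULL scan probe
    Packet(3.00, "198.51.100.8", 5555, "10.0.0.5", 80, SYN, 7000),
    Packet(3.05, "198.51.100.8", 5555, "10.0.0.5", 80, SYN, 9999), # post-SYN with new seq
]


if __name__ == "__main__":
    print("servers over threshold:", servers_over_threshold(SAMPLE, 1.0, 3))
    print("null scan probes:", [p for p in SAMPLE if is_null_scan(p)])
    print("post-SYN flows:", post_syn_resyncs(SAMPLE))
```

With a one-second interval and a threshold of three, the five unanswered SYNs leave `10.0.0.5:80` at five expired half-open connections, which is the condition under which watch mode would step in and reset the attempts; the flow that completed its handshake and the flow whose SYN is still within the interval are not counted. The second SYN from `198.51.100.8` is reported separately, since on its own it is not a half-open connection but a sequence-number change an IDS must follow rather than ignore.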
