Tcp Syn Flood Attacks; The Jolt2 Attack; Distributed Dos Attacks - D-Link DFL-260E User Manual

Network security firewall netdefendos version 2.27.03
Hide thumbs Also See for DFL-260E:
Table of Contents

Advertisement

6.6.8. TCP SYN Flood Attacks

The Traffic Shaping feature built into NetDefendOS also help absorb some of the flood before it
reaches protected servers.
6.6.8. TCP SYN Flood Attacks
TCP SYN flood attacks work by sending large amounts of TCP SYN packets to a given port and
then not responding to SYN ACKs sent in response. This will tie up local TCP stack resources on
the victim's web server so that it is unable to respond to more SYN packets until the existing
half-open connections have timed out.
NetDefendOS can protect against TCP SYN Flood attacks if the Syn Flood Protection option is
enabled in a service object associated with the rule in the IP rule set that triggers on the traffic. This
is also sometimes referred to as the SYN Relay option.
Flood protection is enabled automatically in the predefined services http-in, https-in, smtp-in, and
ssh-in. If a new custom service object is defined by the administrator then the flood protection
option can be enabled or disabled as desired.
The SYN Flood Defence Mechanism
Syn flood protection works by completing the 3-way handshake with the client before doing a
second handshake of its own with the target service. Overload situations have difficulty occurring in
NetDefendOS due to superior resource management and an absence of the restrictions normally
placed on other operating systems. While other operating systems can exhibit problems with as few
as 5 outstanding half-open connections, NetDefendOS can fill its entire state table before anything
out of the ordinary happens. When the state table fills up, old outstanding SYN connections will be
the first to be dropped to make room for new connections.
Spotting SYN Floods
TCP SYN flood attacks will show up in NetDefendOS logs as excessive amounts of new
connections (or drops, if the attack is targeted at a closed port). The sender IP address is almost
invariably spoofed.
ALGs Automatically Provide Flood Protection
It should be noted that SYN Flood Protection does not need to be explicitly enabled on a service
object that has an ALG associated with it. ALGs provide automatic SYN flood protection.

6.6.9. The Jolt2 Attack

The Jolt2 attack works by sending a steady stream of identical fragments at the victim machine. A
few hundred packets per second will freeze vulnerable machines completely until the stream is
ended.
NetDefendOS will protect completely against this attack. The first fragment will be queued, waiting
for earlier fragments to arrive so that they may be passed on in order, but this never happens, so not
even the first fragment gets through. Subsequent fragments will be thrown away as they are identical
to the first fragment.
If the attacker chooses a fragment offset higher than the limits imposed by the Advanced Settings >
LengthLim in NetDefendOS, the packets will not even get that far; they will be dropped
immediately. Jolt2 attacks may or may not show up in NetDefendOS logs. If the attacker chooses a
too-high fragment offset for the attack, they will show up as drops from the rule set to
"LogOversizedPackets". If the fragment offset is low enough, no logging will occur. The sender IP
address may be spoofed.

6.6.10. Distributed DoS Attacks

335
Chapter 6. Security Mechanisms

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents