Tcp Security Enhancement - Dell PowerConnect B-RX Configuration Manual
Bigiron rx series configuration guide v02.7.02
Hide thumbs
Also See for PowerConnect B-RX:
- Configuration manual (1458 pages) ,
- Getting started manual (32 pages) ,
- Installation manual (240 pages)
Table of Contents
Advertisement
34
Protecting against TCP SYN attacks
To protect against TCP SYN attacks, you can configure the BigIron RX to drop TCP SYN packets
when excessive numbers are encountered. You can set threshold values for TCP SYN packets that
are targeted at the router itself or passing through an interface from interface 3/11, and drop them
when the thresholds are exceeded.
For example, to set threshold values for TCP SYN packets, enter the following commands.
BigIron RX(config)# access-list 101 permit tcp any any match-all +syn
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000
burst-max 1000 lockup 300
TCP security enhancement
TCP security enhancement improves upon the handling of TCP inbound segments. The
enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator
attempts to prematurely terminate an active TCP session, and a data injection attack, wherein an
attacker injects or manipulates data in a TCP connection.
In both cases, the attack is blind, meaning the perpetrator does not have visibility into the content
of the data stream between two devices, but blindly injects traffic. Also, the attacker does not see
the direct effect, the continuing communications between the devices and the impact of the
injected packet, but may see the indirect impact of a terminated or corrupted session.
The TCP security enhancement prevents and protects against the following three types of attacks:
•
•
•
The TCP security enhancement is automatically enabled. If necessary, you can disable this feature.
Refer to
Protecting against a blind TCP reset attack using the RST bit
In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST segments in
order to prematurely terminate an active TCP session.
To prevent a user from using the RST bit to reset a TCP connection, the RST bit is subject to the
following rules when receiving TCP segments:
•
•
•
This TCP security enhancement is enabled by default. To disable it, refer to
security enhancement"
986
Blind TCP reset attack using the reset (RST) bit.
Blind TCP reset attack using the synchronization (SYN) bit
Blind TCP packet injection attack
"Disabling the TCP security enhancement"
If the RST bit is set and the sequence number is outside the expected window, the BigIron RX
silently drops the segment.
If the RST bit is exactly the next expected sequence number, the BigIron RX resets the
connection.
If the RST bit is set and the sequence number does not exactly match the next expected
sequence value, but is within the acceptable window, the BigIron RX sends an
acknowledgement.
on page 987.
on page 987.
"Disabling the TCP
BigIron RX Series Configuration Guide
53-1001810-01
Advertisement
Table of Contents
