Ttacks - HP ProCurve 9304M Security Manual

• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of
seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and
measurement is restarted.
In the example above, if the number of ICMP packets received per second exceeds 5,000, the excess packets are
dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP packets
for the next 300 seconds (five minutes).
Protecting Against TCP SYN Attacks
TCP SYN attacks exploit the process of how TCP connections are established in order to disrupt normal traffic
flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet to the destination host.
The destination host responds with a SYN ACK packet, and the connecting host sends back an ACK packet. This
process, known as a "TCP three-way handshake", establishes the TCP connection.
While waiting for the connecting host to send an ACK packet, the destination host keeps track of the as-yet
incomplete TCP connection in a connection queue. When the ACK packet is received, information about the
connection is removed from the connection queue. Usually there is not much time between the destination host
sending a SYN ACK packet and the source host sending an ACK packet, so the connection queue clears quickly.
In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP addresses.
For each of these TCP SYN packets, the destination host responds with a SYN ACK packet and adds information
to the connection queue. However, since the source host does not exist, no ACK packet is sent back to the
destination host, and an entry remains in the connection queue until it ages out (after around a minute). If the
attacker sends enough TCP SYN packets, the connection queue can fill up, and service can be denied to
legitimate TCP connections.
To protect against TCP SYN attacks, you can configure the HP device to drop TCP SYN packets when excessive
numbers are encountered. You can set threshold values for TCP SYN packets that are targeted or passing
through an interface, and drop them when the thresholds are exceeded.
For example, to set threshold values for TCP SYN packets targeted , enter the following command in CONFIG
mode:
ProCurveRS(config)# ip tcp burst-normal 10 burst-max 100 lockup 300
To set threshold values for TCP SYN packets received on interface 3/11:
ProCurveRS(config)# int e 3/11
ProCurveRS(config-if-e100-3/11)# ip tcp burst-normal 10 burst-max 100 lockup 300
Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>
The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
NOTE: The ip tcp burst-normal command is available at the global CONFIG level and .
The number of incoming TCP SYN packets per second are measured and compared to the threshold values as
follows:
• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are
dropped.
• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the
number of seconds specified by the lockup value. When the lockup period expires, the packet counter is
reset and measurement is restarted.
In the example above, if the number of TCP SYN packets received per second exceeds 10, the excess packets are
dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN
packets for the next 300 seconds (five minutes).
June 2005
Protecting Against Denial of Service Attacks
7 - 3