Release 07.6.06 - HP ProCurve 9304M Security Manual

Security Guide for ProCurve 9300/9400 Series Routing Switches
TCP Security Enhancement in Release 07.6.06
Software releases 07.6.06 and later provide a TCP security enhancement that improves upon the handling of TCP
inbound segments. This enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a
perpetrator attempts to prematurely terminate an active TCP session, and a data injection attack, wherein an
attacker injects or manipulates data in a TCP connection.
In both cases the attack is blind: the perpetrator has no visibility into the content of the data stream between
the two devices and injects traffic without it. Nor does the attacker see the direct effect, namely the continuing
communication between the devices and what the injected packet does to it, although the indirect impact of a
terminated or corrupted session may be visible.
The TCP security enhancement prevents and protects against the following three types of attacks:
Blind TCP reset attack using the reset (RST) bit
Blind TCP reset attack using the synchronization (SYN) bit
Blind TCP packet injection attack
The TCP security enhancement is automatically enabled in software releases 07.6.06 and later. If necessary, you
can disable this feature. See "Disabling the TCP Security Enhancement" on page 7-5.
Protecting Against a Blind TCP Reset Attack Using the RST Bit
In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST segments in order to
prematurely terminate an active TCP session.
Software releases prior to 07.6.06 apply the following rules to the RST bit when receiving TCP segments:
If the RST bit is set and the sequence number is outside the expected window, the HP device silently drops
the segment.
If the RST bit is set and the sequence number is within the acceptable range, the HP device resets the
connection.
To prevent a user from using the RST bit to reset a TCP connection, in software releases 07.6.06 and later, the
RST bit is subject to the following rules when receiving TCP segments:
If the RST bit is set and the sequence number is outside the expected window, the HP device silently drops
the segment.
If the RST bit is set and the sequence number is exactly the next expected sequence number, the HP device
resets the connection.
If the RST bit is set and the sequence number does not exactly match the next expected sequence value, but
is within the acceptable window, the HP device sends an acknowledgement.
This TCP security enhancement is enabled by default in software releases 07.6.06 and later. To disable it, see
"Disabling the TCP Security Enhancement" on page 7-5.
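The following model, added here as an illustration and not taken from HP software, encodes the two rule sets above and counts how many of the 2^32 possible sequence numbers in a blind RST segment would actually reset a connection under each. The connection state (RCV_NXT, RCV_WND) is constructed sample data.

```python
# Model of the RST-bit handling rules before and after release 07.6.06.
# Added illustration, not HP code. Sequence numbers are 32-bit and wrap.
MOD = 1 << 32


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_action_pre_07606(seq, rcv_nxt, rcv_wnd):
    """Pre-07.6.06: any in-window RST tears the connection down."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    return "reset"


def rst_action_07606(seq, rcv_nxt, rcv_wnd):
    """07.6.06 and later: only an RST carrying exactly the next expected
    sequence number resets; any other in-window RST is answered with an
    ACK, so a blind guess anywhere in the window is no longer enough."""
    if not in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if seq == rcv_nxt:
        return "reset"
    return "ack"


def resetting_sequence_numbers(rule, rcv_nxt, rcv_wnd):
    """Number of the 2^32 sequence numbers that reset the connection under
    `rule`. Out-of-window values are always dropped, so only the window
    itself needs to be scanned."""
    return sum(1 for off in range(rcv_wnd)
               if rule((rcv_nxt + off) % MOD, rcv_nxt, rcv_wnd) == "reset")


if __name__ == "__main__":
    # Constructed connection state; the window wraps past 2^32 on purpose.
    RCV_NXT, RCV_WND = 0xFFFFFF00, 16384
    for name, rule in (("pre-07.6.06", rst_action_pre_07606),
                       ("07.6.06+", rst_action_07606)):
        hits = resetting_sequence_numbers(rule, RCV_NXT, RCV_WND)
        print(f"{name}: {hits} of {MOD} sequence numbers reset the session")
    # A guessed in-window RST is handled differently by the two rule sets.
    guess = (RCV_NXT + 100) % MOD
    print("guessed RST, old rules:", rst_action_pre_07606(guess, RCV_NXT, RCV_WND))
    print("guessed RST, new rules:", rst_action_07606(guess, RCV_NXT, RCV_WND))
```

With a 16 KB window, the old rules accept 16384 guesses out of 2^32 while the new rules accept exactly one; a legitimate peer that receives the ACK instead of a reset simply retransmits its RST with the correct sequence number.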
Protecting Against a Blind TCP Reset Attack Using the SYN Bit
In a blind TCP reset attack using the SYN bit, a perpetrator sends SYN segments with guessed sequence numbers
in order to prematurely terminate an active TCP session.
Software releases prior to 07.6.06 apply the following rules to the SYN bit when receiving TCP segments:
If the SYN bit is set and the sequence number is outside the expected window, the HP device sends an ACK
back to the sender.
If the SYN bit is set and the sequence number is acceptable, the HP device sends a RST segment to the
peer.
To prevent a user from using the SYN bit to tear down a TCP connection, in software releases 07.6.06 and later,
the SYN bit is subject to the following rules when receiving TCP segments:
If the SYN bit is set and the sequence number is outside the expected window, the HP device sends an
acknowledgement (ACK) back to the peer.
If the SYN bit is set and the sequence number is an exact match to the next expected sequence, the HP
7 - 4
June 2005