Preventing Tcp Paws Timestamp Dos Attacks - Juniper IGP - CONFIGURATION GUIDE V11.1.X Configuration Manual

Preventing TCP PAWS Timestamp DoS Attacks

The TCP Protect Against Wrapped Sequence (PAWS) number option works by
including the TCP timestamp option in all TCP headers to help validate the packet
sequence number.
Normally, in PAWS packets that have the timestamps option enabled, hosts use an
internal timer to compare the value of the timestamp associated with incoming
segments against the last valid timestamp the host recorded. If the segment timestamp
is larger than the value of the last valid timestamp, and the sequence number is less
than the last acknowledgement sent, the host updates its internal timer with the new
timestamp and passes the segment on for further processing.
If the host detects a segment timestamp that is smaller than the value of the last
valid timestamp or the sequence number is greater than the last acknowledgement
sent, the host rejects the segment.
A remote attacker can potentially determine the source and destination ports and
IP addresses of both hosts that are engaged in an active connection. With this
information, the attacker might be able to inject a specially crafted segment into the
connection that contains a fabricated timestamp value. When the host receives this
fabricated timestamp, it changes its internal timer value to match. If this timestamp
value is larger than subsequent timestamp values from valid incoming segments,
the host determines the incoming segments as being too old and discards them. The
flow of data between hosts eventually stops, resulting in a denial of service condition.
Use the tcp paws-disable command to disable PAWS processing.
NOTE: Disabling PAWS does not disable other processing related to the TCP
timestamp option. This means that even though you disable PAWS, a fabricated
timestamp that already exists in the network can still pollute the database and result
in a successful DoS attack. Enabling PAWS resets the saved timestamp state for all
connections in the virtual router and stops any existing attack.
tcp paws-disable
Use to help protect the router from TCP RST and SYN denial of service attacks.
Example
host1(config)#tcp ack-rst-and-syn
Use the no version to disable this protection (the default mode).
See tcp ack-rst-and-syn
Use to disable the Protect Against Wrapped Sequence (PAWS) number option
in TCP segments.
You can specify a VRF context for which you want PAWS disabled.
Example
Chapter 2: Configuring IPv6
IPv6 TCP Configuration
147