Protecting Against TCP Out-of-Order DoS Attacks - Juniper JunosE Software for E Series 11.3.x - IP, IPv6, and IGP Configuration Guide 2010-10-31 Configuration Manual

Software for E Series Broadband Services Routers IP, IPv6, and IGP Configuration Guide
tcp paws-disable

Protecting Against TCP Out of Order DoS Attacks

Copyright © 2010, Juniper Networks, Inc.
acknowledgement sent, the host updates its internal timer with the new timestamp and
passes the segment on for further processing.
If the host detects a segment timestamp that is smaller than the value of the last valid
timestamp or the sequence number is greater than the last acknowledgement sent, the
host rejects the segment.
A remote attacker can potentially determine the source and destination ports and IP
addresses of both hosts that are engaged in an active connection. With this information,
the attacker might be able to inject a specially crafted segment into the connection that
contains a fabricated timestamp value. When the host receives this fabricated timestamp,
it changes its internal timer value to match. If this timestamp value is larger than
subsequent timestamp values from valid incoming segments, the host judges the
incoming segments to be too old and discards them. The flow of data between hosts
eventually stops, resulting in a denial of service condition.
Use the tcp paws-disable command to disable PAWS processing.
NOTE: Disabling PAWS does not disable other processing related to the TCP
timestamp option. This means that even though you disable PAWS, a
fabricated timestamp that already exists in the network can still pollute the
database and result in a successful DoS attack. Enabling PAWS resets the
saved timestamp state for all connections in the virtual router and stops any
existing attack.
Use to disable the Protect Against Wrapped Sequence numbers (PAWS) option in TCP
segments.
You can specify a VRF context for which you want PAWS disabled.
Example
host1(config)#tcp paws-disable
Use the no version to restore PAWS processing (the default mode).
See tcp paws-disable
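The following is an added example, not JunosE code: a small receiver-side model of the PAWS timestamp state described above, using the TS.Recent update rule of RFC 1323. It replays constructed traffic to show why a single fabricated timestamp stalls a connection, why disabling PAWS lets data flow again without clearing the polluted value, and why re-enabling PAWS resets the saved state; all sequence numbers and timestamp values are constructed for illustration.

```python
# Added example (not JunosE code): a receiver-side model of the PAWS state
# described above, using the TS.Recent update rule of RFC 1323. All segments
# and timestamp values below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class PawsReceiver:
    rcv_nxt: int                  # next expected sequence number
    paws_enabled: bool = True
    ts_recent: int = 0            # TS.Recent: last valid timestamp accepted
    last_ack_sent: int = -1

    def __post_init__(self) -> None:
        self.last_ack_sent = self.rcv_nxt

    def set_paws(self, enabled: bool) -> None:
        # As the manual notes, enabling PAWS resets the saved timestamp state.
        if enabled and not self.paws_enabled:
            self.ts_recent = 0
        self.paws_enabled = enabled

    def receive(self, seq: int, tsval: int, length: int) -> bool:
        """Return True if the segment is passed on, False if PAWS rejects it."""
        if self.paws_enabled and tsval < self.ts_recent:
            return False          # judged too old and discarded
        # Timestamp bookkeeping runs even with PAWS disabled (see NOTE above).
        if tsval >= self.ts_recent and seq <= self.last_ack_sent:
            self.ts_recent = tsval
        if seq == self.rcv_nxt:   # in-order data advances the window
            self.rcv_nxt += length
            self.last_ack_sent = self.rcv_nxt
        return True


def run_scenario() -> dict:
    """Replay constructed traffic and report how many segments got through."""
    rx = PawsReceiver(rcv_nxt=1000)
    before = sum(rx.receive(1000 + i * 100, 500 + i, 100) for i in range(3))
    rx.receive(rx.rcv_nxt, 9_000_000, 0)          # fabricated, far-future tsval
    during = sum(rx.receive(1300 + i * 100, 503 + i, 100) for i in range(3))
    rx.set_paws(False)                             # operator: tcp paws-disable
    disabled = sum(rx.receive(1300 + i * 100, 506 + i, 100) for i in range(3))
    polluted = rx.ts_recent                        # still the fabricated value
    rx.set_paws(True)                              # operator: no tcp paws-disable
    after = int(rx.receive(rx.rcv_nxt, 600, 100))
    return {"before_injection": before, "during_attack": during,
            "paws_disabled": disabled, "ts_recent_while_disabled": polluted,
            "after_reset": after, "ts_recent_after_reset": rx.ts_recent}
```

Running run_scenario() shows three segments accepted before the fabricated timestamp, none during the attack, three after PAWS is disabled (with TS.Recent still polluted), and normal acceptance once PAWS is re-enabled and the state is reset.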
You can use the group of tcp resequence-buffers commands to help protect the router
from TCP out-of-order DoS attacks.
TCP guarantees that applications receive data in order. This means that TCP buffers any
out-of-order packets it receives until ordered delivery can occur. To prevent buffers from
consuming too many resources, TCP limits the amount of data it accepts to the number
of data bytes that the receiver is willing to receive and buffer.
TCP does not take into account the buffering scheme that the receiver uses. If the receiver
uses a fixed-size receive buffer (that is, buffering all packets) regardless of length, a
Chapter 1: Configuring IP