Syn-Flood Attacks - HP 7102dl - ProCurve Secure Router Configuration Manual

Procurve secure router 7000dl series - advanced management and configuration guide

ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network
Overview
4-10
The firewall also checks for TCP SYN packets with ACK, URG, RST, or FIN
flags and packets:
• with the broadcast address for the source address
• with an invalid TCP sequence number
• with an enabled source route option

You do not have to configure the firewall to screen these attacks; it does so as
soon as you enable it. Equally, you cannot prevent the firewall from dropping
packets that display the signs of these attacks.

However, you can enable and disable certain optional checks, including
those for:
• SYN-flood attacks
• WinNuke attacks
• reset attacks

You can also enable the router to check for attacks on reflexive traffic. You
will learn how to do so in "Configuring Attack Checking" on page 4-14.

ProCurve periodically updates the Secure Router operating system (SROS)
to block new attacks as these attacks are reported. You can download new
SROS software at www.hp.com/rnd/software/securerouters.htm. See the
Basic Management and Configuration Guide, Chapter 1: Overview to learn
how to update the software.

SYN-flood Attacks

SYN-flood attacks exploit the process of establishing a TCP/IP session. In a
normal session, the initiator sends a SYN packet, the responder returns a
SYN/ACK packet, and the initiator replies with an ACK packet. In a SYN-flood
attack, the attacker repeatedly sends SYN packets, but does not reply to the
responder's SYN/ACKs. The responder holds the TCP connection open,
waiting for ACKs that do not come. Eventually, the SYN-flood attack uses all of the
target host's resources, creating a Denial of Service (DoS). (See Figure 4-3.)

A variation of this attack creates another victim. Rather than using an
unreachable source address, the attacker uses IP spoofing to make the packet appear
as if it were sent from a legitimate system. The target host then begins sending
SYN/ACK packets to this system, which was not involved in the attack. The
attacker can then create havoc on two or even more systems at once.
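The half-open sessions described above can be counted from TCP flags alone, which is the basis of most SYN-flood detection. The Python below is an added example, not ProCurve or SROS code and not a description of how the router implements its check; the function names, the threshold and timeout values, and the capture are constructed assumptions.

```python
from collections import Counter

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits


def find_syn_floods(packets, threshold=4, timeout=10.0):
    """Track half-open TCP handshakes per responder.

    packets: time-ordered (time, src, sport, dst, dport, flags) tuples.
    Returns {responder: peak simultaneous half-open sessions} for every
    responder whose peak exceeded `threshold` (an assumed limit).
    """
    pending = {}      # (initiator, iport, responder, rport) -> time of SYN
    peak = Counter()
    for t, src, sport, dst, dport, flags in packets:
        # Forget handshakes the responder would have given up on by now.
        for key in [k for k, seen in pending.items() if t - seen > timeout]:
            del pending[key]
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            pending[key] = t                 # step 1: session is now half-open
        elif flags & RST:
            pending.pop(key, None)           # initiator aborted
            pending.pop((dst, dport, src, sport), None)  # responder refused
        elif flags & ACK and not flags & SYN:
            pending.pop(key, None)           # step 3: handshake completed
        # A SYN/ACK (step 2) changes nothing: the responder is still waiting.
        for responder, n in Counter(k[2] for k in pending).items():
            peak[responder] = max(peak[responder], n)
    return {r: n for r, n in peak.items() if n > threshold}


def sample_capture():
    """Constructed capture: one normal handshake, then SYNs never ACKed."""
    web, client = "192.0.2.10", "198.51.100.7"
    pkts = [
        (0.0, client, 40000, web, 80, SYN),
        (0.1, web, 80, client, 40000, SYN | ACK),
        (0.2, client, 40000, web, 80, ACK),
    ]
    # Six SYNs from unreachable sources; the SYN/ACKs get no reply.
    for i in range(6):
        src = f"203.0.113.{i + 1}"
        pkts.append((1.0 + i * 0.1, src, 50000 + i, web, 80, SYN))
        pkts.append((1.05 + i * 0.1, web, 80, src, 50000 + i, SYN | ACK))
    return pkts


if __name__ == "__main__":
    print(find_syn_floods(sample_capture()))
```

Because the source addresses in a flood may be unreachable or spoofed, the count is keyed on the responder rather than on the sender.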


This manual is also suitable for:

Procurve secure router 7203dl j8753a j8753a
