Denial Of Service Protection - Alcatel-Lucent Security Management Server (SMS) Release 9.4 Technical Overview

Alcatel-Lucent VPN Firewall Brick

Denial of Service Protection

Overview
Denial of Service attacks can be directed at two distinct points in the network: (1) at
the protected hosts, such as web servers, and (2) at the network elements themselves,
with the likely targets being firewalls and routers.
The Brick device offers five unique Denial of Service protection mechanisms. While
each protects against a specific class of attack, the protections are general-purpose and
can be tailored both to existing attacks and to newly emerging attacks not yet seen.
The five explicit methods of protection are:
• Intelligent Cache Management (ICM)
• SYN Flood Protection
• TCP State Verification and Strengthening
• Robust Fragment Reassembly
• Application Protocol Anomaly Checks
Additionally, the Quality-of-Service features described above can be used to provide
limits on connections, packets, and bits per second, an effective tool for use against
flooding DoS in general.
Intelligent cache management (ICM)
ICM is used to ensure that the Brick device cache cannot be exhausted in a brute-force
session-flood attack. Once enabled and triggered, the ICM feature proactively scans the
Brick cache memory to target and purge cache entries that have been configured as
lower priority, to ensure that highest-priority sessions have room in the cache. Without
an ICM-like feature, any stateful device such as a firewall is subject to a trivial
resource-consumption attack, easily launchable via a single 56k modem, resulting in a
potential denial-of-service on the entire protected network. ICM is enabled and
configured for the entire Brick device, since it is designed to protect the Brick itself
from attack. This feature is patented by Alcatel-Lucent.
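
A simplified model of the priority-based purge described above, added here as an illustration and not Alcatel-Lucent's implementation. The class name, the trigger and target fill ratios, the numeric priorities and the workload are all assumptions; the manual page does not give these values.

```python
from dataclasses import dataclass, field

@dataclass
class SessionCache:
    """Toy stateful-firewall session cache (hypothetical model, not Brick code)."""
    capacity: int
    icm: bool = True
    trigger: float = 0.9   # assumed: fill ratio that triggers the purge scan
    target: float = 0.5    # assumed: fill ratio the scan tries to purge down to
    protect: int = 1       # assumed: entries at or above this priority are never purged
    entries: dict = field(default_factory=dict)  # session id -> priority, oldest first

    def purge(self):
        # Candidates are lower-priority entries only; lowest priority goes first,
        # and the stable sort keeps oldest-first order within a priority.
        victims = sorted((s for s, p in self.entries.items() if p < self.protect),
                         key=self.entries.get)
        excess = len(self.entries) - int(self.target * self.capacity)
        for sid in victims[:max(excess, 0)]:
            del self.entries[sid]

    def add(self, sid, priority):
        if self.icm and len(self.entries) >= self.trigger * self.capacity:
            self.purge()
        if len(self.entries) >= self.capacity:
            return False               # cache exhausted: new session is refused
        self.entries[sid] = priority
        return True

def simulate(icm, capacity=1000, flood=5000):
    """Constructed workload: a session flood with one high-priority session
    arriving after every 100 flood sessions. Returns (admitted, still_cached)
    counts for the high-priority sessions."""
    cache = SessionCache(capacity, icm=icm)
    admitted = 0
    for i in range(flood):
        cache.add(("flood", i), priority=0)
        if i % 100 == 99:
            admitted += cache.add(("high", i), priority=1)
    cached = sum(1 for p in cache.entries.values() if p >= cache.protect)
    return admitted, cached

if __name__ == "__main__":
    print("without ICM:", simulate(icm=False))
    print("with ICM:   ", simulate(icm=True))
```

In this model the cache without the purge admits only the high-priority sessions that arrive before it fills, while the cache with the purge admits and retains all of them. A cache filled entirely with protected entries still refuses new sessions, which is why the priority configuration matters.
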
SYN flood protection
SYN Flood protection is a specific protection from TCP SYN attacks on servers.
Sending a flood of invalid SYN packets to a server may cause it to cease accepting
new inbound TCP sessions, an effective Denial of Service.
The Brick device allows SYN Flood protection to be configured and customized on
every Firewall Policy Rule. Configurable parameters are a half-open limit, to specify
the number of half-open connections to each destination server required to activate the
feature, as well as a half-open timer, to specify the number of seconds each session is
allowed to be half-open. Once the limit threshold is exceeded, each session that
260-100-022R9.4
Issue 1, June 2009
Security Appliance
1-21