Configuring Syn Cookies - Avaya G250 Administration Manual


Accessing the Avaya G250/G350 Media Gateway
Because the target machine does not receive a response from the attacking machine, it
attempts to resend the SYN-ACK, typically five times, at 3-, 6-, 12-, 24-, and 48-second
intervals, before de-allocating the resources, 96 seconds after attempting the last resend.
Altogether, the target machine typically allocates resources for over three minutes to respond to
a single SYN attack.
When an attacker uses this technique repeatedly, the target machine eventually runs out of
memory resources since it holds numerous half-open connections. It is unable to handle any
more connections, thereby denying service to legitimate users.
Moreover, flooding the victim with TCP SYN at a high rate can cause the internal queues to fill
up, also causing a denial of service.
SYN cookies
SYN cookies protect against SYN attacks by employing the following strategies:
- Not maintaining any state for half-open inbound TCP sessions, thus preventing the SYN
  attack from depleting memory resources.
  SYN cookies avoid keeping state for half-open connections by responding to SYN
  requests with a SYN-ACK that contains a specially crafted initial sequence number (ISN),
  called a cookie. The value of the cookie is not a pseudo-random number generated by the
  system, but the result of a hash function. The hash result is generated from the source IP,
  source port, destination IP, destination port, and some secret values. The cookie can be
  verified when receiving a valid third ACK that establishes the connection. The verification
  ensures that the connection is a legitimate connection and that the source IP address was
  not spoofed.
- Employing the SYN cookies method at a lower point in the network stack than regular TCP
  handling, closer to the start point of packet handling. This reduces the chances that a SYN
  attack will fill up the internal queues.
- Performing SYN attack fingerprinting and alerting an administrator about a SYN attack as
  it occurs. This is implemented by keeping track of the rate at which half-open TCP
  connections are created, and sending an alert when the rate exceeds a certain threshold.
In addition, when the SYN cookies mechanism is active, a hostile port scan might be misled into
concluding that all TCP ports are open.
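The following Python is an added illustration of the two mechanisms described above (stateless cookie in the SYN-ACK's ISN, and rate-based SYN attack alerting); it is not Avaya code and does not reflect how the G250/G350 implements either one. The cookie layout (a 5-bit time counter, a 3-bit MSS class index and a 24-bit keyed hash), the MSS table, the secret and the addresses are all constructed for the example.

```python
import hashlib
import hmac
from collections import deque

# Constructed server secret for the demo; a real stack keeps it private and rotates it.
SECRET = b"constructed-demo-secret"

# Hypothetical MSS classes; the cookie carries only an index into this table.
MSS_TABLE = (536, 1220, 1460, 4380)

COUNTER_BITS = 5   # top 5 bits of the ISN: coarse time counter (mod 32)
MSS_BITS = 3       # next 3 bits: index into MSS_TABLE
HASH_BITS = 24     # low 24 bits: truncated keyed hash


def _keyed_hash24(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, counter):
    """Build the ISN for the SYN-ACK. Nothing about this SYN is stored on the server."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i  # largest class that does not exceed the client's MSS
    h = _keyed_hash24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return ((counter % (1 << COUNTER_BITS)) << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS) | h


def check_cookie(src_ip, src_port, dst_ip, dst_port, seq, ack, counter_now, max_age=1):
    """Validate the third ACK; returns the negotiated MSS, or None if the cookie is bad or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF        # the ACK acknowledges our ISN + 1
    client_isn = (seq - 1) & 0xFFFFFFFF    # the client's SEQ is its ISN + 1
    counter = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    h = cookie & ((1 << HASH_BITS) - 1)
    if (counter_now - counter) % (1 << COUNTER_BITS) > max_age:
        return None  # stale: we would not have sent this SYN-ACK recently
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _keyed_hash24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None  # forged, or the source address differs from the one we answered
    return MSS_TABLE[mss_idx]


class HalfOpenRateMonitor:
    """Counts new half-open connections in a sliding window and flags a SYN flood."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self._events = deque()

    def record_syn(self, ts):
        """Record one inbound SYN at time ts; True when the windowed rate exceeds the threshold."""
        self._events.append(ts)
        while self._events and self._events[0] <= ts - self.window:
            self._events.popleft()
        return len(self._events) > self.threshold


def demo():
    # Constructed exchange using documentation addresses (RFC 5737).
    src, sport, dst, dport = "192.0.2.10", 40000, "198.51.100.5", 80
    client_isn, counter = 1000, 10
    cookie = make_cookie(src, sport, dst, dport, client_isn, 1460, counter)
    legit = check_cookie(src, sport, dst, dport, client_isn + 1, cookie + 1, counter_now=counter)
    spoofed = check_cookie("203.0.113.9", sport, dst, dport, client_isn + 1, cookie + 1, counter)
    stale = check_cookie(src, sport, dst, dport, client_isn + 1, cookie + 1, counter_now=counter + 5)
    mon = HalfOpenRateMonitor(threshold=100, window_seconds=1.0)
    alerts = [mon.record_syn(i * 0.005) for i in range(150)]  # 150 SYNs in 0.75 s
    return legit, spoofed, stale, alerts


if __name__ == "__main__":
    print(demo())
```

The legitimate ACK decodes to the MSS class chosen at SYN time, an ACK arriving from a different source address fails the hash check, and an ACK that arrives after the counter window has passed is rejected even though its hash is valid; the monitor raises its flag on the 101st SYN inside the one-second window.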

Configuring SYN cookies

1. Enter tcp syn-cookies.
2. Copy the running configuration to the start-up configuration using the copy
running-config startup-config command.
3. Reset the device using the reset command.
SYN cookies are now enabled on the device.
80 Administration for the Avaya G250 and Avaya G350 Media Gateways
