Accessing the Avaya G250/G350 Media Gateway
Because the target machine does not receive a response from the attacking machine, it
attempts to resend the SYN-ACK, typically five times, at 3-, 6-, 12-, 24-, and 48-second
intervals, before de-allocating the resources 96 seconds after the last resend attempt.
Altogether, the target machine typically holds resources for over three minutes in response
to a single spoofed SYN.
When an attacker uses this technique repeatedly, the target machine eventually runs out of
memory resources since it holds numerous half-open connections. It is unable to handle any
more connections, thereby denying service to legitimate users.
Moreover, flooding the victim with TCP SYN packets at a high rate can cause the internal
queues to fill up, which also causes a denial of service.
SYN cookies
SYN cookies protect against SYN attacks by employing the following strategies:
● Not maintaining any state for half-open inbound TCP sessions, thus preventing the SYN
attack from depleting memory resources.
SYN cookies are able to maintain no state for half-open connections by responding to SYN
requests with a SYN-ACK that contains a specially crafted initial sequence number (ISN),
called a cookie. The value of the cookie is not a pseudo-random number generated by the
system, but the result of a hash function. The hash is computed over the source IP,
source port, destination IP, destination port, and some secret values. The cookie is
verified when a valid third ACK arrives to complete the handshake: the ACK number must
equal the cookie plus one, and the hash is recomputed from the addresses and ports of
that packet. Because the SYN-ACK carrying the cookie was sent only to the claimed source
address, a correct cookie shows that the connection is legitimate and that the source IP
address was not spoofed.
● Employing the SYN cookies method at a lower point in the network stack than regular TCP
handling, closer to the start point of packet handling. This reduces the chances that a SYN
attack will fill up the internal queues.
● Performing SYN attack fingerprinting and alerting an administrator about a SYN attack as
it occurs. This is implemented by keeping track of the rate at which half-open TCP
connections are created, and sending an alert when the rate exceeds a certain threshold.
In addition, when the SYN cookies mechanism is active, a hostile port scan might be misled into
concluding that all TCP ports are open.
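The following Python program is an added illustration of the two behaviours described above; it is not code from this guide or from the G250/G350 firmware. It contrasts a classic stateful listener, whose half-open table fills up under a spoofed-source flood and then drops a legitimate client, with a stateless SYN-cookie responder that derives the ISN from a keyed hash of the 4-tuple and a secret, verifies the third ACK, and keeps no per-connection state. It also includes a simple rate monitor of the kind the fingerprinting bullet describes. The cookie layout (a 5-bit time counter in the top bits of the ISN, a truncated HMAC below it), the secret, the backlog size, the alert threshold and all addresses are constructed assumptions for the example; the device's actual cookie format is not documented here.

```python
import hashlib
import hmac
import socket
import struct
from collections import deque

# Assumption: a per-host secret, rotated periodically on a real stack.
COOKIE_SECRET = b"constructed-example-secret"
COUNTER_BITS = 5                                   # top ISN bits carry a coarse timestamp
HASH_MASK = (1 << (32 - COUNTER_BITS)) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1


def _tuple_hash(src_ip, src_port, dst_ip, dst_port, counter):
    """Keyed hash over the 4-tuple and the time counter (the 'secret values')."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHI", src_port, dst_port, counter))
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & HASH_MASK


def make_cookie(src_ip, src_port, dst_ip, dst_port, minute):
    """ISN placed in the SYN-ACK: [counter | hash]. Nothing is stored locally."""
    counter = minute & COUNTER_MASK
    return (counter << (32 - COUNTER_BITS)) | _tuple_hash(
        src_ip, src_port, dst_ip, dst_port, counter)


def verify_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, minute, max_age=1):
    """Validate the third ACK: its ACK number must be cookie + 1 for this 4-tuple,
    and the cookie must have been issued within max_age minutes."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> (32 - COUNTER_BITS)
    age = (minute - counter) & COUNTER_MASK        # minutes since issue, mod 2**COUNTER_BITS
    if age > max_age:
        return False                               # stale cookie or a guessed ACK number
    expected = make_cookie(src_ip, src_port, dst_ip, dst_port, minute - age)
    return hmac.compare_digest(struct.pack("!I", expected), struct.pack("!I", cookie))


class StatefulListener:
    """Classic handling: every SYN allocates a half-open entry until ACK or timeout."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, key):
        if len(self.half_open) >= self.backlog:
            return False                           # queue full: this SYN is dropped
        self.half_open[key] = True                 # freed only after the retry timer expires
        return True


class SynRateMonitor:
    """SYN attack fingerprinting: half-open creations per sliding window vs. a threshold."""

    def __init__(self, threshold, window_seconds=1.0):
        self.threshold = threshold
        self.window = window_seconds
        self.events = deque()

    def record(self, t):
        self.events.append(t)
        while self.events and t - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) > self.threshold   # True means: raise an alert


def simulate(backlog=128, flood_size=1000, minute=1234):
    """Constructed scenario: a spoofed-source flood whose SYN-ACKs are never answered,
    followed by one legitimate client. Returns what each defence decided."""
    server = ("192.0.2.10", 443)
    stateful = StatefulListener(backlog)
    monitor = SynRateMonitor(threshold=200)
    alerted = False
    for i in range(flood_size):
        spoofed = ("203.0.113.%d" % (i % 250 + 1), 1024 + i, *server)
        stateful.on_syn(spoofed)                   # eats a backlog slot per spoofed SYN
        make_cookie(*spoofed, minute)              # cookie path: compute, send, forget
        alerted |= monitor.record(i * 0.001)       # 1000 SYNs inside one second
    client = ("198.51.100.7", 50000, *server)
    cookie = make_cookie(*client, minute)          # the SYN-ACK the real client receives
    return {
        "stateful_accepts_client": stateful.on_syn(client),
        "cookie_accepts_client": verify_cookie(*client, cookie + 1, minute),
        "guessed_ack_rejected": not verify_cookie(*client, 0x12345678, minute),
        "stale_cookie_rejected": not verify_cookie(*client, cookie + 1, minute + 2),
        "alert_raised": alerted,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Two points the simulation makes visible: the stateful listener rejects the legitimate client once its 128 slots are held by spoofed SYNs that will not time out for minutes, while the cookie path accepts the client because it stored nothing and only needs the ACK to carry a hash it can recompute; and the time counter is what lets the responder forget, since an old or guessed ACK number fails the age check before the hash is even compared. Real implementations also encode the peer's MSS in the cookie, because the SYN options are not retained either.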
Configuring SYN cookies
1. Enter tcp syn-cookies.
2. Copy the running configuration to the start-up configuration using the copy running-config startup-config command.
3. Reset the device using the reset command.
SYN cookies are now enabled on the device.
80 Administration for the Avaya G250 and Avaya G350 Media Gateways