Tcp Security Enhancement - Dell PowerConnect B-RX Configuration Manual

Bigiron rx series configuration guide v02.8.00
Protecting against TCP SYN attacks
BigIron RX(config)# access-list 101 permit tcp any any match-all +syn
BigIron RX(config)# int e 3/11
BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300

TCP security enhancement

TCP security enhancement improves upon the handling of TCP inbound segments. The enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to prematurely terminate an active TCP session, and a data injection attack, wherein an attacker injects or manipulates data in a TCP connection.

In both cases, the attack is blind, meaning the perpetrator does not have visibility into the content of the data stream between the two devices, but blindly injects traffic. Also, the attacker does not see the direct effect (the continuing communications between the devices and the impact of the injected packet), but may see the indirect impact of a terminated or corrupted session.

The TCP security enhancement prevents and protects against the following three types of attacks:
• Blind TCP reset attack using the reset (RST) bit
• Blind TCP reset attack using the synchronization (SYN) bit
• Blind TCP packet injection attack

The TCP security enhancement is automatically enabled. If necessary, you can disable this feature. Refer to "Disabling the TCP security enhancement" on page 999.

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator sends RST segments with guessed sequence numbers in order to prematurely terminate an active TCP session.

To prevent a user from using the RST bit to reset a TCP connection, the RST bit is subject to the following rules when receiving TCP segments:
• If the RST bit is set and the sequence number is outside the expected window, the device silently drops the segment.
• If the RST bit is set and the sequence number is exactly the next expected sequence number, the device resets the connection.
• If the RST bit is set and the sequence number does not exactly match the next expected sequence number, but is within the acceptable window, the device sends an acknowledgement.

This TCP security enhancement is enabled by default. To disable it, refer to "Disabling the TCP security enhancement" on page 999.

Protecting against a blind TCP reset attack using the SYN bit

In a blind TCP reset attack using the SYN bit, a perpetrator sends SYN segments with guessed sequence numbers to prematurely terminate an active TCP session.

To prevent a user from using the SYN bit to tear down a TCP connection, the SYN bit is subject to the following rules when receiving TCP segments:
• If the SYN bit is set and the sequence number is outside the expected window, the device sends an acknowledgement (ACK) back to the peer.
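The RST and SYN rules above, modelled as an added example (not code from the Dell/Brocade manual or the BigIron RX firmware): classify applies the page's rules to one inbound segment with 32-bit sequence wraparound handled, and reset_accepting_seqs contrasts the single sequence value the enhancement accepts for a reset with the whole receive window a classic RFC 793 receiver accepts (that legacy behaviour is an assumption taken from RFC 793, not stated on this page). The SYN rule for an in-window sequence number is not given on this page, so that case is reported as not covered rather than guessed.

```python
"""Model of the BigIron RX TCP security enhancement's RST/SYN rules (added example)."""
from enum import Enum

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class Action(Enum):
    DROP = "silently drop the segment"
    RESET = "reset the connection"
    ACK = "send an acknowledgement to the peer"
    NOT_COVERED = "rule not given on this page"


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify(seq: int, rst: bool, syn: bool, rcv_nxt: int, rcv_wnd: int) -> Action:
    """Apply the page's rules to one inbound segment carrying the given flags."""
    if rst:
        if not in_window(seq, rcv_nxt, rcv_wnd):
            return Action.DROP    # out of window: dropped without any reply
        if seq % SEQ_MOD == rcv_nxt % SEQ_MOD:
            return Action.RESET   # exact next expected sequence: genuine reset
        return Action.ACK         # in window but not exact: ACK instead of reset
    if syn:
        if not in_window(seq, rcv_nxt, rcv_wnd):
            return Action.ACK     # out-of-window SYN: ACK back to the peer
        return Action.NOT_COVERED  # in-window SYN handling is not stated on this page
    return Action.NOT_COVERED


def reset_accepting_seqs(rcv_nxt: int, rcv_wnd: int, enhanced: bool) -> int:
    """Count the sequence values a blind RST could carry and still tear the session
    down. Without the enhancement (assumption: RFC 793 behaviour, any in-window RST
    resets) that is the whole receive window; with it, only the exact value."""
    if not enhanced:
        return rcv_wnd
    return sum(
        classify((rcv_nxt + i) % SEQ_MOD, True, False, rcv_nxt, rcv_wnd) is Action.RESET
        for i in range(rcv_wnd)
    )


if __name__ == "__main__":
    nxt, wnd = 1000, 65535  # constructed receiver state for the demo
    print(classify(1001, True, False, nxt, wnd).value)
    print(reset_accepting_seqs(nxt, wnd, False), reset_accepting_seqs(nxt, wnd, True))
```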
998 BigIron RX Series Configuration Guide
53-1002253-01