Protecting Against Tcp Syn Attacks - Dell PowerConnect B-RX Configuration Manual

BigIron RX Series supporting Multi-Service IronWare v02.7.03

When a port is locked up by DoS-attack prevention, two types of syslog messages are generated.

The first type is generated at the time the port is shut down for the matched traffic flow; it reports the port shutdown and the duration of the shutdown. The following is a sample output.
Jun 23 00:40:20:N:Incoming traffic in interface 3/5 exceedes 1500 burst packets,
stopping for 30 seconds!!

The second type logs the headers of the packets that are dropped during the lockup period. These messages are rate-limited to avoid overloading the syslog buffer: by default, packets of the same kind are logged only once every five seconds. The rate can be changed with the ip access-list logging-age command, which also controls the logging timer for ACLs. The following is a sample output.
Jun 23 00:37:58:I:list 120 denied icmp 55.55.55.1()(Ethernet 3/5 0000.0000.0011)
-> 14.14.14.1(), 1 event(s)
Note that:
• If the total traffic volume (in bits per second) of packets that match the condition specified in the ACL exceeds the burst-normal value, the excess packets are dropped.
• If the number of packets that match the condition specified in the ACL exceeds the burst-max value, all packets that match the condition specified in the ACL are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset, and measurement is restarted.
• This feature is supported on Ethernet (physical) interfaces only.
• Only the permit clauses (filters) are used in this feature. Deny clauses are ignored.

Protecting against TCP SYN attacks

TCP SYN attacks exploit the way TCP connections are established in order to disrupt normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet to the destination host. The destination host responds with a SYN ACK packet, and the connecting host sends back an ACK packet. This process, known as the "TCP three-way handshake", establishes the TCP connection.

While waiting for the connecting host to send an ACK packet, the destination host keeps track of the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received, the information about the connection is removed from the connection queue. Usually there is little time between the destination host sending a SYN ACK packet and the source host sending an ACK packet, so the connection queue clears quickly.

In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK packet and adds an entry to the connection queue. However, since the source host does not exist, no ACK packet is sent back to the destination host, and the entry remains in the connection queue until it ages out (after around a minute). If the attacker sends enough TCP SYN packets, the connection queue fills up, and service is denied to legitimate TCP connections.

To protect against TCP SYN attacks, you can configure the device to drop TCP SYN packets when excessive numbers are encountered. You can set threshold values for TCP SYN packets that are targeted at the router itself or that pass through an interface (interface 3/11 in the following example), and drop them when the thresholds are exceeded.

For example, to set threshold values for TCP SYN packets, enter the following commands.

BigIron RX Series Configuration Guide
53-1001986-01
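A parser for the two DoS-prevention syslog message types described above (the lockup notice and the rate-limited denied-packet log), added here as an example; it is not part of the manual or the device firmware. It assumes each message arrives on a single line (the wrap in the manual's second sample is page layout), that the parentheses after an address carry the TCP/UDP port when there is one, and it keeps the device's own spelling "exceedes" in the pattern.

```python
import re

# Constructed sample lines modelled on the two message formats in the manual.
# The wrapped second message is assumed to arrive as one line, and the value in
# parentheses after an address is assumed to be the L4 port when present.
SAMPLE_LOG = """\
Jun 23 00:40:20:N:Incoming traffic in interface 3/5 exceedes 1500 burst packets, stopping for 30 seconds!!
Jun 23 00:37:58:I:list 120 denied icmp 55.55.55.1()(Ethernet 3/5 0000.0000.0011) -> 14.14.14.1(), 1 event(s)
Jun 23 00:38:03:I:list 120 denied tcp 55.55.55.2(1234)(Ethernet 3/5 0000.0000.0012) -> 14.14.14.1(80), 3 event(s)
Jun 23 00:38:10:I:some unrelated message
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d):(?P<sev>[A-Z]):"
LOCKUP_RE = re.compile(TS + r"Incoming traffic in interface (?P<iface>\S+) exceedes (?P<burst>\d+) "
                       r"burst packets, stopping for (?P<secs>\d+) seconds!!$")
DENY_RE = re.compile(TS + r"list (?P<acl>\d+) denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d*)\)"
                     r"\(Ethernet (?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d*)\), "
                     r"(?P<events>\d+) event\(s\)$")

def parse_line(line):
    """Return a dict for a lockup or denied-packet message, or None for anything else."""
    if (m := LOCKUP_RE.match(line)):
        return {"kind": "lockup", "timestamp": m["ts"], "severity": m["sev"], "interface": m["iface"],
                "burst": int(m["burst"]), "lockup_seconds": int(m["secs"])}
    if (m := DENY_RE.match(line)):
        return {"kind": "denied", "timestamp": m["ts"], "severity": m["sev"], "interface": m["iface"],
                "acl": int(m["acl"]), "protocol": m["proto"], "src_mac": m["mac"],
                "src": m["src"], "src_port": int(m["sport"]) if m["sport"] else None,
                "dst": m["dst"], "dst_port": int(m["dport"]) if m["dport"] else None,
                "events": int(m["events"])}
    return None

def summarize(log_text):
    """Per-interface totals of lockups, seconds locked, logged drop events and ACLs involved.
    Events are a lower bound on real drops: each packet kind is logged once per logging-age interval."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        entry = summary.setdefault(rec["interface"],
                                   {"lockups": 0, "lockup_seconds": 0, "denied_events": 0, "acls": set()})
        if rec["kind"] == "lockup":
            entry["lockups"] += 1
            entry["lockup_seconds"] += rec["lockup_seconds"]
        else:
            entry["denied_events"] += rec["events"]
            entry["acls"].add(rec["acl"])
    return summary
```

Feeding the collected syslog into summarize() gives, per interface, how often and for how long the device locked a port and which ACLs were involved, which is the signal to alert on rather than the individual rate-limited packet lines.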