Checking Reflexive Traffic - HP ProCurve Secure Router 7203 dl Advanced Management And Configuration Manual

ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network
Configuring Attack Checking
4-16
The WinNuke attack affects Windows NT 3.51 and 4.0, Windows 95, and Windows 3.11. It does not usually cause permanent damage. However, it can cause open Windows applications to crash and hosts to lose connectivity; you should consider enabling this check when your network uses affected systems.

An attacker sends a SYN-flood to create a DoS attack. A SYN-flood consists of the TCP packets used to establish legitimate sessions; however, the source of the flood does not respond to the router's SYN/ACKs. The router uses all its resources waiting to open the unresolved sessions. Because the router cannot simply drop all SYN packets, the majority of which are legitimate, it must protect against the attack in a different way.

The ProCurve Secure Router guards against SYN-floods by monitoring the establishment of TCP sessions, which can require increased processing power. The firewall guards against SYN-flood attacks by default. You can disable the check by entering:

ProCurve(config)# no ip firewall check syn-flood

By default, RST sequence checks are also enabled.

When a host receives a TCP packet with its RST bit set, it resets the session associated with that packet. In a RST reset attack, a hacker sets the RST bit in a TCP packet that spoofs the IP addresses, port numbers, and sequence numbers of a legitimate TCP session. The spoofed session resets, causing a DoS, which can be particularly damaging for protocols such as Border Gateway Protocol (BGP) that require constant TCP connections. When the RST sequence check is enabled, the Secure Router OS firewall only accepts TCP RST packets that have the correct sequence number, significantly reducing the chance that an attacker can spoof a packet successfully.

To disable or re-enable the RST sequence check, enter this command from the global configuration mode context:

Syntax: [no] ip firewall check rst-seq
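The two checks above are easier to reason about with a small stateful model in hand. The following Python is an added illustration written for this page; it is not code from the HP manual and not ProCurve firmware. It tracks TCP sessions the way a stateful firewall would and applies the SYN-flood check (cap the number of half-open sessions) and the RST sequence check (honour a RST only when its sequence number is the one the tracked session expects from that side). The half-open limit, the exact-match sequence rule, the packet field names and all addresses are assumptions or constructed sample data; the manual states neither the router's threshold nor its internal algorithm.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view (constructed for this model)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST
    seq: int
    length: int = 0  # payload bytes carried, used to advance expected seq


class TcpChecker:
    """Stateful session tracker with SYN-flood and RST sequence checks.

    Simplifications (assumptions, not ProCurve behaviour): in-order delivery,
    exact-match RST sequence check, a fixed half-open session limit.
    """

    def __init__(self, syn_flood_limit=3, rst_seq_check=True):
        self.syn_flood_limit = syn_flood_limit  # assumed threshold
        self.rst_seq_check = rst_seq_check
        # key: (client, cport, server, sport) -> state and expected next seq per side
        self.sessions = {}
        self.half_open = 0
        self.log = []

    def _lookup(self, pkt):
        """Find the session and which side (client/server) sent the packet."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if fwd in self.sessions:
            return fwd, "client"
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if rev in self.sessions:
            return rev, "server"
        return None, None

    def _verdict(self, pkt, action, reason):
        self.log.append(f"{action} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport} "
                        f"{pkt.flags} seq={pkt.seq} ({reason})")
        return action == "accept"

    def process(self, pkt):
        """Return True if the packet is forwarded, False if dropped."""
        key, role = self._lookup(pkt)
        if pkt.flags == "S":
            if key is not None:
                return self._verdict(pkt, "accept", "retransmitted SYN")
            # SYN-flood check: refuse to open more half-open sessions than allowed
            if self.half_open >= self.syn_flood_limit:
                return self._verdict(pkt, "drop", "syn-flood: half-open limit reached")
            self.sessions[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = {
                "state": "SYN_RCVD", "next": {"client": pkt.seq + 1, "server": None}}
            self.half_open += 1
            return self._verdict(pkt, "accept", "new session, half-open")
        if key is None:
            return self._verdict(pkt, "drop", "no matching session")
        sess = self.sessions[key]
        if pkt.flags == "SA" and role == "server" and sess["state"] == "SYN_RCVD":
            sess["next"]["server"] = pkt.seq + 1
            return self._verdict(pkt, "accept", "SYN/ACK")
        if pkt.flags == "A" and role == "client" and sess["state"] == "SYN_RCVD":
            sess["state"] = "ESTABLISHED"
            self.half_open -= 1
            return self._verdict(pkt, "accept", "handshake complete")
        if pkt.flags == "R":
            # RST sequence check: a RST must carry the sequence number this
            # side is expected to send next; a guessed value is dropped.
            expected = sess["next"][role]
            if self.rst_seq_check and expected is not None and pkt.seq != expected:
                return self._verdict(pkt, "drop",
                                     f"rst-seq: seq {pkt.seq} != expected {expected}")
            del self.sessions[key]
            if sess["state"] == "SYN_RCVD":
                self.half_open -= 1
            return self._verdict(pkt, "accept", "session reset")
        # Ordinary in-session packet: advance the expected sequence number.
        sess["next"][role] = pkt.seq + pkt.length
        return self._verdict(pkt, "accept", "in established session")


def demo():
    """Run constructed traffic through the checker and collect verdicts."""
    fw = TcpChecker(syn_flood_limit=2)
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)   # constructed addresses
    results = {}
    # 1. Legitimate three-way handshake.
    results["syn"] = fw.process(Packet(*c, *s, "S", 1000))
    results["synack"] = fw.process(Packet(*s, *c, "SA", 5000))
    results["ack"] = fw.process(Packet(*c, *s, "A", 1001))
    # 2. RST with correct addresses/ports but a wrong sequence number.
    results["spoofed_rst"] = fw.process(Packet(*c, *s, "R", 424242))
    results["still_tracked"] = (c + s) in fw.sessions
    # 3. RST from the real client with the expected sequence number.
    results["genuine_rst"] = fw.process(Packet(*c, *s, "R", 1001))
    # 4. Four SYNs from distinct sources that never complete the handshake.
    results["flood"] = [fw.process(Packet(f"203.0.113.{i}", 1234, *s, "S", i * 10))
                        for i in range(1, 5)]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo, the RST with a guessed sequence number is dropped and the session stays tracked, while the RST carrying the expected number tears it down; with the half-open limit set to 2, the third and fourth SYNs that never complete are refused. Constructing `TcpChecker(rst_seq_check=False)` shows the other side of the `[no] ip firewall check rst-seq` decision: the same mismatched RST is then accepted and resets the session. Real stacks accept a RST anywhere in the receive window (RFC 5961 tightens this toward exact match), so the exact-match rule here is deliberately the strict end of that spectrum.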

Checking Reflexive Traffic

Reflexive traffic is traffic that is received on an interface and then forwarded out the same interface. For example, in a multi-netted environment, an Ethernet interface has a primary and secondary IP address and routes between the two subnets. Therefore, some traffic will arrive on and leave by the same Ethernet interface. (See Figure 4-5.) By default, the Secure Router OS firewall
