Saturday, August 11, 2012

3) TCP SYN Flood, the Established Bit, and TCP Intercept
  • A TCP SYN flood is an attack directed at servers
    • by initiating a large number of TCP connections
    • but never completing them.
  • The attacker sends many TCP segments, each with only the SYN flag set, typically from spoofed source addresses so that the server's replies go unanswered.
    • The server replies to each one with a segment that has the SYN and ACK flags set,
    • but the attacker never sends the 3rd message (the ACK) of the 3-way TCP connection setup.
    • The server consumes memory and resources holding these half-open connections until its timeouts expire.
    • This can exhaust the server's connection table, so legitimate connections are refused or slowed.
  • Solution:
    • Stateful firewalls can prevent TCP SYN attacks.
    • Both the Cisco ASA firewall and the Cisco IOS Firewall feature set can be used to do this.
    • The impact of TCP SYN attacks can also be reduced or eliminated with a few other tools in Cisco IOS.
      • The simplest is to filter packets whose TCP header has only the SYN flag set.
        • In other words, filter every packet that is the first packet of a new TCP connection.
        • In many cases a router should not allow a client on one side to open a TCP connection to a server on the other side at all.
        • In those cases, filtering the initial TCP segment prevents the SYN attack.
    • Cisco IOS ACLs cannot directly match the TCP SYN flag.
      • However, an ACE can use the established keyword, which matches any TCP segment with the ACK or RST bit set, i.e. every segment except the very first one (the bare SYN) of a new connection.
      • The match is stateless: the router looks only at the flag bits and keeps no connection table, so a forged segment with just the ACK bit set is also permitted.
    • This ACL works well when hosts outside the network are not allowed to open TCP connections into the network.
    • There are situations where some inbound TCP connections must be allowed.
      • In that case the established ACL cannot be used,
      • and TCP intercept is used instead.
        • It allows TCP connections into the network but monitors those connections for TCP SYN attacks.
    • TCP intercept operates in one of 2 modes (ip tcp intercept mode {watch | intercept}).
      • In watch mode,
        • the router forwards the SYN but keeps state information about TCP connections that match a defined ACL (ip tcp intercept list).
        • If a TCP connection does not complete the 3-way handshake within the watch timeout (ip tcp intercept watch-timeout, default 30 seconds), TCP intercept sends a TCP reset to the server, cleaning up the half-open connection.
        • It also counts the number of new connection attempts over time.
        • If too many connection requests arrive within one minute (default high threshold 1100, low 900), or too many connections are half-open at once (same defaults), the router enters aggressive mode: each new connection request causes the oldest half-open connection to be dropped and the timeouts are halved, until the count falls back below the low threshold.
      • In intercept mode,
        • the router answers TCP connection requests itself, completing the 3-way handshake with the client, instead of forwarding them to the actual server.
        • Then, if the 3-way handshake completes, the router opens a TCP connection between itself and the server and splices the two connections together; a SYN that is never followed by the client's ACK never reaches the server.
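
As an added example (not part of the original notes and not Cisco code), the following Python models the two mechanisms above: the stateless `established` match that an ACE applies, and TCP intercept in watch mode tracking half-open connections, resetting the ones that time out, and switching to aggressive mode when the one-minute count crosses the high threshold. The TCP flag bits and the IOS defaults (watch-timeout 30 s, one-minute high 1100 / low 900, drop-mode oldest) are the real ones; the class and function names, the 10.1.1.0/24 "inside" network and the packet trace in `demo()` are constructed for illustration.

```python
"""Model of the two IOS SYN-flood defences described in the notes: the
ACL `established` keyword and TCP intercept in watch mode.  Added example,
not Cisco code; flag bits and the IOS defaults are real, the class names,
the 10.1.1.0/24 "inside" network and the trace are constructed."""
import ipaddress
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10                 # TCP header flag bits
INSIDE = ipaddress.ip_network("10.1.1.0/24")     # constructed inside network


@dataclass(frozen=True)
class Segment:
    t: float        # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established(seg):
    """ACL `established` keyword: true when the ACK or RST bit is set."""
    return bool(seg.flags & (ACK | RST))


def acl_permits_inbound(seg):
    """Models `access-list 101 permit tcp any 10.1.1.0 0.0.0.255 established`
    plus the implicit deny.  Replies to inside clients pass, new inbound SYNs
    do not.  Caveat: the check is stateless, so a forged bare-ACK passes too."""
    return ipaddress.ip_address(seg.dst) in INSIDE and established(seg)


class TcpInterceptWatch:
    """Watch mode: forward the SYN, remember it, and reset the server side if
    the handshake does not complete in time.  IOS defaults: watch-timeout 30 s,
    one-minute high 1100 / low 900, drop-mode oldest."""

    def __init__(self, watch_timeout=30.0, one_minute_high=1100, one_minute_low=900):
        self.watch_timeout = watch_timeout
        self.high, self.low = one_minute_high, one_minute_low
        self.half_open = {}   # flow key -> time its SYN was seen
        self.attempts = []    # SYN arrival times inside the last 60 s
        self.resets = []      # flows the router has reset toward the server
        self.aggressive = False

    def _housekeeping(self, now):
        # Expired half-open flows get a RST to the server so it frees the TCB;
        # aggressive mode halves the timeout.
        timeout = self.watch_timeout / 2 if self.aggressive else self.watch_timeout
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= timeout:
                del self.half_open[key]
                self.resets.append(key)
        # One-minute sample with hysteresis: enter aggressive above high, leave below low.
        self.attempts = [t for t in self.attempts if now - t < 60.0]
        if len(self.attempts) > self.high:
            self.aggressive = True
        elif len(self.attempts) < self.low:
            self.aggressive = False

    def observe(self, seg):
        self._housekeeping(seg.t)
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags & SYN and not seg.flags & ACK:        # client's SYN
            if self.aggressive and self.half_open:
                # drop-mode oldest: each new request evicts the oldest half-open flow
                oldest = min(self.half_open, key=self.half_open.get)
                del self.half_open[oldest]
                self.resets.append(oldest)
            self.half_open[key] = seg.t
            self.attempts.append(seg.t)
        elif seg.flags & ACK and key in self.half_open:    # third message: handshake done
            del self.half_open[key]


def demo():
    """Constructed trace: one honest client, then 1200 spoofed SYNs in 12 s."""
    w = TcpInterceptWatch()
    honest = ("192.0.2.10", 40000, "10.1.1.5", 80)
    w.observe(Segment(0.0, *honest, SYN))
    w.observe(Segment(0.1, *honest, ACK))            # completes, never reset
    for i in range(1200):
        w.observe(Segment(1.0 + i * 0.01, f"198.51.100.{i % 250 + 1}", 1024 + i,
                          "10.1.1.5", 80, SYN))
    aggressive_during_flood = w.aggressive
    w.observe(Segment(60.0, "192.0.2.11", 40001, "10.1.1.5", 80, SYN))  # triggers clean-up
    return {"aggressive_during_flood": aggressive_during_flood,
            "resets": len(w.resets), "half_open": len(w.half_open),
            "honest_reset": honest in w.resets}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of watch mode at work: the honest client completes its handshake and is never touched, the first 1100 spoofed SYNs are simply remembered, the 1101st pushes the one-minute count over the high-water mark and aggressive mode starts evicting the oldest half-open flow per new request (100 resets), and the next packet to arrive after the watch timeout expires the remaining 1100 half-open flows, for 1200 resets in total. The `acl_permits_inbound` check beside it makes the `established` caveat concrete: a bare inbound SYN is denied, a SYN-ACK or RST reply is permitted, and so is a forged segment carrying only the ACK bit.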