Quick Reference Guide

PowerConnect B-Series TI24X Configuration Guide 1007
53-1002269-02
Protecting against TCP SYN attacks
31
ICMP DoS attack protection also counts packets that port-based ingress rate limiting has already marked for drop. So even when port-based ingress rate limiting reduces the packet-per-byte rate, a DoS attack is still detected using the actual ingress packet-per-byte rate on the port.
NOTE
If you configure both DoS attack protection and an ACL or MAC filter, the DoS attack statistics for dropped ICMP or TCP SYN packets still increment even when the ACL or MAC filter is what denies the traffic.
Protecting against TCP SYN attacks
TCP SYN attacks exploit the process of how TCP connections are established in order to disrupt
normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN
packet to the destination host. The destination host responds with a SYN ACK packet, and the
connecting host sends back an ACK packet. This process, known as a “TCP three-way handshake”,
establishes the TCP connection.
While waiting for the connecting host to send an ACK packet, the destination host keeps track of
the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received,
information about the connection is removed from the connection queue. Usually there is not
much time between the destination host sending a SYN ACK packet and the source host sending
an ACK packet, so the connection queue clears quickly.
In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP
addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK
packet and adds information to the connection queue. However, since the source host does not
exist, no ACK packet is sent back to the destination host, and an entry remains in the connection
queue until it ages out (after around a minute). If the attacker sends enough TCP SYN packets, the
connection queue can fill up, and service can be denied to legitimate TCP connections.
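The connection-queue behaviour described above, as an added illustration that is not code from the guide or the device: a small model of a listener's half-open queue in which a SYN adds an entry, the matching ACK removes it, and entries age out after about a minute. The capacity, the 60-second age-out, the addresses and the event stream are constructed assumptions chosen to show a queue filling with never-acknowledged entries and refusing a legitimate client until the entries expire.

```python
"""Toy model of a TCP listener's half-open (SYN-received) connection queue.

Added example; not code from the configuration guide. The queue capacity,
the age-out time and all addresses below are constructed assumptions.
"""
from collections import OrderedDict

AGE_OUT_SECONDS = 60.0  # assumption: the text says "around a minute"


class HalfOpenQueue:
    """Tracks connections that were SYN ACKed but have not yet been ACKed."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        # (src_ip, src_port) -> time the SYN arrived; insertion order = arrival order
        self.pending = OrderedDict()
        self.refused = 0    # SYNs that found the queue full
        self.completed = 0  # handshakes finished by a matching ACK

    def _expire(self, now: float) -> None:
        # Oldest entries are at the front, so stop at the first one still fresh.
        while self.pending:
            _, arrived = next(iter(self.pending.items()))
            if now - arrived < AGE_OUT_SECONDS:
                break
            self.pending.popitem(last=False)

    def on_syn(self, now: float, src: tuple) -> bool:
        """Return True if the SYN was accepted (a SYN ACK would be sent)."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[src] = now
        return True

    def on_ack(self, now: float, src: tuple) -> bool:
        """Third packet of the handshake: remove the entry if still pending."""
        self._expire(now)
        if src in self.pending:
            del self.pending[src]
            self.completed += 1
            return True
        return False


def simulate(events, capacity: int = 8) -> HalfOpenQueue:
    """Replay (time, 'SYN'|'ACK', source) events and return the final queue."""
    queue = HalfOpenQueue(capacity)
    for now, kind, src in events:
        if kind == "SYN":
            queue.on_syn(now, src)
        else:
            queue.on_ack(now, src)
    return queue


def demo() -> HalfOpenQueue:
    """Constructed scenario: 10 SYNs that are never ACKed, then a real client."""
    # Constructed source addresses (TEST-NET ranges); nothing here is real traffic.
    unanswered = [(f"203.0.113.{i}", 40000 + i) for i in range(10)]
    events = [(0.1 * i, "SYN", src) for i, src in enumerate(unanswered)]
    events.append((5.0, "SYN", ("192.0.2.10", 51000)))   # legitimate client: queue full
    events.append((70.0, "SYN", ("192.0.2.10", 51001)))  # retry after the entries aged out
    events.append((70.1, "ACK", ("192.0.2.10", 51001)))  # handshake completes
    return simulate(events, capacity=8)


if __name__ == "__main__":
    q = demo()
    print(f"refused={q.refused} completed={q.completed} pending={len(q.pending)}")
```

With a capacity of 8, the first eight unanswered SYNs fill the queue, the last two and the legitimate client at 5 s are refused, and only after the entries age out at 60 s does the retry at 70 s succeed. The numbers are constructed; the point is the shape: the queue is drained by ACKs or by time, and a flood of SYNs that never produce an ACK removes the first of those two outlets.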
Protection against TCP-SYN attacks in PowerConnect devices
The TCP SYN flood attack protection is implemented in hardware on PowerConnect B-Series TI24X
devices. The protection assumes that a TCP SYN packet is 74 bytes, which covers the L2, IPv4, and
TCP headers. If the attack packets are larger than this, the TCP attack protection takes effect sooner
than the configured burst values alone would indicate.
To protect against TCP SYN attacks, you can configure the device to drop TCP SYN packets when
excessive numbers are encountered. You can set threshold values for TCP SYN packets that are
targeted at the router itself or passing through an interface, and drop them when the thresholds
are exceeded.
For example, to set threshold values for TCP SYN packets targeted at the router, enter the following
command in CONFIG mode.
PowerConnect(config)# ip tcp burst-normal 30 burst-max 100 lockup 300
To set threshold values for TCP SYN packets received on interface 11, enter the following
command.
PowerConnect(config)# int e 11
PowerConnect(config-if-e10000-11)# ip tcp burst-normal 30 burst-max 100 lockup 300
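An added model of the burst-normal / burst-max / lockup thresholds configured above, together with the 74-byte size assumption from the previous section. This is illustration code, not the device's firmware, and the semantics it gives the three parameters are an assumption: within each one-second interval, SYN packets up to burst-normal are forwarded and the excess is dropped; if the count in one interval exceeds burst-max, every SYN is dropped for lockup seconds; and the hardware meters bytes, with both thresholds derived from a 74-byte SYN, which is why larger packets reach the thresholds in fewer packets.

```python
"""Per-second SYN rate guard modelled on burst-normal / burst-max / lockup.

Added example, not code from the guide or the PowerConnect device. The
parameter semantics and the byte-based metering are assumptions made to
illustrate the guide's statement that larger-than-74-byte packets trigger
the protection faster than the configured burst values suggest.
"""
import math
from dataclasses import dataclass

ASSUMED_SYN_BYTES = 74  # L2 + IPv4 + TCP header size the guide assumes


@dataclass
class SynRateGuard:
    burst_normal: int   # SYNs per second forwarded before the excess is dropped
    burst_max: int      # SYNs per second above which all SYNs are dropped for `lockup`
    lockup: float       # seconds to drop every SYN once burst_max is exceeded
    window_start: float = 0.0
    window_bytes: int = 0
    locked_until: float = -1.0
    forwarded: int = 0
    dropped: int = 0

    @property
    def normal_bytes(self) -> int:
        # Assumption: the hardware meters bytes and derives its limit from 74-byte SYNs.
        return self.burst_normal * ASSUMED_SYN_BYTES

    @property
    def max_bytes(self) -> int:
        return self.burst_max * ASSUMED_SYN_BYTES

    def admit(self, now: float, size: int = ASSUMED_SYN_BYTES) -> bool:
        """Return True if a SYN of `size` bytes arriving at `now` is forwarded."""
        if now >= self.window_start + 1.0:      # start a fresh one-second window
            self.window_start = math.floor(now)
            self.window_bytes = 0
        if now < self.locked_until:             # still inside a lockup period
            self.dropped += 1
            return False
        self.window_bytes += size
        if self.window_bytes > self.max_bytes:  # burst-max exceeded: lock the port
            self.locked_until = now + self.lockup
            self.dropped += 1
            return False
        if self.window_bytes > self.normal_bytes:  # above burst-normal: drop the excess
            self.dropped += 1
            return False
        self.forwarded += 1
        return True


def packets_until_lockup(size: int, burst_normal: int = 30,
                         burst_max: int = 100, lockup: float = 300.0) -> int:
    """How many SYNs of `size` bytes, all within one second, trigger the lockup."""
    guard = SynRateGuard(burst_normal, burst_max, lockup)
    count = 0
    while guard.locked_until < 0 and count < 10_000:
        guard.admit(count * 0.001, size)  # constructed timestamps inside one window
        count += 1
    return count


if __name__ == "__main__":
    # With the guide's example values: 101 packets of 74 bytes, but only 51 of 148 bytes.
    for size in (74, 148):
        print(f"{size}-byte SYNs needed to trigger lockup: {packets_until_lockup(size)}")
```

Using the guide's example values (burst-normal 30, burst-max 100, lockup 300), 74-byte SYNs trip the lockup on the 101st packet in a second, while 148-byte packets do so on the 51st, which is the "takes effect faster" behaviour the text describes. During the lockup every SYN is dropped regardless of rate, and the statistics counters keep incrementing, matching the note about counters above.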