Manualshelf

Quick Reference Guide

ManualsBrandsDell ManualsComputer equipmentPowerConnect B-TI24x
1041104210431044104510461047104810491050
1008 PowerConnect B-Series TI24X Configuration Guide
53-1002269-02
Protecting against TCP SYN attacks
31
Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>
NOTE
This command is available at the global CONFIG level on both Chassis devices and Stackable
devices. On Chassis devices, this command is available at the Interface level as well. This command
is supported on Ethernet and Layer 3 ATM interfaces.
The PowerConnect B-Series TI24X device supports the following burst-normal, burst-max, and
lockup values.
The burst-normal value ranges from 30 through 16000000.
The burst-max value ranges from 30 through 16000000.
The lockup value ranges from 1 through 10000.
The number of incoming TCP SYN packets per second are measured and compared to the
threshold values as follows:
If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets
are dropped.
If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are
dropped for the number of seconds specified by the lockup value. When the lockup period
expires, the packet counter is reset and measurement is restarted.
In the example above, if the number of TCP SYN packets received per second exceeds30, the
excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100,
the device drops all TCP SYN packets for the next 300 seconds (five minutes).
Configuration notes
Consider the following statements when DoS attack protection is implemented at port level or
Virtual Interface (VE) level.
The ACL based ingress rate-limiting for TCP flow on a port is not accurate if TCP Dos attack
protection is enabled on the same port. Non-TCP flows are not affected.
TCP DoS attack protection considers packet marked as drop by port-based ingress rate
limiting. In this case, even if the port-based ingress rate-limiting reduces the packet per byte
rate, DoS attack is still detected by using actual ingress packet per byte rate on a port.
TCP security enhancement
TCP security enhancement improves upon the handling of TCP inbound segments. This
enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator
attempts to prematurely terminate an active TCP session, and a data injection attack, wherein an
attacker injects or manipulates data in a TCP connection.
In both cases, the attack is blind, meaning the perpetrator does not have visibility into the content
of the data stream between two devices, but blindly injects traffic. Also, the attacker does not see
the direct effect, the continuing communications between the devices and the impact of the
injected packet, but may see the indirect impact of a terminated or corrupted session.
The TCP security enhancement prevents and protects against the following three types of attacks:
Blind TCP reset attack using the reset (RST) bit.
Blind TCP reset attack using the synchronization (SYN) bit