Manualshelf

Quick Reference Guide

ManualsBrandsDell ManualsComputer equipmentPowerConnect B-TI24x
1041104210431044104510461047104810491050
PowerConnect B-Series TI24X Configuration Guide 1009
53-1002269-02
Protecting against TCP SYN attacks
31
Blind TCP packet injection attack
The TCP security enhancement is automatically enabled.
Protecting against a blind TCP reset attack using the RST bit
In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST segments in
order to prematurely terminate an active TCP session.
To prevent a user from using the RST bit to reset a TCP connection, the RST bit is subject to the
following rules when receiving TCP segments:
If the RST bit is set and the sequence number is outside the expected window, the device
silently drops the segment.
If the RST bit is exactly the next expected sequence number, the device resets the connection.
If the RST bit is set and the sequence number does not exactly match the next expected
sequence value, but is within the acceptable window, the device sends an acknowledgement.
Protecting against a blind TCP reset attack using the SYN bit
In a blind TCP reset attack, a perpetrator attempts to guess the SYN bits to prematurely terminate
an active TCP session.
To prevent a user from using the SYN bit to tear down a TCP connection, the SYN bit is subject to
the following rules when receiving TCP segments:
If the SYN bit is set and the sequence number is outside the expected window, the device
sends an acknowledgement (ACK) back to the peer.
If the SYN bit is set and the sequence number is an exact match to the next expected
sequence, the device sends an ACK segment to the peer. Before sending the ACK segment,
the software subtracts one from the value being acknowledged.
If the SYN bit is set and the sequence number is acceptable, the device sends an
acknowledgement (ACK) segment to the peer.
Protecting against a blind injection attack
In a blind TCP injection attack, a perpetrator tries to inject or manipulate data in a TCP connection.
To reduce the chances of a blind injection attack, an additional check on all incoming TCP
segments is performed.
Displaying statistics about packets dropped
because of DoS attacks
To display information about ICMP and TCP SYN packets dropped because burst thresholds were
exceeded,enter the following command.