FastIron Configuration Guide, 53-1002494-02
TCP SYN attacks
TCP security enhancement
TCP security enhancement improves the handling of inbound TCP segments. It eliminates or
minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to prematurely
terminate an active TCP session, and of a data injection attack, in which an attacker injects or
manipulates data in an established TCP connection.
In both cases the attack is blind: the perpetrator cannot see the data stream between the two
devices and must guess the connection's sequence numbers, so the attack consists of injecting
forged segments. The attacker also does not see the direct effect (the continuing communication
between the devices and how the injected segment is handled) but may observe the indirect
impact of a terminated or corrupted session.
The TCP security enhancement prevents and protects against the following three types of attacks:
• Blind TCP reset attack using the reset (RST) bit
• Blind TCP reset attack using the synchronization (SYN) bit
• Blind TCP packet injection attack
The TCP security enhancement is automatically enabled.
Protecting against a blind TCP reset attack using the RST bit
In a blind TCP reset attack using the RST bit, a perpetrator sends forged segments with the RST
bit set, guessing sequence numbers in the hope that one falls within the receiver's window and
prematurely terminates an active TCP session.
To prevent an attacker from using the RST bit to reset a TCP connection, inbound segments with
the RST bit set are subject to the following rules:
• If the RST bit is set and the sequence number is outside the expected window, the Brocade
device silently drops the segment.
• If the RST bit is set and the sequence number exactly matches the next expected sequence
number, the Brocade device resets the connection.
• If the RST bit is set and the sequence number does not exactly match the next expected
sequence number but is within the acceptable window, the Brocade device does not reset the
connection; instead it sends an acknowledgement (ACK) to the peer. An attacker therefore has to
guess the single exact value rather than any of the values in the window.
Protecting against a blind TCP reset attack using the SYN bit
In a blind TCP reset attack using the SYN bit, a perpetrator sends forged segments with the SYN
bit set into an established connection, guessing sequence numbers in the hope that the receiver
treats the unexpected SYN as an error and tears down the active TCP session.
To prevent an attacker from using the SYN bit to tear down a TCP connection, in current software
releases inbound segments with the SYN bit set are subject to the following rules. In none of the
three cases is the connection reset:
• If the SYN bit is set and the sequence number is outside the expected window, the Brocade
device sends an acknowledgement (ACK) back to the peer.
• If the SYN bit is set and the sequence number exactly matches the next expected sequence
number, the Brocade device sends an ACK segment to the peer. Before sending the ACK
segment, the software subtracts one from the value being acknowledged.
• If the SYN bit is set and the sequence number does not exactly match the next expected
sequence number but is within the acceptable window, the Brocade device sends an ACK
segment to the peer.