TMS zl Management and Configuration Guide ST.1.0.090213
4-95
Firewall
Attack Checking
The optimal sequence range is the product of these two elements. A correctly
sized range allows data to be sent continuously (without the sender stopping
to wait for acknowledgment) while enabling fast recovery times for lost data.
After you select the Sequence Number Out of Range check box, configure the
following:
■ In the Range field, type a number between 1 and 65535. The larger the TCP
window size, the larger the range of sequence numbers that will be
accepted. As a result, a large TCP window size is more susceptible to
sequence number prediction and session hijacking.
■ In the RST Range field, type a number between 1 and 65535. This value
controls how far outside of the TCP window the packets are allowed to be.
Select or clear the Drop packets outside the range check box as desired.
Pre-Connection ACK
In the ACK scan, the attacker sends an ACK packet to a port without having
first sent a SYN packet. This is an attempt to get packets through a packet-
filtering firewall (which blocks SYN packets only). If the target device sends
an RST return message, that indicates an unfiltered port, whereas a Destination
Unreachable message (or no response) indicates that the port is filtered. An
ACK scan is generally used in conjunction with a SYN attack to determine
which ports are open, which applications they support, and if they are filtered.
This scan does not have any immediate repercussions on network performance;
it only allows the attacker to get information about your network.
By default, the firewall on the TMS zl Module blocks ACK packets that are not
preceded by a valid SYN and SYN+ACK. However, there are some cases in which
you would want to require the module to send an RST message in response to
an ACK packet.
Some servers send an ACK packet rather than a SYN+ACK packet when they
receive a SYN packet. For example, if a client reboots in the middle of an active
connection with the server, the server will keep the active connection open
for the connection’s five-tuple (Layer 4 protocol, client IP address, client port,
server IP address, server port). When the client reboots, it sends a SYN packet
with the same source port as before, and the server sends an ACK packet
instead of SYN+ACK.
If the Pre-Connection ACK check is enabled on the TMS zl Module, the firewall
responds to this ACK packet by sending an RST packet. If the check is not
enabled, the packet is dropped. In both cases, a log entry is generated.
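The following is an added illustration, not code from the TMS zl guide or the module's firmware: a minimal connection tracker that models the Pre-Connection ACK check for both cases described above (the unsolicited ACK of an ACK scan, and a server answering a rebooted client's SYN with a bare ACK). The packet model, host addresses, ports and trace are constructed for the demonstration; the three actions `forward`, `drop` and `rst` are assumed names.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Packet = namedtuple("Packet", "src sport dst dport flags")  # constructed packet model

def fwd(p):  # five-tuple in the direction the packet travels
    return ("tcp", p.src, p.sport, p.dst, p.dport)

def rev(p):  # the same connection as seen from the other side
    return ("tcp", p.dst, p.dport, p.src, p.sport)

@dataclass
class ConnTracker:
    preconn_ack_check: bool  # True: answer a stray ACK with RST; False: drop it
    half_open: set = field(default_factory=set)    # SYN seen, no SYN+ACK yet
    established: set = field(default_factory=set)  # SYN and SYN+ACK both seen
    log: list = field(default_factory=list)

    def handle(self, p: Packet) -> str:
        """Return 'forward', 'drop' or 'rst' for one packet."""
        k, r = fwd(p), rev(p)
        if p.flags == {"SYN"}:
            self.established.discard(k)  # a new SYN restarts the connection
            self.half_open.add(k)
            return "forward"
        if p.flags == {"SYN", "ACK"} and r in self.half_open:
            self.half_open.discard(r)
            self.established.add(r)
            return "forward"
        if "ACK" in p.flags and (k in self.established or r in self.established):
            return "forward"
        if "ACK" in p.flags:
            # No valid SYN and SYN+ACK precede this ACK: log it, then RST or drop.
            action = "rst" if self.preconn_ack_check else "drop"
            self.log.append(f"pre-connection ACK {p.src}:{p.sport}->{p.dst}:{p.dport}: {action}")
            return action
        return "drop"  # anything else without tracked state

def run_trace(preconn_ack_check: bool) -> list:
    """Constructed trace: handshake, data, client reboot, bare ACK from server, ACK probe."""
    c, s = ("10.0.0.5", 40000), ("10.0.0.9", 80)
    pkt = lambda a, b, *f: Packet(a[0], a[1], b[0], b[1], frozenset(f))
    trace = [pkt(c, s, "SYN"), pkt(s, c, "SYN", "ACK"), pkt(c, s, "ACK"),
             pkt(s, c, "ACK", "PSH"),
             pkt(c, s, "SYN"),                    # client rebooted, reuses port 40000
             pkt(s, c, "ACK"),                    # server answers with ACK, not SYN+ACK
             pkt(("192.0.2.7", 5555), s, "ACK")]  # unsolicited ACK, as in an ACK scan
    fw = ConnTracker(preconn_ack_check)
    return [fw.handle(p) for p in trace]
```

With the check enabled the last two packets yield `rst`; with it disabled they yield `drop`, and a log entry is written either way.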