Brocade Communications Systems 6650 TCP SYN attacks

Brocade ICX 6650 Security Configuration Guide 269

53-1002601-01

TCP SYN attacks

Syntax: ip icmp burst-normal value burst-max value lockup seconds

The burst-normal value parameter can be from 1 through 100,000 packets per second.

The burst-max value parameter can be from 1 through 100,000 packets per second.

The lockup value parameter can be from 1 through 10,000 seconds.

This command is supported on Ethernet and Layer 3 interfaces.

The number of incoming ICMP packets per second is measured and compared to the threshold

values as follows:

•If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are

dropped.

•If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for

the number of seconds specified by the lockup value. When the lockup period expires, the

packet counter is reset and measurement is restarted.

In the example, if the number of ICMP packets received per second exceeds 5,000, the excess

packets are dropped. If the number of ICMP packets received per second exceeds 10,000, the

device drops all ICMP packets for the next 300 seconds (5 minutes).

TCP SYN attacks

TCP SYN attacks exploit the process of how TCP connections are established to disrupt normal

traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet to the

destination host. The destination host responds with a SYN ACK packet, and the connecting host

sends back an ACK packet. This process, known as a “TCP three-way handshake,” establishes the

TCP connect ion.

While waiting for the connecting host to send an ACK packet, the destination host keeps track of

the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received,

information about the connection is removed from the connection queue. Usually there is not much

time between the destination host sending a SYN ACK packet and the source host sending an ACK

packet, so the connection queue clears quickly.

In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP

addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK

packet and adds information to the connection queue. However, because the source host does not

exist, no ACK packet is sent back to the destination host, and an entry remains in the connection

queue until it ages out (after approximately a minute). If the attacker sends enough TCP SYN

packets, the connection queue can fill up, and service can be denied to legitimate TCP

connections.

To protect against TCP SYN attacks, you can configure the Brocade device to drop TCP SYN packets

when excessive numbers are encountered. You can set threshold values for TCP SYN packets that

are targeted at the router itself or passing through an interface, and drop them when the

thresholds are exceeded.

For example, to set threshold values for TCP SYN packets targeted at the router, enter the following

command in global CONFIG mode.

Brocade(config)# ip tcp burst-normal 10 burst-max 100 lockup 300

To set threshold values for TCP SYN packets received on interface 1/1/3, enter the following

commands.