Support User Manuals

Dell FCX624-I Laptop User Manual

Open as PDF

of 1494

PowerConnect B-Series FCX Configuration Guide 1343

53-1002266-01

Protecting against TCP SYN attacks

38

• Blind TCP reset attack using the synchronization (SYN) bit

• Blind TCP packet injection attack

The TCP security enhancement is automatically enabled.

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the RST bits to

prematurely terminate an active TCP session.

To prevent a user from using the RST bit to reset a TCP connection, the RST bit is subject to the

following rules when receiving TCP segments:

• If the RST bit is set and the sequence number is outside the expected window, the Dell

PowerConnect device silently drops the segment.

• If the RST bit is exactly the next expected sequence number, the Dell PowerConnect device

resets the connection.

• If the RST bit is set and the sequence number does not exactly match the next expected

sequence value, but is within the acceptable window, the Dell PowerConnect device sends an

acknowledgement.

Protecting against a blind TCP reset attack using the SYN bit

In a blind TCP reset attack using the SYN bit, a perpetrator attempts to guess the SYN bits to

prematurely terminate an active TCP session.

To prevent a user from using the SYN bit to tear down a TCP connection, in current software

releases, the SYN bit is subject to the following rules when receiving TCP segments:

• If the SYN bit is set and the sequence number is outside the expected window, the Dell

PowerConnect device sends an acknowledgement (ACK) back to the peer.

• If the SYN bit is set and the sequence number is an exact match to the next expected

sequence, the Dell PowerConnect device sends an ACK segment to the peer. Before sending

the ACK segment, the software subtracts one from the value being acknowledged.

• If the SYN bit is set and the sequence number is acceptable, the Dell PowerConnect device

sends an acknowledgement (ACK) segment to the peer.

Protecting against a blind injection attack

In a blind TCP injection attack, a perpetrator tries to inject or manipulate data in a TCP connection.

To reduce the chances of a blind injection attack, an additional check on all incoming TCP

segments is performed.

Displaying statistics about packets dropped

because of DoS attacks

To display information about ICMP and TCP SYN packets dropped because burst thresholds were

exceeded, enter the following command.

previous next