In this final post in the series, we will examine a simple way to rate limit SYN packets in order to foil SYN flood attacks.
Policing SYN Packets
To rate limit SYN packets effectively, first measure your network baseline and determine the SYN packet rate that represents your normal, acceptable connection flow. The policer can then be set just above that rate so that it only bites under attack conditions.
Examine the following access list that is configured on our network edge device:
access-list 100 deny tcp any any established
access-list 100 permit tcp any any
Notice that this access list identifies only TCP traffic that does not belong to an established connection. The first entry matches segments with the ACK or RST flag set (that is what the established keyword tests) and excludes them; everything else, which includes the initial SYN of every new connection, falls through to the permit entry. Because the list is used for classification rather than filtering, the deny entry does not drop anything; it simply keeps established traffic out of the class. This list can then be used in our policing configuration:
class-map CM_TCPSYN
 match access-group 100
!
policy-map PM_POLICE
 class CM_TCPSYN
  police 24000
!
interface serial 0/0
 service-policy output PM_POLICE
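As an added illustration that is not part of the original post, the Python script below works through the two steps just described: it reduces a constructed packet trace to per-second SYN counts (the baseline view), derives a police rate from the peak of a known-clean window, and then models the single-rate token-bucket policer that the police command implements, with conforming SYNs transmitted and excess SYNs dropped. The 60-byte SYN size, the 1500-byte burst depth, the 2.5x headroom and the trace itself are my assumptions, not values from the post; with those assumptions the baseline peak of 20 SYN/s yields the 24000 bit/s used in the configuration above.

```python
"""Added example (not from the original post): size a SYN policer from a
traffic baseline and model a single-rate token-bucket policer against it.

Assumptions (mine): a SYN packet is about 60 bytes on the wire, so a
`police 24000` (bit/s) budget admits roughly 50 SYN/s; the 1500-byte burst
and the packet trace below are constructed, not measured."""
import math
from collections import Counter

SYN_BYTES = 60          # assumed on-wire size of one SYN packet
BURST_BYTES = 1500      # assumed policer burst (token bucket depth)
US = 1_000_000          # timestamps are integer microseconds so the math is exact


def build_sample_trace():
    """Constructed trace of (time_us, flags). 'S' = SYN without ACK (a new
    connection request); 'A' = ACK-bearing packet of an established flow."""
    pkts = []
    for sec in range(10):                       # baseline: 20 new connections/s
        for i in range(20):
            t = sec * US + i * 50_000
            pkts.append((t, "S"))
            pkts.append((t + 10_000, "A"))      # handshake completes normally
    for sec in (10, 11):                        # flood: 400 SYN/s, never completed
        for i in range(400):
            pkts.append((sec * US + i * 2_500, "S"))
    return pkts


def non_established(pkts):
    """Mirror access-list 100: exclude 'established' (ACK/RST set), keep the rest."""
    return [p for p in pkts if p[1] == "S"]


def syn_per_second(pkts):
    """Per-second SYN counts: the baseline view to inspect before choosing a rate."""
    return Counter(t // US for t, _ in non_established(pkts))


def recommend_police_bps(per_sec, baseline_seconds, headroom=2.5):
    """Peak SYN/s over a known-clean window, times headroom, converted to bit/s
    so the result can be used directly as `police <bps>`."""
    peak_pps = max(per_sec.get(s, 0) for s in baseline_seconds)
    allowed_pps = math.ceil(peak_pps * headroom)
    return allowed_pps * SYN_BYTES * 8


def police(pkts, rate_bps, burst_bytes=BURST_BYTES):
    """Single-rate token bucket: conform-action transmit, exceed-action drop.
    Tokens are kept in bit-microseconds so the refill arithmetic stays integral.
    Returns (conformed, exceeded)."""
    cost = SYN_BYTES * 8 * US
    depth = burst_bytes * 8 * US
    tokens, last = depth, None
    conformed = exceeded = 0
    for t, _ in non_established(pkts):
        if last is not None:
            tokens = min(depth, tokens + (t - last) * rate_bps)
        last = t
        if tokens >= cost:
            tokens -= cost
            conformed += 1
        else:
            exceeded += 1           # dropped; no tokens consumed
    return conformed, exceeded


if __name__ == "__main__":
    trace = build_sample_trace()
    per_sec = syn_per_second(trace)
    rate = recommend_police_bps(per_sec, range(10))
    print("SYN/s by second:", dict(sorted(per_sec.items())))
    print("recommended: police", rate)
    print("conformed/exceeded:", police(trace, rate))
```

During the baseline seconds every SYN conforms because the bucket refills faster than 20 SYN/s drains it; during the 400 SYN/s burst the bucket empties after the first few dozen packets and the policer settles at about one conforming SYN in eight, which is the 50 SYN/s the rate allows. Pick the headroom from your own baseline variance rather than from this example.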
Another effective technique in this regard is to call upon the TCP Intercept feature. The TCP Intercept feature helps prevent SYN-flood type attacks by intercepting and validating TCP connection requests.
TCP Intercept operates in one of two modes. In intercept mode, the TCP Intercept feature intercepts TCP SYN packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server. If the connection attempt is legitimate, the TCP Intercept device then establishes the connection between the client and the actual server in the protected network.
The second mode is watch mode. In watch mode, the software passively watches the connection requests flowing through the router. If a connection fails to become established within a configurable interval, the software intervenes and terminates the connection attempt.
The TCP Intercept feature is configured with the following command:
ip tcp intercept list access-list-number
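As an added example that is not part of the original post, the Python model below shows the bookkeeping behind watch mode: SYNs are allowed through, each (client, server) pair is tracked as half-open until the client's ACK completes the handshake, and any pair still half-open after the watch interval is reported as terminated, which is the point at which the router would reset it. The 30-second interval, the addresses and the event trace are constructed for the example and are not IOS defaults.

```python
"""Added example (not from the original post): model TCP Intercept watch mode,
the passive mode in which SYNs pass through and any connection whose handshake
has not completed within a configurable interval is terminated.

Assumptions (mine): a 30-second watch interval (a constructed value, not the
IOS default) and the constructed event trace below."""
from dataclasses import dataclass

WATCH_TIMEOUT_S = 30


@dataclass
class Event:
    t: float        # seconds since start of the trace
    src: str
    dst: str
    flags: str      # "S" client SYN, "SA" server SYN-ACK, "A" client ACK, "R" reset


def watch_mode(events, timeout=WATCH_TIMEOUT_S):
    """Track half-open connections keyed by (client, server). A SYN opens an
    entry, the client's ACK completes it, and anything still half-open
    `timeout` seconds after its SYN is reported as terminated.
    Returns a dict with 'completed', 'terminated' and 'pending' lists."""
    half_open = {}              # (client, server) -> time of SYN
    completed, terminated = [], []

    def expire(now):
        for key, t0 in list(half_open.items()):
            if now - t0 >= timeout:
                terminated.append((key, t0))
                del half_open[key]

    for ev in sorted(events, key=lambda e: e.t):
        expire(ev.t)            # age out stale entries before handling the packet
        key = (ev.src, ev.dst)
        if ev.flags == "S":
            half_open.setdefault(key, ev.t)
        elif ev.flags == "A" and key in half_open:
            completed.append(key)
            del half_open[key]
        elif ev.flags == "R" and key in half_open:
            del half_open[key]  # client abandoned the attempt itself
        # "SA" from the server does not complete the handshake; the client's ACK does
    return {
        "completed": completed,
        "terminated": terminated,
        "pending": sorted(half_open),   # still within the watch interval
    }


def build_sample_events():
    """Constructed trace: one good client, five SYNs that are never completed,
    a second good client after the interval has elapsed, and one SYN still
    waiting when the trace ends."""
    srv = "192.0.2.10"
    ev = [Event(0.0, "10.0.0.5", srv, "S"),
          Event(0.05, srv, "10.0.0.5", "SA"),
          Event(0.1, "10.0.0.5", srv, "A")]
    for i in range(5):                          # never followed by an ACK
        ev.append(Event(1.0 + i / 10, f"203.0.113.{i + 1}", srv, "S"))
    ev += [Event(40.0, "10.0.0.6", srv, "S"),
           Event(40.2, "10.0.0.6", srv, "A"),
           Event(50.0, "10.0.0.7", srv, "S")]
    return ev


if __name__ == "__main__":
    result = watch_mode(build_sample_events())
    for name, rows in result.items():
        print(f"{name}: {rows}")
```

On this trace the two legitimate clients complete, the five unanswered SYNs are terminated once a later packet arrives more than 30 seconds after them, and the last SYN is still pending because the interval has not elapsed. In a real deployment the interval is a trade-off: too short and slow but legitimate clients get reset, too long and half-open entries accumulate during a flood.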
For more information on TCP Intercept, visit the link below.
Anthony Sequeira CCIE, CCSI