Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
Chapter 4 Configuring TCP/IP Normalization and IP Reassembly Parameters
OL-16202-01

Configuring Interface Normalization Parameters

To reenable ICMP security checks, enter:
host1/C1(config-if)# icmp-guard

Configuring SYN-Cookie Denial-of-Service Protection

This section describes the SYN cookie feature that the ACE uses to protect itself
and devices in the data center from Denial of Service (DoS) attacks. It covers the
following topics:
• Overview of SYN Cookie DoS Protection
• Configuration and Operational Considerations
• Configuring SYN Cookie DoS Protection on an Interface

Overview of SYN Cookie DoS Protection
Occasionally, a TCP three-way handshake (SYN, SYN-ACK, ACK) may not
complete for some reason. These incomplete or half-open connections are known
as embryonic connections. Such occurrences are normal if the frequency is low.
However, a large number of embryonic connections could indicate a DoS attack
(SYN flood attack) by a hacker.
A SYN flood attack is characterized by a large number of SYNs sent to a server
or other host from one or more hosts with source IP addresses that are invalid and
unreachable. Such an attack causes half-open connections on the target host that
must time out before the host can service other connection requests. When
multiple hosts in different networks are used to attack a server or other host, the
attack is known as a Distributed Denial of Service (DDoS). The goal of the
attacker is to overwhelm the target host, consume its resources, and cause it to
deny service to legitimate connection requests.
The ACE allows you to protect it and the servers and other hosts in the data center
from SYN flood attacks by configuring SYN-cookie-based DoS protection for
TCP connections. You configure an embryonic connection threshold, beyond
which the ACE applies SYN cookie protection.
When the configured embryonic connection threshold is reached, the ACE
intercepts the next SYN packet from a client. The ACE responds to the SYN with
a SYN-ACK using a sequence number that is the actual SYN cookie value. The
SYN cookie consists of the following:
• A 32-bit timer that increases every 64 seconds.
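The following is an added illustration, not Cisco code and not the ACE's actual cookie format: a toy listener that keeps normal half-open state until the embryonic threshold is reached, then answers further SYNs with a cookie-derived sequence number and validates the returning ACK statelessly. The cookie layout (a 5-bit timer field in the top bits plus a keyed hash, with a 64-second timer period as stated above) and the hypothetical `SynCookieGuard` class are assumptions for the example.

```python
import hmac, hashlib, time

COOKIE_PERIOD = 64  # seconds per timer tick, as the text states

class SynCookieGuard:
    """Toy model of threshold-triggered SYN-cookie protection (assumed layout)."""
    def __init__(self, threshold, secret, now=None):
        self.threshold = threshold          # embryonic-connection threshold
        self.secret = secret                # key for the cookie hash
        self.now = now if now is not None else time.time
        self.half_open = set()              # embryonic flows: (src, sport, dst, dport)
        self.cookies_sent = 0

    def _timer(self):
        return int(self.now()) // COOKIE_PERIOD

    def _cookie(self, flow, t):
        # Assumed layout: top 5 bits carry the timer (t mod 32), low 27 bits a keyed hash.
        msg = "%s|%d|%s|%d|%d" % (*flow, t)
        h = hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()
        digest = int.from_bytes(h[:4], "big") & 0x07FFFFFF
        return ((t & 0x1F) << 27) | digest

    def on_syn(self, flow):
        """Below threshold: keep state. At threshold: reply with a cookie, keep nothing."""
        if len(self.half_open) < self.threshold:
            self.half_open.add(flow)
            return ("stateful", 0)          # normal handshake; ISN choice not modelled
        self.cookies_sent += 1
        return ("cookie", self._cookie(flow, self._timer()))

    def on_ack(self, flow, ack):
        """Accept a stateful flow's ACK, or a cookie ACK from the current or previous period."""
        if flow in self.half_open:
            self.half_open.discard(flow)
            return True
        seq = (ack - 1) & 0xFFFFFFFF        # client acknowledges our ISN + 1
        t_now = self._timer()
        for t in (t_now, t_now - 1):
            if (seq >> 27) == (t & 0x1F) and self._cookie(flow, t) == seq:
                return True
        return False
```

Once the threshold is crossed, no memory is spent per SYN; a spoofed source never returns a valid ACK, so it never consumes a connection slot.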