Ruijie RG-S2900G-E Series - Page 635

Configuration Guide DoS Protection Configuration
DoS Protection Configuration
Overview
The DoS protection function can defend against Land attacks and invalid TCP
message attacks.
Land attack
The attacker sends a SYN packet to the destination host with the source
address/port set to the same values as the destination address/port. The attacked
host then attempts to establish a TCP connection with itself (an infinite loop),
which causes a system crash.
Invalid TCP message attack
The header of a TCP message contains several flag fields:
1. SYN: Connection flag. A TCP SYN message sets this flag to 1 in order to request
a connection.
2. ACK: Acknowledgment flag. In a TCP connection, every message except the first
(TCP SYN) sets this flag to acknowledge the previous message.
3. FIN: Finish flag. When a host receives a TCP message with the FIN flag set, it
terminates this TCP connection.
4. RST: Reset flag. When the IP protocol stack receives a TCP message addressed to
a nonexistent target port, it replies with a message that has the RST flag set.
5. PSH: Notifies the protocol stack to push TCP data up to the upper-layer program
as soon as possible.
An invalid TCP message attack consumes host resources and leads to a system crash
by setting invalid flag fields. The following are some frequently found invalid
TCP messages:
1. TCP message with both the SYN bit and the FIN bit set
Under normal conditions, the SYN flag (connection request flag) and the FIN flag
(connection termination flag) cannot exist in the same TCP message, and the RFC
does not stipulate how the IP protocol stack shall deal with such a malformed
message. The protocol stacks of different operating systems therefore handle such
a message in different ways. By utilizing this feature, the attacker sends a
message with both the SYN flag and the FIN flag set to identify the type of
operating system, and then initiates further attacks against the target operating
system.
2. TCP message with no flag
Under normal conditions, any TCP message will contain at least one of SYN, FIN,
ACK, RST and PSH flags. The first TCP message (TCP connection request
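
The three conditions described in this section (Land, SYN together with FIN, and no flag) written as a check over raw IPv4/TCP headers, for use when reviewing captured traffic. This is an added example, not code from the Ruijie manual or the switch; the function names, result labels and sample packets (built with documentation-range addresses) are constructed for illustration.

```python
import socket
import struct

IPPROTO_TCP = 6
# Flag bits in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def classify(packet: bytes) -> list[str]:
    """Return the findings for one raw IPv4 packet (empty list = clean)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["not-ipv4"]
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ihl < 20 or packet[9] != IPPROTO_TCP:
        return ["not-tcp"]
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return ["fragment"]                      # non-first fragment: no TCP header
    if len(packet) < ihl + 20:
        return ["truncated-tcp-header"]
    src_ip, dst_ip = packet[12:16], packet[16:20]
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    findings = []
    # Land: SYN whose source address/port equals the destination address/port
    if flags & SYN and src_ip == dst_ip and src_port == dst_port:
        findings.append("land")
    # SYN and FIN can never legitimately appear in the same segment
    if flags & SYN and flags & FIN:
        findings.append("syn+fin")
    # None of the five flags listed in this section is set
    if not flags & (SYN | FIN | ACK | RST | PSH):
        findings.append("no-flag")
    return findings


def build(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed 40-byte IPv4+TCP test packet (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for name, pkt in [("normal SYN", build("192.0.2.10", "192.0.2.20", 40000, 80, SYN)),
                      ("land", build("192.0.2.20", "192.0.2.20", 80, 80, SYN)),
                      ("SYN+FIN", build("192.0.2.10", "192.0.2.20", 40000, 80, SYN | FIN)),
                      ("no flag", build("192.0.2.10", "192.0.2.20", 40000, 80, 0))]:
        print(f"{name:12} -> {classify(pkt) or 'clean'}")
```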
