Configure Attack Guards on the PIX Security Appliance
SYN Flood Guard

Protection against various DoS attacks has increased through newer versions of PIX Security Appliance operating systems. Beginning in version 5.2, TCP Intercept provided for proxy resets of sessions without any knowledge or interference from the destination station. Version 6.2 introduced SYN cookies, which is another proxy verification tool that the PIX operating system uses to validate a new session.

SYN flood attacks, also known as TCP flood or half-open connection attacks, are common DoS attacks perpetrated against IP servers. The attacker spoofs a nonexistent source IP address and floods the target with SYN packets pretending to come from the spoofed host. SYN packets to a host are the first step in the three-way handshake of a TCP-type connection. Therefore, the target responds as expected with SYN-ACK packets destined to the spoofed host or hosts. Because these SYN-ACK packets are sent to hosts that do not exist, the target sits and waits for the corresponding ACK packets that never show up. This causes the target to overflow its port buffer with half-open, or embryonic, connections and stop responding to legitimate requests.

In PIX Security Appliance Software Version 5.2, the SYN Flood Guard feature of the static command offers an improved mechanism for protecting systems reachable via a static ACL from TCP SYN attacks. Previously, if an embryonic connection limit was configured in a static command statement, the PIX simply dropped new connection attempts once the embryonic threshold was reached. This could allow even a modest attack to stop the web traffic of an organization. For static command statements without an embryonic connection limit, the PIX passes all traffic. If the target of an attack has no TCP SYN attack protection or insufficient protection, like most operating systems, the embryonic connection table overloads and all traffic stops.

TCP Intercept
With the TCP Intercept feature available in versions 5.2 and higher, once the optional embryonic connection limit is reached, and until the embryonic connection count falls below this threshold, every SYN bound for the affected server is intercepted. For each SYN, the PIX Security Appliance responds on behalf of the server with an empty SYN/ACK segment. The PIX retains pertinent state information, drops the packet, and waits for the acknowledgement from the client. If the ACK is received, a copy of the client SYN segment is sent to the server, and the TCP three-way handshake is performed between the PIX and the server. Only if this three-way handshake completes will the connection be allowed to resume as normal.

The TCP Intercept feature requires no special configuration. The embryonic connection limits on both the static and nat commands include the new behavior.

SYN Cookies
In PIX Security Appliance Software Version 6.2, SYN cookies were introduced. The SYN cookies feature represents a less CPU-intensive method of verifying incoming TCP sessions for validity. SYN cookies are an implementation of TCP in which servers respond to a TCP SYN request with a cookie. In the original TCP implementation, when a server received a SYN packet, it responded with a SYN-ACK, and entered the half-open state to wait for the ACK that would complete the handshake. Too many half-open connections can result in full buffers.

In the SYN cookies implementation of TCP, when the server receives a SYN packet, it responds with a SYN-ACK packet where the ACK sequence number is calculated from the source address, source port, source sequence number, destination address, destination port, and a secret seed. Then the server releases all state. If an ACK returns from the client, the server can recalculate it to determine if it is a response to a previous SYN-ACK. If so, the server can directly enter the TCP_ESTABLISHED state and open the connection. In this way, the server avoids managing a batch of potentially useless half-open connections.
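The following is an added example, not PIX code or any vendor's implementation, that models the SYN cookie computation just described: the SYN-ACK's sequence number is a keyed hash of the source address, source port, client sequence number, destination address, destination port and a secret seed, and the returning ACK is validated by recomputing that hash with nothing but the fields carried in the ACK itself. The seed value, the example addresses and the coarse time slot in the top 8 bits (added here so an old cookie cannot be replayed indefinitely) are assumptions for the demo.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo seed: a real implementation generates and rotates this secret.
SECRET_SEED = b"constructed-demo-seed"
MASK32 = 0xFFFFFFFF


def _keyed_hash(seed, src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """HMAC over the fields the text lists (4-tuple + client ISN) plus the
    time slot; the secret seed is what makes the cookie unforgeable."""
    msg = (ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
           + ipaddress.ip_address(dst_ip).packed + dst_port.to_bytes(2, "big")
           + client_isn.to_bytes(4, "big") + slot.to_bytes(1, "big"))
    return int.from_bytes(hmac.new(seed, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(seed, src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Server ISN for the SYN-ACK: top 8 bits = coarse time slot (assumed
    extension), low 24 bits = keyed hash. No per-connection state is kept."""
    slot &= 0xFF
    h = _keyed_hash(seed, src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return (slot << 24) | (h & 0x00FFFFFF)


def check_ack(seed, src_ip, src_port, dst_ip, dst_port, ack_seq, ack_num,
              now_slot, max_age=1):
    """Recompute the cookie from the ACK alone. ack_seq is the client's
    sequence number (its ISN + 1); ack_num acknowledges our cookie (cookie + 1).
    Returns True only for an ACK completing a handshake we actually offered."""
    cookie = (ack_num - 1) & MASK32
    client_isn = (ack_seq - 1) & MASK32
    slot = cookie >> 24
    if ((now_slot - slot) & 0xFF) > max_age:
        return False  # slot too old (or in the future): stale or forged
    expected = make_cookie(seed, src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:80
    isn = 1000
    cookie = make_cookie(SECRET_SEED, "198.51.100.7", 40000, "203.0.113.10", 80, isn, 5)
    good = check_ack(SECRET_SEED, "198.51.100.7", 40000, "203.0.113.10", 80,
                     isn + 1, (cookie + 1) & MASK32, 5)
    forged = check_ack(SECRET_SEED, "198.51.100.7", 40000, "203.0.113.10", 80,
                       isn + 1, 0xDEADBEEF, 5)
    print(f"cookie=0x{cookie:08x} legit accepted={good} forged accepted={forged}")
```

Because validation needs only the ACK's own header fields and the seed, a flood of SYNs from nonexistent hosts costs the responder one hash per packet and no table entry, which is the property the text credits for the lower CPU and memory cost.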

The PIX Security Appliance, rather than the protected server, can respond using SYN cookies. This feature replaces TCP Intercept and scales better in terms of performance.