Protection against various DoS attacks has increased through newer
versions of PIX Security Appliance operating systems. Beginning in version 5.2,
TCP Intercept provided for proxy resets of sessions without any knowledge or
interference from the destination station. Version 6.2 introduced SYN cookies,
which is another proxy verification tool that the PIX operating system uses to
validate a new session.
SYN flood attacks, also known as TCP flood or
half-open connection attacks, are common DoS attacks perpetrated against IP
servers. The attacker
spoofs a nonexistent source IP address and floods the target with SYN packets
pretending to come from the spoofed host. SYN packets to a host are the first
step in the three-way handshake of a TCP-type connection. Therefore, the target
responds as expected with SYN-ACK packets destined to the spoofed host or
hosts. Because these SYN-ACK packets are sent to hosts that do not exist, the
target sits and waits for the corresponding ACK packets that never show up.
This causes the target to overflow its port buffer with half-open, or
embryonic, connections and stop responding to legitimate requests.
In PIX
Security Appliance Software Version 5.2, the SYN Flood Guard feature of the
static command offers an improved mechanism for protecting
systems reachable via a static ACL from TCP SYN attacks. Previously, if an
embryonic connection limit was configured in a static
command statement, the PIX simply dropped new connection attempts once the
embryonic threshold was reached. This could allow even a modest attack to stop
the web traffic of an organization. For static command
statements without an embryonic connection limit, the PIX passes all traffic.
If the target of an attack has no or insufficient TCP SYN attack protection, as
is the case with most operating systems, the embryonic connection table
overloads and all traffic stops.
TCP Intercept
With the TCP
Intercept feature available in versions 5.2 and higher, once the optional
embryonic connection limit is reached, and until the embryonic connection count
falls below this threshold, every SYN bound for the affected server is
intercepted. For
each SYN, the PIX Security Appliance responds on behalf of the server with an
empty SYN/ACK segment. The PIX retains pertinent state information, drops the
packet, and waits for the acknowledgement from the client. If the ACK is
received, a copy of the client SYN segment is sent to the server, and the TCP
three-way handshake is performed between the PIX and the server. Only if this
three-way handshake completes will the connection be allowed to resume as
normal.
The TCP Intercept feature requires no special configuration. The
embryonic connection limits on both the static and
nat commands include the new behavior.
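The following configuration fragment is an added illustration, not taken from the original text: it shows where the embryonic connection limit that arms TCP Intercept is placed on a static and a nat statement. The interface names and addresses are constructed (RFC 5737 documentation and RFC 1918 ranges), and the limits of 100 and 50 are arbitrary values for the example.

```cisco
! static (inside_if,outside_if) global_ip local_ip netmask mask max_conns emb_limit
! max_conns 0 = unlimited; emb_limit 100 = intercept SYNs once 100 half-open
! connections exist for this host (constructed addresses)
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255 0 100

! nat (inside_if) nat_id local_net mask max_conns emb_limit
! Outbound translations for the inside network get a per-host embryonic limit of 50
nat (inside) 1 10.1.1.0 255.255.255.0 0 50
global (outside) 1 192.0.2.100-192.0.2.200
```

The last two positional values on each line are the maximum connection count and the embryonic limit; leaving the embryonic limit at 0 (or omitting it) means no limit, so the PIX passes all SYNs through to the server and TCP Intercept never engages for that translation.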
SYN Cookies
In PIX Security Appliance Software Version 6.2, SYN cookies
were introduced. The SYN cookies feature represents a less CPU-intensive method
of verifying incoming TCP sessions for validity. SYN cookies are an
implementation of TCP in which servers respond to a TCP SYN request with a
cookie. In the original TCP implementation, when a server received a SYN
packet, it responded with a SYN-ACK, and entered the half-open state to wait
for the ACK that would complete the handshake. Too many half-open connections
can result in full buffers.
In the SYN cookies implementation of TCP,
when the server receives a SYN packet, it responds with a SYN-ACK packet where
the ACK sequence number is calculated from the source address, source port,
source sequence number, destination address, destination port, and a secret
seed. Then the server releases all state. If an ACK returns from the client,
the server can recalculate it to determine if it is a response to a previous
SYN-ACK. If so, the server can directly enter the TCP_ESTABLISHED state and
open the connection. In this way, the server avoids managing a batch of
potentially useless half-open connections.
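As an added example (not part of the original text and not the PIX implementation), the following Python code models the SYN cookie scheme just described next to the classic half-open behaviour. The cookie is a keyed hash (HMAC-SHA256, truncated) over source address, source port, destination address, destination port, client sequence number and a secret seed, with a coarse time counter in the top bits so stale cookies are refused; the exact hash, bit layout and `max_age` are assumptions of this example, and all addresses, ports and the seed are constructed.

```python
import hashlib
import hmac

# Constructed per-boot secret seed (assumption: a real stack would rotate it).
SECRET_SEED = b"constructed-example-seed"
MASK32 = 0xFFFFFFFF


def _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit keyed hash over the four-tuple, the client ISN and the time counter."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{counter}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """Server ISN for the SYN-ACK: top 8 bits carry the counter, low 24 bits the MAC."""
    return ((counter & 0xFF) << 24) | _cookie_mac(
        secret, src_ip, src_port, dst_ip, dst_port, client_isn, counter)


def check_cookie(secret, src_ip, src_port, dst_ip, dst_port, client_isn,
                 ack_num, now_counter, max_age=2):
    """Recompute the cookie from a final ACK and decide whether it answers our SYN-ACK."""
    cookie = (ack_num - 1) & MASK32            # the client acknowledges our ISN + 1
    counter = cookie >> 24
    if (now_counter - counter) & 0xFF > max_age:  # stale cookie: refuse it
        return False
    expected = _cookie_mac(secret, src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))


class ClassicServer:
    """Original TCP behaviour: every SYN allocates a half-open entry until the backlog is full."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}

    def on_syn(self, src_ip, src_port, client_isn):
        if len(self.half_open) >= self.backlog:
            return None                         # backlog full: legitimate SYNs are dropped
        self.half_open[(src_ip, src_port)] = client_isn
        return {"flags": "SYN-ACK", "seq": 0x1000, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, seq, ack):
        return self.half_open.pop((src_ip, src_port), None) is not None


class SynCookieServer:
    """SYN cookie behaviour: answer the SYN, release all state, verify the ACK by recomputation."""

    def __init__(self, ip, port, secret=SECRET_SEED):
        self.ip, self.port, self.secret = ip, port, secret
        self.counter = 0          # coarse clock, e.g. minutes since boot
        self.half_open = {}       # never written: nothing is kept between SYN and ACK
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        cookie = make_cookie(self.secret, src_ip, src_port, self.ip, self.port,
                             client_isn, self.counter)
        return {"flags": "SYN-ACK", "seq": cookie, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, seq, ack):
        client_isn = (seq - 1) & MASK32        # final ACK carries client ISN + 1
        ok = check_cookie(self.secret, src_ip, src_port, self.ip, self.port,
                          client_isn, ack, self.counter)
        if ok:
            self.established.add((src_ip, src_port))   # directly TCP_ESTABLISHED
        return ok


def legitimate_handshake(server, src_ip="198.51.100.7", src_port=40001, client_isn=123456):
    """Full three-way handshake from a real (constructed) client; True if established."""
    synack = server.on_syn(src_ip, src_port, client_isn)
    if synack is None:
        return False
    return server.on_ack(src_ip, src_port, synack["ack"], (synack["seq"] + 1) & MASK32)


def spoofed_syn_flood(server, n=10000):
    """SYNs from nonexistent sources that never answer; returns the half-open count left behind."""
    for i in range(n):
        server.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + (i % 60000), (i * 7919) & MASK32)
    return len(server.half_open)


def forged_ack(server, src_ip="198.51.100.9", src_port=40002):
    """An ACK with a guessed acknowledgement number does not decode to a valid cookie."""
    return server.on_ack(src_ip, src_port, 1, 0xDEADBEEF)


if __name__ == "__main__":
    classic, cookies = ClassicServer(backlog=128), SynCookieServer("192.0.2.10", 80)
    print("classic: half-open after flood =", spoofed_syn_flood(classic),
          "legit handshake ok =", legitimate_handshake(classic))
    print("cookies: half-open after flood =", spoofed_syn_flood(cookies),
          "legit handshake ok =", legitimate_handshake(cookies))
```

Running it shows the contrast the text describes: the classic server's backlog fills with 128 half-open entries and then drops a legitimate client, while the cookie server holds no half-open state at all, still completes a genuine handshake, and rejects both a forged acknowledgement and a cookie that has aged past `max_age`. The counter check is what lets a stateless responder expire cookies without ever storing them.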
The PIX
Security Appliance, rather than the protected server, can respond using SYN
cookies. This feature replaces TCP Intercept. It is more scalable in terms of
performance.