

In order to establish a TCP connection, the TCP three-way handshake must be completed. TCP session requests (SYN packets) are NOT immediately forwarded to the target address even if the session is allowed by the rule set. The firewall rather establishes a complete TCP handshake with the requesting source first, assuring that the requestor is authentic (no IP spoofing) and really intends to establish a TCP session. Only after a complete TCP handshake is established is the handshake with the target processed and traffic forwarded to the target address.

To guard against DoS/DDoS attacks, configure the maximum number of new sessions and the allowed total number of sessions from a single source (Max. Number of Sessions per Source) to protect against resource exhaustion of the Barracuda CloudGen Firewall. These settings are also configured on a per-rule basis.

TCP SYN Flooding Attacks and Countermeasures

This example shows how the outbound and inbound accept policies handle TCP connections and which policy to use:

Figure: Outgoing TCP Connection with Outbound Accept Policy Enabled

The main characteristic of the outbound policy is that the client only receives an ACK when the requested server is really up. This is important for many applications, such as a browser when it tries to connect to a server with many IP addresses for the same hostname (DNS round robin). The browser tries to connect to the first IP address it receives from the DNS server, and, if it is not successful, it tries the next one and so on. It is therefore fatal if the firewall sends an ACK to the client when the server cannot be reached, because then the browser never gets the chance to try the other IP addresses. If you use this outbound TCP accept policy in a firewall rule forwarding traffic to an internal server, you open yourself up to a simple attack:

Figure: A simple SYN flooding attack with faked IP addresses on a firewall with the outbound accept policy

Step 1 – The unfriendly host fakes its IP address and gives itself an address which is already in use in another network.
Step 2 – It then sends as many SYN packets as possible to the protected server.
Step 3 – The firewall simply lets the SYN packets pass through, using up its own and the protected server's resources. The SYN-ACKs are sent to the fake IP address, which does not answer, keeping the connection in a pending state until it times out.
Step 4 – After a certain number of unanswered SYN-ACKs, the firewall recognizes the unfriendly activity and no longer accepts SYNs from the (faked) source IP address.

If the unfriendly host can change its IP address quickly enough, it can do this very often without a chance for the firewall to differentiate between the attack and ordinary requests.

The outbound policy tells the firewall to complete the connection with the server first (verifying it is up) and then complete the connection to the client. In this case, the server eventually exhausts its resources by creating TCP connections for the fake requests. The solution to the problem is to set the Accept Policy of the rule to Inbound. This means the firewall first returns a SYN-ACK to the client's source IP address, thus verifying its real wish for a connection. Only if the connection is completed by an ACK packet does the firewall finish building up the TCP connection to the protected server. If the source IP address is fake, the ACK packet never arrives and the firewall does not initiate the TCP connection to the protected server.

Figure: Incoming TCP Connection with Inbound Accept Policy Enabled

Figure: The same TCP SYN flooding attack on a server using the inbound accept policy

The server does not even notice that a TCP SYN flooding attack has been launched and can continue to use its resources for valid requests, while the firewall deals with the TCP SYN flood attack. The firewall does not have to use a lot of resources, because a SYN request matching a rule with inbound policy is neither logged nor appears in real-time status or in the access cache until it is categorized as a valid TCP connection. To further protect the server, you can assign limits to the total number of sessions and the maximum number of sessions coming from one source.
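The difference between the two accept policies under a spoofed SYN flood, as an added simulation that is not Barracuda code: the model firewall below answers the client itself under the inbound policy and only opens the server-side connection once the client's ACK arrives, while under the outbound policy every SYN immediately costs a server-side connection. The per-source limit of 3, the source addresses and the traffic mix are constructed values for the example.

```python
from collections import defaultdict


class AcceptPolicyFirewall:
    """Toy model of a forwarding rule's TCP accept policy (assumed behaviour, not product code)."""

    def __init__(self, policy, max_sessions_per_source=3):
        assert policy in ("inbound", "outbound")
        self.policy = policy
        self.limit = max_sessions_per_source  # "Max. Number of Sessions per Source", assumed value
        self.pending = {}                     # (src, sport) -> half-open handshake with the client
        self.server_sessions = []             # connections the firewall opened to the server
        self.per_source = defaultdict(int)
        self.dropped = []

    def handle(self, src, sport, flags):
        """Process one client packet and return the firewall's action."""
        key = (src, sport)
        if flags == "SYN":
            if self.per_source[src] >= self.limit:
                self.dropped.append(key)      # per-source session limit reached
                return "DROP"
            if self.policy == "outbound":
                # Outbound: the server-side handshake is done first, so even a
                # spoofed SYN consumes a connection on the protected server.
                self.server_sessions.append(key)
                self.per_source[src] += 1
                return "SYN-ACK"
            # Inbound: reply SYN-ACK to the claimed source; nothing reaches the server yet.
            self.pending[key] = "SYN-RECEIVED"
            return "SYN-ACK"
        if flags == "ACK" and self.pending.pop(key, None) == "SYN-RECEIVED":
            # The source really answered, so now build the connection to the server.
            self.server_sessions.append(key)
            self.per_source[src] += 1
            return "CONNECT-SERVER"
        return "IGNORE"

    def expire_pending(self):
        """Time out half-open handshakes whose ACK never came; returns how many."""
        n = len(self.pending)
        self.pending.clear()
        return n


def run_flood(policy):
    """Constructed traffic: five SYNs from a spoofed source that never ACKs, then one real client."""
    fw = AcceptPolicyFirewall(policy)
    for sport in range(50000, 50005):
        fw.handle("203.0.113.9", sport, "SYN")   # spoofed address, no ACK will ever follow
    fw.handle("198.51.100.7", 40000, "SYN")      # genuine client completes the handshake
    fw.handle("198.51.100.7", 40000, "ACK")
    return {"server_sessions": len(fw.server_sessions),
            "dropped": len(fw.dropped), "expired": fw.expire_pending()}
```

With the inbound policy the spoofed SYNs only ever occupy cheap half-open entries on the firewall and a single genuine session reaches the server; with the outbound policy the server-side connections are consumed by the flood until the per-source limit starts dropping SYNs.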
