998 BigIron RX Series Configuration Guide 53-1002253-01

Protecting against TCP SYN attacks

    BigIron RX(config)# access-list 101 permit tcp any any match-all +syn
    BigIron RX(config)# int e 3/11
    BigIron RX(config-if-e100-3/11)# dos-attack-prevent 101 burst-normal 5000000 burst-max 1000 lockup 300

TCP security enhancement

TCP security enhancement improves upon the handling of TCP inbound segments. The enhancement eliminates or minimizes the possibility of a TCP reset attack, in which a perpetrator attempts to prematurely terminate an active TCP session, and a data injection attack, in which an attacker injects or manipulates data in a TCP connection.

In both cases, the attack is blind, meaning the perpetrator does not have visibility into the content of the data stream between the two devices, but blindly injects traffic. Also, the attacker does not see the direct effect, the continuing communications between the devices and the impact of the injected packet, but may see the indirect impact of a terminated or corrupted session.

The TCP security enhancement prevents and protects against the following three types of attacks:

• Blind TCP reset attack using the reset (RST) bit
• Blind TCP reset attack using the synchronization (SYN) bit
• Blind TCP packet injection attack

The TCP security enhancement is automatically enabled. If necessary, you can disable this feature. Refer to “Disabling the TCP security enhancement” on page 999.

Protecting against a blind TCP reset attack using the RST bit

In a blind TCP reset attack using the RST bit, a perpetrator attempts to guess the sequence number of an RST segment in order to prematurely terminate an active TCP session.

To prevent a user from using the RST bit to reset a TCP connection, the RST bit is subject to the following rules when receiving TCP segments:

• If the RST bit is set and the sequence number is outside the expected window, the device silently drops the segment.
• If the RST bit is set and the sequence number is exactly the next expected sequence number, the device resets the connection.
• If the RST bit is set and the sequence number does not exactly match the next expected sequence value, but is within the acceptable window, the device sends an acknowledgement.

This TCP security enhancement is enabled by default. To disable it, refer to “Disabling the TCP security enhancement” on page 999.

Protecting against a blind TCP reset attack using the SYN bit

In a blind TCP reset attack using the SYN bit, a perpetrator attempts to guess the sequence number of a SYN segment in order to prematurely terminate an active TCP session.

To prevent a user from using the SYN bit to tear down a TCP connection, the SYN bit is subject to the following rules when receiving TCP segments:

• If the SYN bit is set and the sequence number is outside the expected window, the device sends an acknowledgement (ACK) back to the peer.
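As an added example, not code from the BigIron RX guide, the following Python models the receive-side rules described above for RST and SYN segments, and goes slightly beyond the text by handling sequence-number wraparound at 2^32, which the window comparison has to respect. The names (Connection, handle_rst, handle_syn, process) and the action strings are this example's own, and the in-window SYN case, whose rule is not on this page, is assumed to be answered with an ACK.

```python
# Added example: a model of the RST/SYN segment rules described above.
# Not code from the BigIron RX guide; the names, action strings and the
# in-window SYN behaviour are assumptions made for this illustration.
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Connection:
    rcv_nxt: int            # next sequence number expected from the peer
    rcv_wnd: int            # receive window in bytes
    established: bool = True


def handle_rst(conn: Connection, seq: int) -> str:
    """Apply the three RST rules: drop, reset, or acknowledge."""
    if not in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "drop"               # outside the window: silently discard
    if seq == conn.rcv_nxt:
        conn.established = False    # exact match: genuine reset, tear down
        return "reset"
    return "ack"                    # in window but inexact: send an ACK


def handle_syn(conn: Connection, seq: int) -> str:
    """Apply the SYN rule on this page: an out-of-window SYN gets an ACK."""
    if not in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "ack"
    # The guide's remaining SYN rules are on the next page; this example
    # assumes an in-window SYN is also answered with an ACK rather than a
    # teardown, so a guessed SYN never terminates the session by itself.
    return "ack"


def process(conn: Connection, segments) -> list:
    """Run constructed (flags, seq) pairs through the rules; return actions."""
    actions = []
    for flags, seq in segments:
        if "RST" in flags:
            actions.append(handle_rst(conn, seq))
        elif "SYN" in flags:
            actions.append(handle_syn(conn, seq))
        else:
            actions.append("data")   # ordinary segment, outside this model
    return actions
```

Segments carrying data are passed through as "data" here; the guide's third protection (blind packet injection) is not modelled.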