BigIron RX Series Configuration Guide 97953-1001986-01
Protecting against TCP SYN attacks 34

• If the total traffic volume (in bits per second) of packets that match the condition specified in the ACL exceeds the burst-normal value, the excess packets are dropped.
• If the number of packets that match the condition specified in the ACL exceeds the burst-max value, all packets that match the condition specified in the ACL are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset, and measurement is restarted.

When a port is locked up by dos-attack prevention, two types of syslog messages are generated. The first type is generated at the time the port is shut down for the matched traffic flow, to indicate the port shutdown activity and the period of the shutdown. The following is a sample output.

Jun 23 00:40:20:N:Incoming traffic in interface 3/5 exceedes 1500 burst packets,stopping for 30 seconds!!

The second type logs the headers of the packets that are dropped during the lockup period. Note that these messages are rate-limited to avoid overloading the syslog buffer. By default, the same kind of packet is logged only once every five seconds. The rate of the messages can be changed with the ip access-list logging-age command, which also controls the logging timer for ACLs. The following is a sample output.

Jun 23 00:37:58:I:list 120 denied icmp 55.55.55.1()(Ethernet 3/5 0000.0000.0011)-> 14.14.14.1(), 1 event(s)

Note that:
• This feature is supported on Ethernet (physical) interfaces only.
• Only the permit clauses (filters) are used in this feature. Deny clauses are ignored.

Protecting against TCP SYN attacks

TCP SYN attacks exploit the process by which TCP connections are established in order to disrupt normal traffic flow. When a TCP connection starts, the connecting host first sends a TCP SYN packet to the destination host. The destination host responds with a SYN ACK packet, and the connecting host sends back an ACK packet. This process, known as a "TCP three-way handshake", establishes the TCP connection.

While waiting for the connecting host to send an ACK packet, the destination host keeps track of the as-yet incomplete TCP connection in a connection queue. When the ACK packet is received, information about the connection is removed from the connection queue. Usually there is not much time between the destination host sending a SYN ACK packet and the source host sending an ACK packet, so the connection queue clears quickly.

In a TCP SYN attack, an attacker floods a host with TCP SYN packets that have random source IP addresses. For each of these TCP SYN packets, the destination host responds with a SYN ACK packet and adds information to the connection queue. However, since the source host does not exist, no ACK packet is sent back to the destination host, and an entry remains in the connection queue until it ages out (after around a minute). If the attacker sends enough TCP SYN packets, the connection queue can fill up, and service can be denied to legitimate TCP connections.

To protect against TCP SYN attacks, you can configure the device to drop TCP SYN packets when excessive numbers are encountered. You can set threshold values for TCP SYN packets that are targeted at the router itself or passing through an interface from interface 3/11, and drop them when the thresholds are exceeded.

For example, to set threshold values for TCP SYN packets, enter the following commands.
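The following Python simulation is an added example, not code from the BigIron RX guide or from the device itself. It models the burst-normal / burst-max / lockup logic described in the ACL-based DoS prevention section above, applied to a constructed stream of TCP SYN packets like the flood described in this section, and it records the two kinds of syslog messages the guide describes (one lockup notice, then rate-limited per-packet drop logs). The measurement window (one second), the SYN size (60 bytes), the packet stream, the log line format and the single global 5-second log timer are all assumptions made for the example; the real device keys its logging timer per kind of packet and uses its own message text.

```python
"""Simulation of burst-normal / burst-max / lockup DoS prevention on a SYN stream.

Added example (assumptions: 1-second measurement windows, 60-byte SYN
packets, a single global 5-second log rate limit, constructed traffic).
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SYN_BITS = 60 * 8  # assumed size of a minimal TCP SYN on Ethernet


@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src: str
    dst: str
    bits: int = SYN_BITS


@dataclass
class BurstLimiter:
    """burst_normal is bits/s, burst_max is packets/s, lockup is seconds."""
    burst_normal: int
    burst_max: int
    lockup: int
    log_age: float = 5.0              # stands in for ip access-list logging-age
    window_start: int = 0             # current 1-second window
    window_bits: int = 0
    window_pkts: int = 0
    locked_until: Optional[float] = None
    last_drop_log: float = float("-inf")
    log: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> str:
        """Return 'forward', 'drop-excess' or 'drop-lockup' for one packet."""
        if self.locked_until is not None:
            if pkt.ts < self.locked_until:
                # Second message type: header of a dropped packet, rate-limited.
                if pkt.ts - self.last_drop_log >= self.log_age:
                    self.log.append(f"{pkt.ts:.0f}:I: denied tcp {pkt.src} -> {pkt.dst}")
                    self.last_drop_log = pkt.ts
                return "drop-lockup"
            # Lockup expired: reset the counter and restart measurement.
            self.locked_until = None
            self.window_start = int(pkt.ts)
            self.window_bits = self.window_pkts = 0

        window = int(pkt.ts)
        if window != self.window_start:
            self.window_start = window
            self.window_bits = self.window_pkts = 0

        self.window_pkts += 1
        self.window_bits += pkt.bits

        if self.window_pkts > self.burst_max:
            # First message type: port is shut down for the matched flow.
            self.locked_until = pkt.ts + self.lockup
            self.log.append(
                f"{pkt.ts:.0f}:N: traffic exceeds {self.burst_max} burst packets, "
                f"stopping for {self.lockup} seconds"
            )
            return "drop-lockup"
        if self.window_bits > self.burst_normal:
            return "drop-excess"   # only the excess over burst-normal is dropped
        return "forward"


def build_stream() -> List[Packet]:
    """Constructed traffic: a legitimate client, then a spoofed SYN flood."""
    pkts: List[Packet] = []
    for sec in (0, 1):                               # 5 SYN/s from one client
        pkts.extend(Packet(sec + i / 5, "10.0.0.5", "10.0.0.1") for i in range(5))
    for i in range(1600):                            # 1600 SYN in one second,
        pkts.append(Packet(2 + i / 1600,             # random-looking sources
                           f"203.0.113.{i % 254 + 1}", "10.0.0.1"))
    for sec in range(3, 41):                         # client keeps retrying 1/s
        pkts.append(Packet(float(sec), "10.0.0.5", "10.0.0.1"))
    return pkts


def run(packets: List[Packet], limiter: BurstLimiter) -> Dict[str, int]:
    """Feed packets through the limiter and count each verdict."""
    return dict(Counter(limiter.process(p) for p in packets))


if __name__ == "__main__":
    lim = BurstLimiter(burst_normal=200_000, burst_max=1500, lockup=30)
    print(run(build_stream(), lim))
    print("\n".join(lim.log))
```

With burst-normal at 200,000 bits/s, burst-max at 1,500 packets/s and a 30-second lockup, the flood second first trips burst-normal (only the first 416 SYNs fit, the rest are dropped as excess), then packet 1,501 trips burst-max and locks the port, so the legitimate client's retries are also dropped until the lockup expires at second 33. That collateral drop of legitimate traffic during the lockup is the trade-off to weigh when choosing the lockup value.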