SYN Floodguard
Another well-known DoS attack is SYN flooding, in which an attacker sends large numbers of initial SYN packets to a host (typically from spoofed source addresses, so the SYN/ACK replies go unanswered) and never completes or closes the resulting half-open connections. Some TCP/IP implementations tie up a great deal of resources while waiting for these connections to be confirmed, and cannot accept any new connections until the backlog of half-open connections is cleared. The easiest way to prevent this is to control the rate at which new connections are opened, or the number of connections that are half-open (also called SYN Received or embryonic) at any given time. The latter is done by specifying a limit on the number of embryonic connections in the static and nat configuration commands. For example:
PIX1(config)# static (dmz, outside) 123.4.5.6 10.1.1.0 netmask 255.255.255.255 100 50
This creates a static NAT entry for the DMZ server 10.1.1.0 with an external IP address of 123.4.5.6. The number 100 means that at most 100 connections from outside to this server can be in an open state at any given time, and the number 50 is the maximum number of half-open (embryonic) connections to this server that can exist at any given time. The nat command is similar: the two numbers at the end specify the number of open and embryonic connections that may exist at any given time to each translated host:
nat (inside) 1 10.0.0.0 255.0.0.0 100 50
When either number is zero, that count is not limited; zero is also the default when the values are omitted, so a static or nat entry without them gives the host no protection. What the PIX actually does when a host's embryonic limit is reached differs between versions up to 5.2 and versions 5.3 and later; see the sidebar for details.
Figure 4.12 illustrates how the TCP Intercept feature works.
Figure 4.12 TCP Intercept in PIX Versions 5.3 and Later

[Figure: an outside client and an inside server with the PIX between them. The client sends SYN; the PIX answers with SYN/ACK on the server's behalf; the client replies with ACK. Only then does the PIX send its own SYN to the inside server, receive the server's SYN/ACK, and complete that handshake with an ACK.]

No packets are passed to the inside server until the three-way handshake is complete. After the PIX simulates the handshake with the outside client, it passes the connection to the inside server.
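To make the difference between the two behaviours concrete, here is an added example (not from the book, and a simplification rather than PIX code) that simulates a SYN flood against a host with an embryonic limit of 50. In "drop" mode, the pre-5.3 behaviour, every SYN arriving after the limit is reached is discarded, including one from a legitimate client. In "intercept" mode the PIX answers SYN/ACK itself once the limit is reached and only opens a server-side connection for clients that return the ACK, so the spoofed flood never reaches the server and the legitimate client still gets through. The assumption that interception starts when the embryonic limit is reached, and the sample client addresses, are the example's own.

```python
"""Simulate a SYN flood through a PIX with an embryonic limit, with and
without TCP Intercept. Added example, not PIX code: the state machine keeps
only what is needed to show which SYNs consume server resources and whether
a well-behaved client can still connect during the flood.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Flow = Tuple[str, int]   # (client IP, client source port)


@dataclass
class Server:
    """Inside server; its half-open table is the resource the flood exhausts."""
    half_open: Set[Flow] = field(default_factory=set)
    established: Set[Flow] = field(default_factory=set)

    def syn(self, flow: Flow) -> None:
        self.half_open.add(flow)

    def ack(self, flow: Flow) -> None:
        self.half_open.discard(flow)
        self.established.add(flow)


@dataclass
class Pix:
    emb_limit: int            # embryonic limit from the static/nat command (0 = unlimited)
    tcp_intercept: bool       # False: drop new SYNs at the limit; True: 5.3+ behaviour
    server: Server = field(default_factory=Server)
    intercepted: Dict[Flow, bool] = field(default_factory=dict)  # flows PIX answered itself
    dropped: int = 0

    def _limit_reached(self) -> bool:
        return self.emb_limit != 0 and len(self.server.half_open) >= self.emb_limit

    def client_syn(self, flow: Flow) -> str:
        """Handle a SYN from outside; returns what happened to it."""
        if flow in self.server.half_open or flow in self.intercepted:
            return "duplicate"
        if not self._limit_reached():
            self.server.syn(flow)            # below the limit: SYN forwarded as-is
            return "forwarded"
        if not self.tcp_intercept:
            self.dropped += 1                # pre-5.3: limit reached, SYN discarded
            return "dropped"
        self.intercepted[flow] = True        # 5.3+: PIX sends SYN/ACK on server's behalf
        return "intercepted"

    def client_ack(self, flow: Flow) -> str:
        """Handle the client's ACK (spoofed flood sources never send one)."""
        if flow in self.server.half_open:
            self.server.ack(flow)
            return "established"
        if flow in self.intercepted:
            # Client completed the handshake with the PIX, so the PIX now runs
            # SYN -> SYN/ACK -> ACK with the inside server and splices the two.
            del self.intercepted[flow]
            self.server.syn(flow)
            self.server.ack(flow)
            return "established"
        return "no_state"


def simulate(tcp_intercept: bool, emb_limit: int = 50, flood_size: int = 200) -> dict:
    """Flood with spoofed SYNs, then try one legitimate client. Returns the outcome."""
    pix = Pix(emb_limit=emb_limit, tcp_intercept=tcp_intercept)
    # Constructed flood: spoofed sources in 198.51.100.0/24 that never answer SYN/ACK.
    for i in range(flood_size):
        pix.client_syn((f"198.51.100.{i % 254 + 1}", 1024 + i))
    legit = ("203.0.113.10", 40000)          # constructed legitimate client
    syn_result = pix.client_syn(legit)
    ack_result = "dropped" if syn_result == "dropped" else pix.client_ack(legit)
    return {
        "server_half_open": len(pix.server.half_open),
        "server_established": len(pix.server.established),
        "dropped_syns": pix.dropped,
        "pix_intercepted": len(pix.intercepted),
        "legit_syn": syn_result,
        "legit_result": ack_result,
    }


if __name__ == "__main__":
    print("pre-5.3 drop mode:   ", simulate(tcp_intercept=False))
    print("5.3+ TCP Intercept:  ", simulate(tcp_intercept=True))
```

In both modes the server holds exactly 50 half-open entries, so the limit does its job of bounding server resources; the difference is what happens to the 151st SYN. Without interception a client arriving during the flood is turned away until the half-open entries time out, while with interception the flood is absorbed by the PIX and the client is connected as usual.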