User guide
Security command reference
iMG/RG Software Reference Manual (IPNetwork Functions)
Option   Description                                                        Default Value
max      The maximum number (per second) of pings that are allowed          15
         before an Echo Storm attempt is detected.
Example --> security set IDS MaxPING 25
4.2.7.1.51 SECURITY SET IDS MAXTCPOPENHANDSHAKE
Syntax SECURITY SET IDS MAXTCPOPENHANDSHAKE <MAX>
Description This command sets the maximum number of unfinished TCP handshaking sessions per
second that are allowed before a SYN Flood is detected. A SYN Flood is a DoS (Denial of
Service) attack. When a normal TCP connection is established, three packets are
exchanged:
1. A SYN (synchronize) packet is sent from the host to the network server.
2. A SYN/ACK packet is sent from the network server to the host.
3. An ACK (acknowledge) packet is sent from the host to the network server.
If the host puts unreachable (spoofed) source addresses in its SYN packets, the server
sends its SYN/ACK packets to those unreachable addresses and keeps retransmitting them.
Each such half-open connection occupies an entry in the server's backlog queue while it
waits for the final ACK that never arrives. Once the queue is full, the system ignores all
incoming SYN requests and no legitimate TCP connections can be established.
Once the maximum number of unfinished TCP handshaking sessions within one second is
exceeded, an attempted DoS attack is detected. The suspected attacker is blocked for the
time limit specified in the security set IDS DOSattackblock command. Completed
handshakes (SYN, SYN/ACK, ACK) do not count towards the limit, so a busy but
well-behaved client is not flagged.
Options The following table gives the range of values for each option that can be specified with
this command and a Default Value (if applicable).
Option   Description                                                        Default Value
max      The maximum number (per second) of unfinished TCP handshaking      100
         sessions that are allowed before a SYN Flood attempt is detected.
Example --> security set IDS MaxTCPopenhandshake 150
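The detection rule the description outlines, written out as an added example so the threshold and the block timer can be seen acting on traffic. This is illustrative Python, not the iMG/RG firmware (whose internals the manual does not document): it assumes the DOSattackblock value is in seconds, counts half-open flows towards each server within a sliding one-second window, and, when the count exceeds MaxTCPopenhandshake, blocks every source address that contributed. The class, field and function names, and the IP addresses and traffic below are all constructed for the example.

```python
"""Toy SYN-flood detector modelled on MaxTCPopenhandshake / DOSattackblock.

Added example; not the device's own code. Assumptions: DOSattackblock is in
seconds, and "per second" means a sliding one-second window.
"""
from dataclasses import dataclass

SYN, SYN_ACK, ACK = "SYN", "SYN/ACK", "ACK"


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the IDS sees it (constructed, not captured)."""
    t: float      # arrival time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # SYN, SYN/ACK or ACK


class SynFloodDetector:
    """Counts unfinished handshakes per server within the last second."""

    def __init__(self, max_open_handshake=100, dos_attack_block=60):
        self.max_open = max_open_handshake   # security set IDS MaxTCPopenhandshake
        self.block_for = dos_attack_block    # security set IDS DOSattackblock (assumed seconds)
        self.half_open = {}                  # (src, sport, dst, dport) -> time SYN arrived
        self.blocked_until = {}              # source address -> time the block expires
        self.alerts = []                     # (time, "server:port", open count)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block timer has run out
            del self.blocked_until[ip]
            return False
        return True

    def _expire(self, now):
        """Drop half-open flows whose SYN is older than the one-second window."""
        for key in [k for k, t in self.half_open.items() if now - t >= 1.0]:
            del self.half_open[key]

    def observe(self, seg):
        """Feed one segment; returns 'blocked', 'syn-flood' or 'ok'."""
        if self.is_blocked(seg.src, seg.t):
            return "blocked"
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == SYN:                 # packet 1: a new half-open connection
            self._expire(seg.t)
            self.half_open[key] = seg.t
            open_flows = [k for k in self.half_open if k[2:] == (seg.dst, seg.dport)]
            if len(open_flows) > self.max_open:
                self.alerts.append((seg.t, f"{seg.dst}:{seg.dport}", len(open_flows)))
                for flow in open_flows:      # block every suspected source
                    self.blocked_until[flow[0]] = seg.t + self.block_for
                    del self.half_open[flow]
                return "syn-flood"
        elif seg.flags == ACK and key in self.half_open:
            del self.half_open[key]          # packet 3: handshake finished, stop counting it
        return "ok"                          # SYN/ACK is the server's reply; not counted


def run_demo():
    """Constructed traffic: a busy honest client, then a spoofed SYN flood."""
    ids = SynFloodDetector(max_open_handshake=100, dos_attack_block=60)
    server = ("192.0.2.10", 80)
    client = "198.51.100.5"

    # 150 complete handshakes in one second: above the threshold, but each one finishes.
    for i in range(150):
        t, sport = i / 150.0, 40000 + i
        ids.observe(Segment(t, client, sport, *server, SYN))
        ids.observe(Segment(t, server[0], server[1], client, sport, SYN_ACK))
        ids.observe(Segment(t, client, sport, *server, ACK))
    legit_alerts = len(ids.alerts)

    # 120 SYNs in one second from spoofed, unreachable sources; no ACK ever follows.
    flood = [ids.observe(Segment(5.0 + i / 120.0, f"203.0.113.{i + 1}", 1024 + i, *server, SYN))
             for i in range(120)]

    retry = ids.observe(Segment(6.0, "203.0.113.1", 5000, *server, SYN))   # blocked source
    return {
        "legit_alerts": legit_alerts,               # 0: finished handshakes never count
        "first_alert_index": flood.index("syn-flood"),  # 100: the 101st unfinished SYN
        "floods": flood.count("syn-flood"),
        "retry": retry,
        "still_blocked": ids.is_blocked("203.0.113.1", 35.0),
        "released": not ids.is_blocked("203.0.113.1", 66.0),  # past 5.83 s + 60 s
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the run makes visible that the option table alone does not. First, the limit is on unfinished handshakes, so the honest client that completes 150 connections in a second is never flagged, while the 101st half-open SYN trips the default of 100. Second, because a real SYN flood spoofs its source addresses, blocking those addresses for the DOSattackblock period mostly punishes hosts that never sent anything; the threshold, not the block list, is what keeps the backlog from filling, and the blocking step is mainly useful against a non-spoofing attacker who reuses one address.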