Table of Contents 1 TCP Proxy Configuration 1-1

Transcription

1 Table of Contents 1 TCP Proxy Configuration 1-1 Overview 1-1 Introduction to SYN Flood Attack 1-1 Introduction to TCP Proxy 1-1 How TCP Proxy Works 1-2 Configuring TCP Proxy 1-3 Configuration Task List 1-3 Performing Global TCP Proxy Setting 1-4 Enabling TCP Proxy for a Security Zone 1-4 Adding a Protected IP Address Entry 1-4 Displaying Information About Protected IP Address Entries 1-5 TCP Proxy Configuration Example 1-6 Configuration Guidelines 1-8 i

2 1 TCP Proxy Configuration Overview Introduction to SYN Flood Attack As a general rule, the establishment of a TCP connection is a three-way handshake: 1) The request originator sends a SYN message to the target server. 2) After receiving the SYN message, the target server establishes a TCP connection in the SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response. 3) After receiving the SYN ACK message, the originator returns an ACK message. Thus, the TCP connection is established. Attackers may exploit the TCP connection establishment to mount SYN flood attacks. Attackers send a large number of SYN messages to the server to establish TCP connections, but they never make any response to SYN ACK messages. As a result, a large amount of incomplete TCP connections are established, making the server unable to handle services normally. Introduction to TCP Proxy The TCP proxy feature can protect the server from SYN flood attacks. The TCP client sets up a TCP connection with the TCP server through a TCP proxy. The TCP proxy intercepts SYN requests from the TCP clients and verifies whether the requests are SYN flood attack packets. If so, the TCP proxy drops the requests, thus protecting the TCP server against SYN flood attacks. TCP proxy can work in two modes: Unidirectional proxy: Only processes packets from the TCP client Bidirectional proxy: Processes packets from both the TCP client and TCP server. You can choose a proper mode according to your network scenario. As shown in Figure 1-1, packets from the TCP client to the server go through the TCP proxy, while packets from the TCP server to the client are transferred by the Router in between. Thus unidirectional proxy is required. Figure 1-1 Network diagram for unidirectional proxy TCP proxy TCP client Router TCP server 1-1

3 As shown in Figure 1-2, all packets between the TCP client and TCP server go through the TCP proxy, and thus you can configure unidirectional proxy or bidirectional proxy as desired. Figure 1-2 Network diagram for unidirectional/bidirectional proxy How TCP Proxy Works Unidirectional proxy Figure 1-3 shows the data exchange process of unidirectional proxy. Figure 1-3 Data exchange process of unidirectional proxy TCP client TCP proxy TCP server 1) SYN 2) SYN ACK (invalid sequence number) 3) RST 4) SYN (retransmitting) 7) ACK 6) SYN ACK 5) SYN (forwarding) 8) ACK (forwarding) After receiving a SYN message from a client to the protected server (such a message matches a protected IP address entry), the TCP proxy sends back a SYN ACK message with a wrong sequence number on behalf of the server, that is, using the IP address and port number of the server. If the client is legitimate, the TCP proxy will receive an RST message, and will receive a SYN message again from the client. The TCP proxy then directly forwards the SYN, SYN ACK, and ACK messages to establish a TCP connection between the client and the server. After the TCP connection is established, the TCP proxy forwards the subsequent packets of the connection without additional processing. Bidirectional proxy Figure 1-4 shows the data exchange process of bidirectional proxy. 1-2

4 Figure 1-4 Data exchange process of bidirectional proxy TCP client TCP proxy TCP server 1) SYN 2) SYN ACK (win=0) 3) ACK 4) SYN 5) SYN ACK (win=n) 6) ACK 7) ACK (win=n) After receiving a SYN message from a client to the protected server (such a message matches a protected IP address entry), the TCP proxy sends back a SYN ACK message with the window size being 0 on behalf of the server. If the client is legitimate, the TCP proxy will receive an ACK message, and then sets up a connection between itself and the server through a three-way handshake on behalf of the client. As two TCP connections are established, different sequence numbers are used. They are translated by the TCP proxy for data exchange between the client and the server. Configuring TCP Proxy Configuration Task List Perform the tasks in Table 1-1 to configure TCP proxy. Table 1-1 TCP proxy configuration task list Task Performing Global TCP Proxy Setting Enabling TCP Proxy for a Security Zone Adding a Protected IP Address Entry Configure the Device to Automatically Add a Protected IP address Entry Displaying Information About Protected IP Address Entries Remarks Optional The configuration is effect on all security zones. By default, bidirectional proxy is used. Required By default, the TCP proxy feature is disabled globally. At least one method is required. You can add protected IP address entries by either of the methods: Static: Add entries manually. By default, no such entries are configured in the system. Dynamic: Select Intrusion Detection > Traffic Abnormality > SYN Flood, and then select the Add protected IP entry to TCP Proxy check box. After the configuration, the TCP proxy-enabled device will automatically add protected IP address entries when detecting SYN flood attacks. For more information, see Intrusion Detection Configuration. Optional You can view information about all protected IP address entries. 1-3

5 Performing Global TCP Proxy Setting Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the page shown in Figure 1-5. The Global Configuration area allows you to perform global setting for TCP proxy. Figure 1-5 TCP proxy configuration Table 1-2 describes the global configuration items of TCP proxy. Table 1-2 Global configuration items of TCP proxy Item Unidirection/Bidirediction Description Set the global proxy mode of TCP proxy. Return to TCP proxy configuration task list. Enabling TCP Proxy for a Security Zone Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree to enter the page shown in Figure 1-5. You can enable/disable the TCP proxy feature for a security zone in the Zone Configuration area. The icon indicates that the TCP proxy feature is disabled for the corresponding security zone. You can click the Enable button beside the icon to enable the feature. The icon indicates that the TCP proxy feature is enabled for the corresponding security zone. You can click the Disable button beside the icon to disable the feature. Return to TCP proxy configuration task list. Adding a Protected IP Address Entry Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 1-6, which lists information about protected IP address entries and the relative statistics. Click Add to enter the page for configuring a protected IP address entry, as shown in Figure

6 Figure 1-6 Protected IP address entries Figure 1-7 Protected IP address entry configuration page Table 1-3 describes the protected IP address entry configuration items. Table 1-3 Protected IP address entry configuration items Item Protected IP Address Port Number Description Type the IP address to be protected by the TCP proxy. It is the destination IP address of the TCP connection. Type the destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address. Return to TCP proxy configuration task list. Displaying Information About Protected IP Address Entries Select Intrusion Detection > TCP Proxy > Protected IP Configuration to enter the page shown in Figure 1-6, which lists information about protected IP address entries. Table 1-4 describes information about protected IP address entries. Table 1-4 Information about protected IP address entries Item Description Protected IP Port Number Type Lifetime(min) IP addresses protected by the TCP proxy feature. Destination port of the TCP connection. The option any specifies that TCP proxy services TCP connection requests to any port of the server at the destination IP address. The protected IP address entries can be static or dynamic. Lifetime for the IP address entry under protection. This item is displayed as for static IP address entries. When the time reaches 0, the protected IP address entry will be deleted. 1-5

7 Item Number of Rejected Description Amount of requests for TCP connection requests matching the protected IP address entry but were proved to be illegitimate. Return to TCP proxy configuration task list. TCP Proxy Configuration Example Network requirements As shown in Figure 1-8, configure bidirectional TCP proxy on Device to protect Server A, Server B, and Server C against SYN flood attacks. Add a protected IP address entry for Server A manually and configure dynamic TCP proxy for the other servers. Figure 1-8 Network diagram for TCP proxy configuration Server A /24 IP network GE0/ /24 Untrust Device GE0/ /24 Trust Server B Server C Configuration procedure # Assign IP addresses for the interfaces and then add interface GigabitEthernet 1/1 to zone Untrust, and GigabitEthernet 1/2 to zone Trust. (Omitted) # Set the TCP proxy mode to bidirectional and enable TCP proxy for zone Untrust. Select Intrusion Detection > TCP Proxy > TCP Proxy Configuration from the navigation tree. Select the bidirectional mode and enable TCP proxy for zone Untrust as shown in Figure 1-9. Figure 1-9 Select the bidirectional mode and enable TCP proxy for zone Untrust Select Bidirection for the global setting. Click Apply. 1-6

8 In the Zone Configuration area, click Enable for the Untrust zone. # Add an IP address entry manually for protection. Select Intrusion Detection > TCP Proxy > Protected IP Configuration from the navigation tree. Then on the right pane, click Add. Add an IP address entry for protection as shown in Figure Figure 1-10 Add an IP address entry for protection Type in the Protected IP Address text box. Click Apply. # Configure the SYN flood detection feature, specifying to automatically add protected IP address entries. Select Intrusion Detection > Traffic Abnormality > SYN Flood from the navigation tree. In the Attack Prevention Policy area, configure the action to be taken upon SYN flood diction as configurations shown in Figure Figure 1-11 Configure the action to be taken upon SYN flood detection Select Trust from the Security Zone drop-down list. Select the Add protected IP entry to TCP Proxy check box in the Attack Prevention Policy area. Click Apply. In the SYN Flood Configuration area, click Add. Configure global settings as shown in Figure

9 Figure 1-12 Configure global settings Select Global Configuration of Security Zone. Use the default values for the connection rate threshold and half connection count threshold. Click Apply. Configuration Guidelines Follow these guidelines when configuring TCP proxy: 1) TCP proxy is effective only for incoming traffic of the security zone. 2) The performance of the Web-based management system may be degraded if the system s IP address and port number are in the protected IP entry list. 1-8