Controlling TCP-Half (Embryonic) Connection on Cisco PIX Firewall

One way to prevent or minimize the risk of a DoS/DDoS (Distributed Denial of Service) attack is to limit the number of TCP half-open connections from the outside network to the inside or DMZ network (network administrators usually place public servers such as web, FTP and mail servers in the DMZ).

A TCP half-open connection is a TCP connection whose three-way handshake has not yet completed. One DoS/DDoS method is to flood the target with TCP SYN packets. The goal of this attack is to fill up the target's TCP connection slots so that legitimate traffic can no longer get through.

If your network uses a Cisco PIX Firewall, you can reduce the risk of this attack by controlling the TCP half-open (embryonic) connections: add an option to your static NAT configuration, as in the example below:

static (dmz,outside) 123.1.2.3 192.168.100.12 netmask 255.255.255.255 tcp 0 1000

Here 1000 is the limit on the number of TCP half-open connections that may exist between the outside network and the server in the DMZ (192.168.100.12 is the local address and 123.1.2.3 is the global IP address).

Two things can then happen in this scenario:

  • If the half-closed timeout expires before the final ACK arrives, the PIX Firewall drops the TCP half-open connection. You can set this timeout with the command "timeout half-closed hh[:mm[:ss]]". The default is 10 minutes.

  • If the TCP SYN packet arriving from the outside network carries a spoofed source address that belongs to an active host, that real host will send a TCP RST packet to the PIX Firewall, and the half-open connection will be dropped.
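To make the three rules above concrete (the embryonic limit set by the static command, the timeout drop in the first bullet and the RST drop in the second), here is a small Python model of the firewall's half-open connection table. It is an added example written for this page, not Cisco's code and not how the PIX implements it internally; the class name, the packet format and the 203.0.113.x source addresses are constructed for illustration. In the real `static ... tcp 0 1000` syntax the first number is the maximum total connections (0 meaning unlimited) and the second is the embryonic limit; the model only tracks the embryonic side, and uses seconds instead of hh:mm:ss.

```python
"""Model of per-server embryonic (half-open) TCP connection accounting.

Added example, not Cisco's code. It imitates the behaviour the page
describes for a PIX `static ... tcp max_conns emb_limit` entry:
  - SYNs beyond emb_limit are dropped,
  - half-open entries whose final ACK never arrives expire after a timeout,
  - an RST from the (possibly spoofed) source removes the half-open entry.
All names, packet fields and sample addresses are constructed.
"""
from dataclasses import dataclass, field

SYN, ACK, RST = "SYN", "ACK", "RST"


@dataclass
class EmbryonicTable:
    emb_limit: int                 # like the 1000 in `static ... tcp 0 1000`
    timeout: float                 # like `timeout half-closed`, here in seconds
    half_open: dict = field(default_factory=dict)  # (src, sport) -> time of SYN
    established: set = field(default_factory=set)  # handshake completed
    dropped: list = field(default_factory=list)    # (reason, key) audit trail

    def expire(self, now):
        """Bullet 1: drop half-open entries whose ACK never came before the timeout."""
        for key, t_syn in list(self.half_open.items()):
            if now - t_syn >= self.timeout:
                del self.half_open[key]
                self.dropped.append(("timeout", key))

    def handle(self, pkt, now):
        """Return 'allow' or 'drop' for one packet dict {flag, src, sport}."""
        self.expire(now)
        key = (pkt["src"], pkt["sport"])
        flag = pkt["flag"]
        if flag == SYN:
            if key in self.half_open:
                return "allow"                 # retransmitted SYN, already counted
            if len(self.half_open) >= self.emb_limit:
                self.dropped.append(("limit", key))
                return "drop"                  # embryonic limit reached
            self.half_open[key] = now
            return "allow"
        if flag == ACK:
            if self.half_open.pop(key, None) is not None:
                self.established.add(key)      # handshake done: no longer embryonic
                return "allow"
            return "allow" if key in self.established else "drop"
        if flag == RST:
            # Bullet 2: the real owner of a spoofed source address resets the handshake
            if self.half_open.pop(key, None) is not None:
                self.dropped.append(("rst", key))
            self.established.discard(key)
            return "allow"
        return "drop"


def run_scenario():
    """Constructed event sequence: limit of 3 half-open entries, 10 s timeout."""
    table = EmbryonicTable(emb_limit=3, timeout=10)
    events = [  # (time, flag, source, source port) - all constructed
        (0, SYN, "203.0.113.5", 40000),
        (1, SYN, "203.0.113.6", 40001),
        (2, SYN, "203.0.113.7", 40002),
        (3, SYN, "203.0.113.8", 40003),   # fourth SYN: over the limit, dropped
        (4, RST, "203.0.113.6", 40001),   # spoofed source's real owner resets
        (5, SYN, "203.0.113.8", 40003),   # now fits again
        (6, ACK, "203.0.113.5", 40000),   # handshake completes
        (13, SYN, "203.0.113.9", 40004),  # .7 has timed out by now, slot free
    ]
    verdicts = [table.handle({"flag": f, "src": s, "sport": p}, t)
                for t, f, s, p in events]
    return verdicts, table


if __name__ == "__main__":
    verdicts, table = run_scenario()
    print(verdicts)
    print("half-open:", sorted(table.half_open))
    print("dropped:", table.dropped)
```

The audit trail is the part a defender would actually want from the real device: the order of `limit`, `rst` and `timeout` entries tells you whether the limit is doing the work (a flood) or whether entries are mostly clearing on their own.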
