UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The A10 Networks ADC must protect against TCP SYN floods by using TCP SYN Cookies.


Overview

Finding ID Version Rule ID IA Controls Severity
V-237063 AADC-AG-000156 SV-237063r639636_rule Medium
Description
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target in an attempt to consume resources, making the device unresponsive to legitimate traffic. TCP SYN Cookies are commonly implemented by the Operating System on endpoints, but are also often implemented on network devices. A10 Networks ADCs provide protection against TCP SYN flood attacks by using SYN cookies. SYN cookies enable the device to continue to serve legitimate clients during a TCP SYN flood attack without allowing illegitimate traffic to consume system resources.
STIG Date
A10 Networks ADC ALG Security Technical Implementation Guide 2021-03-25

Details

Check Text ( C-40282r639634_chk )
Review the device configuration.

The following command displays the device configuration and filters the output on the string "syn-cookie":

show run | inc syn-cookie

If SYN cookies are not enabled, this is a finding.
Fix Text (F-40245r639635_fix)
The following command enables hardware-based SYN cookies:
syn-cookie on-threshold [num] off-threshold [num]

Note: Hardware-based SYN cookies are available only on some models. If the "on-threshold" and "off-threshold" options are omitted, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections.