UCF STIG Viewer Logo

The network device must drop half-open TCP connections through filtering thresholds or timeout periods.


Overview

Finding ID Version Rule ID IA Controls Severity
V-5646 NET0965 SV-5646r5_rule Medium
Description
A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.
STIG Date
Firewall Security Technical Implementation Guide 2017-12-07

Details

Check Text ( C-3604r11_chk )
Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections.

For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering.

If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.
Fix Text (F-5557r6_fix)
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.