
The sensor positioned to protect servers in the server farm or DMZ must provide protection from DoS SYN Flood attacks by dropping half-open TCP sessions.


Overview

Finding ID: SRG-NET-000244-IDPS-000230
Version: SRG-NET-000244-IDPS-000230
Rule ID: SRG-NET-000244-IDPS-000230_rule
IA Controls:
Severity: Medium
Description
A SYN flood sends a stream of TCP/SYN packets, often with a forged sender address. Each packet is handled like a connection request, causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet and waiting for a response from the sender address. Because the sender address is forged, the response never comes. These half-open connections saturate the number of connections the server is able to make, keeping it from responding to legitimate requests until the attack ends. If the server farm is monitored by an IDS rather than an IPS that can block traffic inline, the following alternatives can be implemented: upon detection of a SYN flood attack, the IDS can dynamically push (or remotely configure) an ACL onto the upstream router or multi-layer switch, which then serves as the blocking device for the TCP SYN flood; or TCP Intercept can be configured on the server farm's first-hop router, MLS, or firewall that controls access to the server farm subnet (VLAN).
STIG: IDPS Security Requirements Guide (SRG)
Date: 2012-03-08

Details

Check Text (C-43394_chk)
Review the IDPS sensor configuration and verify signatures are installed to protect against TCP SYN Flood attacks.

If the sensor positioned to protect servers in the server farm or DMZs does not drop half-open TCP sessions, this is a finding.
Fix Text (F-43394_fix)
Download and install signatures designed to protect against SYN Flood attacks.
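The half-open (embryonic) session limiting that this requirement and its Description call for, as an added illustration that is not part of the SRG and not any vendor's TCP Intercept code: a hypothetical tracker processes constructed client-to-server segments, counts half-open sessions per protected server, alerts when a cap is exceeded, and drops the oldest half-open entry or any that outlive a handshake timeout. Server and client addresses, the cap and the timeout are all assumed sample values.

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class SynEvent:
    """One client-to-server TCP segment (constructed sample data).
    flags: 'S' = SYN (new half-open session), 'A' = handshake-completing ACK."""
    t: float
    src: str
    dst: str
    flags: str


class HalfOpenGuard:
    """Hypothetical half-open session limiter written for this example only."""

    def __init__(self, max_half_open: int = 3, timeout: float = 5.0):
        self.max_half_open = max_half_open   # cap per protected server (assumed)
        self.timeout = timeout               # seconds a handshake may stay open (assumed)
        self.tables = {}                     # dst -> OrderedDict[(src, dst)] = SYN time
        self.completed, self.dropped, self.alerts = [], [], []

    def _expire(self, dst: str, now: float) -> None:
        # Half-open entries older than the timeout never completed: drop them.
        table = self.tables.get(dst, {})
        for key in [k for k, t0 in table.items() if now - t0 > self.timeout]:
            del table[key]
            self.dropped.append(key)

    def process(self, ev: SynEvent) -> None:
        key = (ev.src, ev.dst)
        self._expire(ev.dst, ev.t)
        table = self.tables.setdefault(ev.dst, OrderedDict())
        if ev.flags == "S":
            table[key] = ev.t
            if len(table) > self.max_half_open:
                # Cap exceeded: treat as a SYN flood, alert, drop the oldest half-open session.
                self.alerts.append(f"{ev.t:.1f}s {ev.dst}: half-open cap exceeded")
                self.dropped.append(table.popitem(last=False)[0])
        elif ev.flags == "A" and key in table:
            del table[key]                   # handshake finished; no longer half-open
            self.completed.append(key)


def run_sample() -> HalfOpenGuard:
    """Constructed traffic: one legitimate handshake, a burst of six SYNs from
    forged sources that never complete, then another legitimate handshake."""
    events = [SynEvent(0.0, "10.0.0.5", "192.0.2.10", "S"),
              SynEvent(0.1, "10.0.0.5", "192.0.2.10", "A")]
    events += [SynEvent(1.0 + i * 0.1, f"203.0.113.{i}", "192.0.2.10", "S") for i in range(1, 7)]
    events += [SynEvent(20.0, "10.0.0.6", "192.0.2.10", "S"),
               SynEvent(20.1, "10.0.0.6", "192.0.2.10", "A")]
    guard = HalfOpenGuard()
    for ev in events:
        guard.process(ev)
    return guard
```

Running `run_sample()` yields two completed handshakes, three cap alerts, and six dropped half-open sessions (three by cap, three by timeout), all from the forged sources, while the legitimate clients are unaffected.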