Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-19233 | NET-IDPS-010 | SV-21142r1_rule | EBBD-1 | Medium |
Description |
---|
A SYN flood sends a stream of TCP SYN packets, often with a forged source address. The server handles each packet as a connection request: it creates a half-open connection, replies with a TCP SYN-ACK, and waits for the final ACK from the sender address. Because that address is forged, the response never comes. These half-open connections exhaust the server's backlog of available connections, keeping it from responding to legitimate requests until the attack ends. |
STIG | Date |
---|---|
IDS/IPS Security Technical Implementation Guide | 2013-10-08 |
Check Text (C-23256r1_chk) |
---|
Review the IDPS configuration and verify that signatures are defined to protect against TCP SYN flood attacks. If the server farm is monitored by an IDS rather than an IPS that can block traffic inline, one of the following alternatives can be implemented: upon detection of a SYN flood attack, the IDS can dynamically push (or remotely configure) an ACL onto the upstream router or multi-layer switch, which then serves as the blocking device for the TCP SYN flood; alternatively, configure TCP Intercept on the first-hop router, MLS, or firewall that controls access to the server farm subnet (VLAN). |
Fix Text (F-19906r1_fix) |
---|
Apply current signatures to protect against SYN flood attacks. If the server farm is monitored by an IDS rather than an IPS that can block traffic inline, one of the following alternatives can be implemented: upon detection of a SYN flood attack, the IDS can dynamically push (or remotely configure) an ACL onto the upstream router or multi-layer switch, which then serves as the blocking device for the TCP SYN flood; alternatively, configure TCP Intercept on the first-hop router, MLS, or firewall that controls access to the server farm subnet (VLAN). |
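The description above explains the mechanism (a half-open connection exists from the client's SYN until its final ACK), and the check and fix text ask for detection of a SYN flood before an ACL push or TCP Intercept takes over. The following is an added example, not part of the STIG or any vendor's IDS code: a small half-open-backlog detector run over a constructed packet trace. The `Packet` record, the `window` and `threshold` values, and the sample addresses are all assumptions chosen for illustration; a real IDS would read flows or packets from a capture.

```python
"""Half-open (SYN flood) detector over a constructed packet trace.

Added example, not part of the STIG text. The packet record, thresholds and
addresses are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str       # client (possibly forged) address
    dst: str       # server address
    dport: int     # server port
    sport: int     # client port
    flags: str     # simplified TCP flag string: "S", "A", "R"


@dataclass
class Alert:
    ts: float
    server: Tuple[str, int]
    half_open: int          # entries still waiting for the client's ACK
    distinct_sources: int   # how many client addresses are behind them


def detect_syn_flood(packets: List[Packet], window: float = 10.0,
                     threshold: int = 50) -> List[Alert]:
    """Raise one alert per server the first time its half-open backlog,
    tracked over a sliding window, reaches `threshold`.

    Only client-side packets are tracked: a connection is half-open from the
    client's SYN until that client's ACK (third handshake step) or RST. A
    forged source never sends either, so its entry only leaves the table when
    the window (standing in for the server's backlog timeout) expires.
    """
    # server -> {(client addr, client port): timestamp of the SYN}
    half_open: Dict[Tuple[str, int], Dict[Tuple[str, int], float]] = defaultdict(dict)
    alerted: Set[Tuple[str, int]] = set()
    alerts: List[Alert] = []

    for p in sorted(packets, key=lambda x: x.ts):
        server = (p.dst, p.dport)
        client = (p.src, p.sport)
        table = half_open[server]

        if p.flags == "S":
            table[client] = p.ts
        elif p.flags in ("A", "R") and client in table:
            # Handshake completed or aborted by the client: no longer half-open
            del table[client]

        # Expire entries older than the window
        for key, t0 in list(table.items()):
            if p.ts - t0 > window:
                del table[key]

        if server not in alerted and len(table) >= threshold:
            alerted.add(server)
            alerts.append(Alert(p.ts, server, len(table),
                                len({addr for addr, _ in table})))
    return alerts


def constructed_trace() -> List[Packet]:
    """Constructed sample: five legitimate clients complete handshakes with the
    web server and three with the mail server; then 60 forged sources each
    send one SYN to the web server and nothing else."""
    pkts: List[Packet] = []
    for i in range(5):
        t, c, sp = i * 0.1, f"192.0.2.{i + 1}", 40000 + i
        pkts.append(Packet(t, c, "203.0.113.10", 80, sp, "S"))
        pkts.append(Packet(t + 0.02, c, "203.0.113.10", 80, sp, "A"))
    for i in range(3):
        t, c, sp = 0.5 + i * 0.1, f"192.0.2.{50 + i}", 41000 + i
        pkts.append(Packet(t, c, "203.0.113.20", 25, sp, "S"))
        pkts.append(Packet(t + 0.02, c, "203.0.113.20", 25, sp, "A"))
    for i in range(60):
        pkts.append(Packet(1.0 + i * 0.01, f"198.51.100.{i + 1}",
                           "203.0.113.10", 80, 50000 + i, "S"))
    return pkts


if __name__ == "__main__":
    for a in detect_syn_flood(constructed_trace()):
        print(f"{a.ts:.2f}s SYN flood suspected against {a.server[0]}:{a.server[1]} "
              f"({a.half_open} half-open from {a.distinct_sources} sources)")
```

The legitimate clients never accumulate in the table because their ACKs clear the entries, so only the forged-source backlog reaches the threshold; the alert carries the server socket, which is exactly what the ACL push or TCP Intercept policy in the fix text needs to target. Shortening `window` models a server that times out its backlog aggressively, and with the sample trace that alone keeps the backlog below threshold.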