The network device must drop half-open TCP connections through filtering thresholds or timeout periods.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-5646	NET0965	SV-15437r4_rule	ECSC-1	Medium

Description
A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker’s goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.

Description

A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker’s goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.

STIG	Date
Infrastructure Router Security Technical Implementation Guide Juniper	2017-06-27

Details

Check Text ( C-12902r7_chk )
Review the device configuration to validate threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device can not be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. JUNOS Configuration Example: firewall { policer TCP-SYN-Policer { if-exceeding { bandwidth-limit 500k; burst-size-limit 15k; } then discard; } family inet { filter DOS-Protect { . . . /* Term tcp-syn-fin-limit: Rate limit TCP packets with SYN/FIN/RST flags. */ term tcp-syn-fin-limit { from { protocol tcp; port [bgp ldp snmp snmptrap telnet ftp ftp-data ssh]; tcp-flags “syn \| fin \| rst”; } then policer TCP-SYN-Policer; } . . }

Check Text ( C-12902r7_chk )

Review the device configuration to validate threshold filters or timeout periods are set for dropping excessive half-open TCP connections.

For timeout periods, the time should be set to 10 seconds or less. If the device can not be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering.

JUNOS Configuration Example:
firewall {
policer TCP-SYN-Policer {
if-exceeding {
bandwidth-limit 500k;
burst-size-limit 15k;
}
then discard;
}

family inet {
filter DOS-Protect {
.
.
.
/* Term tcp-syn-fin-limit: Rate limit TCP packets with SYN/FIN/RST flags. */
term tcp-syn-fin-limit {
from {
protocol tcp;
port [bgp ldp snmp snmptrap telnet ftp ftp-data ssh];
tcp-flags “syn | fin | rst”;
}
then policer TCP-SYN-Policer;
}
.
.
}

Fix Text (F-5557r6_fix)
Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.