DES-7200 Configuration Guide Chapter 8 DoS Protection Configuration
Under normal conditions, the SYN flag (connection request flag) and the FIN flag
(connection termination flag) cannot both be set in the same TCP message, and the RFC
has no stipulations on how an IP protocol stack shall deal with such a malformed
message. Therefore, the protocol stacks of different operating systems handle such a
message in different ways. By exploiting this difference, an attacker sends a message
with both the SYN flag and the FIN flag set to identify the type of operating system,
and then initiates further attacks against the target operating system.
2. TCP message with no flag
Under normal conditions, any TCP message will contain at least one of the SYN, FIN,
ACK, RST and PSH flags. The first TCP message (the TCP connection request message)
will contain the SYN flag, and the following messages will all contain the ACK flag.
Based on this assumption, some protocol stacks have no handling process for a TCP
message with no flag, and such a protocol stack may crash upon receipt of such a
message. An attacker exploits this to attack the target host.
3. TCP message with FIN flag but no ACK flag
Under normal conditions, all messages except the first one (the SYN message) will
contain the ACK flag, including the TCP connection termination message (with the FIN
flag). However, some attackers may send a TCP message with the FIN flag but no ACK
flag to the target host, leading to a crash of the target host.
Self-consumption attack
In this attack, the attacker sends the target host a message with the same Layer-4
port number as the target host service, so that the target host sends TCP requests
and connections to itself. This attack quickly exhausts the target host's resources
and can even lead to a system crash.
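The checks described above can be expressed as detection logic over a raw TCP header. This is an added example, not code from the DES-7200 or its documentation; the function names and sample headers are constructed, and treating "same Layer-4 port number" as source port equal to destination port is an assumption.

```python
import struct

# TCP flag bits, stored in byte 13 of the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def classify_tcp_header(header):
    """Return the list of anomaly names that apply to a raw TCP header."""
    if len(header) < 20:
        return ["truncated-header"]
    src_port, dst_port = struct.unpack_from("!HH", header, 0)
    flags = header[13]
    findings = []
    # 1. SYN and FIN set in the same message
    if (flags & SYN) and (flags & FIN):
        findings.append("syn-and-fin")
    # 2. None of SYN, FIN, ACK, RST, PSH set
    if (flags & (SYN | FIN | ACK | RST | PSH)) == 0:
        findings.append("no-flags")
    # 3. FIN set without ACK (this also fires for SYN+FIN sent without ACK)
    if (flags & FIN) and not (flags & ACK):
        findings.append("fin-without-ack")
    # Self-consumption: assumed here to mean source port == destination port
    if src_port == dst_port:
        findings.append("same-src-dst-port")
    return findings


def build_header(src_port, dst_port, flags):
    """Build a constructed 20-byte TCP header (no options) for testing."""
    # Fields: ports, seq, ack, data offset (5 words), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 0x50, flags, 1024, 0, 0)


# Constructed sample headers, not captured traffic
SAMPLES = {
    "normal SYN": build_header(40000, 80, SYN),
    "SYN+FIN": build_header(40000, 80, SYN | FIN),
    "no flags": build_header(40000, 80, 0),
    "FIN only": build_header(40000, 80, FIN),
    "FIN+ACK": build_header(40000, 80, FIN | ACK),
    "same port": build_header(80, 80, SYN),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:12s} -> {classify_tcp_header(hdr) or 'ok'}")
```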
8.1.2 DoS Protection
Default DoS Protection Configuration
The default DoS protection configuration is given below:
Function                                  Default setting
Land attack protection                    Disabled
Invalid TCP message attack protection     Disabled
Self-consumption message attack