10
.6
.3 Packet Layer 4 Sanity Checks
10
.6
.3.1 TCP SYN Packet with Data
The TCP 3-way connection
setup
handshake begins
with a
TCP SYN packet, and is followed by a
TCP SYN/ACK reply
.
If
the TCP SYN or
SYN/ACK
packets contain any additional
TCP data beyond
the TCP header, this
may indicate that
the packet is being used
for some type of denial
-of
-service attack
.
The Bridge engine offers a mechanism
to detect
TCP SYN and
SYN/ACK
packets that have
associated
TCP data, assign a
packet command, and
to treat
the packet as a security breach event
.
For IPv4, a
TCP SYN packet with data is identified if
the following is true:
(IPv4<IHL>*4 +
TCP<Data Off
set>*4) < (IPv4<
Total Length>)
For IPv6, a
TCP SYN packet with data is identified if
the following is true:
(
TCP<Data off
set>*4) < (IPv6<payload length>)
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command, it is considered a security breach event
(Section
10
.6
.5, Bridge Security Breach Events), and is counted by
the Bridge Drop Counter
(Section
10
.15
.1.1, Bridge Drop Counter)
.
Configuration
To configure
the TCP SYN-with-Data Command, use
the <
TCP SYN With Data Command> field in
the Bridge Command Configuration
3 Register (Table
325 p
. 2227)
.
10
.6
.3.2
TCP Without Full Header
A
TCP packet without
the full
TCP header is a potential security threat
.
A
TCP packet is considered
without full header if
the TCP header size is less than 20 bytes
. For
fragmented
packets it is required that
TCP header of
the first fragment is at least 20 bytes
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the TCP without Full Header Command, use
the <
TCP Without Full Header
Command> field in
the Bridge Command Configuration
3 Register (Table
325 p
. 2227) accordingly
.TCP over MAC Multicast/Broadcast
IPv4/6
TCP is a reliable point
-to-point L4 pro
tocol, and is not intended
to be transported over a MAC
Broadcast or Multicast
packet.
A
packet identified as an IPv4/6
TCP packet with a MAC DA a over Broadcast or Multicast address
is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command, it is considered a security breach event
(Section
10
.6
.5, Bridge Security Breach Events), and is counted by
the Bridge Drop Counter
(Section
10
.15
.1.1, Bridge Drop Counter)
.
Configuration
To configure
the TCP-over
-MC/BC Command, use
the <
TCP Over MC Command> field in
the
Bridge Command Configuration
3 Register (Table
325 p
. 2227)
.
10
.6
.3.4 Zero
TCP Flags
A
TCP packet with the flags all
set to zero is illegal and is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command, it is considered a security breach event
(Section
10
.6
.5, Bridge Security Breach Events), and is counted by
the Bridge Drop Counter
(Section
10
.15
.1.1, Bridge Drop Counter)
.
Configuration
To configure
the TCP-Flags-Are
-Zero Command, use
the <
TCP Flages Zero Command> field in
the
Bridge Command Configuration
3 Register (Table
325 p
. 2227) accordingly
.
10
.6
.3.5
TCP Flags with FIN
-URG
-PSH
A
TCP packet with the TCP FIN, URG, and PSH
flags set is illegal and is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counte Configuration
To configure
the FIN
withURG
withPSH Command, use
the <FIN
With URG
With PSH Command>
field in
the Bridge Command Configuration
3 Register (Table
325 p
. 2227) accordingly
.
10
.6
.3.6
TCP Flags with SYN-FIN
A
TCP packet with the TCP SYN and FIN
flags both
set is illegal and is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the SYNwithFIN Command, use
the <
SYN With FIN Command> field in
the Bridge
Command Configuration
3 Register (Table
325 p
. 2228) accordingly
.
10
.6
.3.7
TCP Flags with SYN-RST
A
TCP packet with the TCP SYN and RST
flags both
set is illegal and is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the SYNwithRST Command, use
the <
TCP SYN With RST Command> field in
the
Bridge Command Configuration
3 Register (Table
325 p
. 2228) accordingly
.
10
.6
.3.8
TCP Flags with FIN
without ACK
A
TCP packet with the TCP FIN
flag set and ACK
flag re
set is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the FIN
withoutACK Command, use
the <
TCP FIN
without ACK Command> field in
the
Bridge Command Configuration
3 Register (Table
325 p
. 2227) accordingly
.
10
.6
.3.9 Zero
TCP/UDP Port
A
TCP/UDP
packet with a zero source or destination port is illegal and is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the TCPUDPZeroPort Command, use
the <
TCPUDP Zero Port Command> field in
the
Bridge Command Configuration
3 Register (Table
325 p
. 2228) accordingly
.
10
.6
.3.10 Source IP (SIP) is Destination IP (DIP)
An IP
packet with a source IP address equal
to the destination IP address is a potential security
threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the SIPisDIP Command, use
the <SIP is DIP command> field in
the Bridge Command
Configuration2 Register (Table
324 p
. 2226) accordingly
TCP/UDP Source Port is Destination Port
A
TCP/UDP
packet with a source L4 port equal
to the destination L4 port is a potential security
threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the SPORTisDPORT Command, use
the <
TCP/UDP SPORT is DPORT Command>
field in
the Bridge Command Configuration
3 Register (Table
325 p
. 2227) accordingly
.
10
.6
.3.12 Fragmented ICMPv4
A fragmented ICMPv4
packet is a potential security threat
.
The packet is assigned one of
the following commands:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned a DROP command it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To assign
the command
for fragmented ICMPv4
packets, use
the <Fragmented ICMP Command>
field in
the Bridge Command Configuration
1 Register (Table
32
3 p
. 2226) accordingly
. ARP MAC SA Mismatch
The Address Resolution Pro
tocol (ARP) is defined in RFC 826
. ARP
packets contain a MAC header
followed by
the ARP payload data
.
The ARP payload data contains a field called <source hardware address>
.
E
thernet ARP
packets must have a MAC header SA that matches
the ARP payload <source
hardware address>
. If this is not
the case,
the packet is suspicious and may be a denial
-of
-service
attack
.
Per ePort
the ARP SA mismatch check
for ARP
packets can be enabled
. If MAC SA mismatch is
discovered a global command is applied
to the ARP
packet. The global command options are:
FORWARD
MIRROR
TRAP
HARD DROP
SOFT DROP
If
the packet is assigned DROP command, it is considered a security breach event (Section
10
.6
.5,
Bridge Security Breach Events), and it is counted by
the Bridge Drop Counter (Section
10
.15
.1.1,
Bridge Drop Counter)
.
Configuration
To configure
the global ARP MAC SA Mismatch Command, use
the <ARP SA Mismatch
Enable> field in
the Bridge Global Configuration0 Register (Table
319 p
. 22
15)
.
To configure
the per
-ePort ARP MAC SA Mismatch Drop enable, use
the <ARP SA Mismatch
Command> field in
the Bridge Command Configuration0 Register (Table
322 p
. 222
3) 翻译一下
本文详细介绍了TCP协议中三次握手的过程及意义。通过SYN和ACK标志位的交互,确保了连接建立的可靠性。首次握手发送方设置SYN标志并发送初始化序列号(ISN),接收方以SYN-ACK回应确认序列号加一,最后完成握手通过ACK确认。
扫一扫
977
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
