Protecting Against TCP RST or SYN DoS Attacks

You can use the tcp ack-rst-and-syn command to help protect the router from denial of service (DoS) attacks.

Normally, when it receives an RST or SYN message for an existing connection, TCP attempts to shut down the TCP connection. This action is expected under normal conditions, but someone maliciously generating otherwise valid RST or SYN messages can cause problems for network applications and the network as a whole.

When you enable the tcp ack-rst-and-syn command, the router challenges any RST or SYN messages that it receives by sending an ACK message back to the expected source of the message. The source reacts in one of the following ways:

• If the source did send the RST or SYN message, it recognizes the ACK message to be spurious and resends another RST or SYN message. The second RST or SYN message causes the router to shut down the connection.
• If the source did not send the RST or SYN message, the source accepts the ACK message as part of an existing connection. As a result, the source does not send another RST or SYN message and the router does not shut down the connection.

  Note: Enabling this command slightly modifies the way TCP processes RST or SYN messages to ensure that they are genuine.

tcp ack-rst-and-syn

• Use to help protect the router from TCP RST and SYN denial of service attacks.
• Example

  host1(config)#tcp ack-rst-and-syn

• Use the no version to disable this protection (the default mode).
• See tcp ack-rst-and-syn

Copyright © 2008, Juniper Networks, Inc. All rights reserved. Trademark Notice.