Related Documentation

  • Monitoring TCP Statistics for IPv6
  • Monitoring the TCP Resequencing Buffer Management Functions
  • Monitoring TCP Statistics for IP
  • tcp resequence-buffers connection-maximum
  • tcp resequence-buffers default-connection-maximum
  • tcp resequence-buffers default-vr-maximum
  • tcp resequence-buffers global-maximum
  • tcp resequence-buffers vr-maximum
 

Protecting Against TCP Out-of-Order DoS Attacks

You can use the group of tcp resequence-buffers commands to help protect the router from TCP out-of-order packet DoS attacks.

TCP guarantees that applications receive data in order. This means that TCP buffers any out-of-order packets it receives until ordered delivery can occur.

To prevent connections from consuming too many resources, TCP limits the amount of data it accepts to the number of data bytes that the receiver is willing to receive and buffer. TCP does not take into account the buffering scheme that the receiver uses. If the receiver stores every packet in a fixed-size receive buffer regardless of the packet's length, a packet that carries only one data byte can consume many bytes of buffer space while counting as only one byte of TCP window space.

Under these conditions, an attacker can send a large number of 1-byte packets to an E Series router. Each packet is buffered and occupies an entire packet buffer, so the flood eventually consumes a large amount of router resources.

To defend against this sort of attack, you can set defaults and limits on the number of outstanding buffers on reordering queues. You can configure these defaults and limits on a per-router, per-virtual-router, or per-connection (within a virtual router) basis.

You can protect the router from TCP out-of-order packet DoS attacks with the following tasks:

  • Limiting TCP Resequence Buffers per Router
  • Limiting TCP Resequence Buffers per Virtual Router
  • Limiting TCP Resequence Buffers per Connection

Limiting TCP Resequence Buffers per Router

To limit the number of outstanding buffers on the entire router:

  • Issue the tcp resequence-buffers global-maximum command in Global Configuration mode.
    host1(config)#tcp resequence-buffers global-maximum

    You can specify a value of zero (0) to turn off the limit. You can use the no version to revert the global maximum buffer value to its default, 1000 buffers.

Limiting TCP Resequence Buffers per Virtual Router

You can limit the number of outstanding buffers on existing or newly established virtual routers using the tcp resequence-buffers vr-maximum and tcp resequence-buffers default-vr-maximum commands.

To specify the default buffer limit assigned to all virtual routers when the virtual router is established:

  • Issue the tcp resequence-buffers default-vr-maximum command in Global Configuration mode.
    host1(config)#tcp resequence-buffers default-vr-maximum 200

    You can specify a value of zero (0) to turn off the limit assignment. You can use the no version to revert the virtual router maximum value to its default, 100 buffers.

To define the maximum number of buffers that the current or specified virtual router can use:

  • Issue the tcp resequence-buffers vr-maximum command in Global Configuration mode.
    host1(config)#tcp resequence-buffers vr-maximum

    You can specify a value of zero (0) to turn off the limit assignment. You can use the no version to revert the virtual router maximum value to its default, 100 buffers.

Limiting TCP Resequence Buffers per Connection

You can limit the number of outstanding buffers on existing or newly established connections using the tcp resequence-buffers connection-maximum and tcp resequence-buffers default-connection-maximum commands.

To define the maximum number of buffers that connections on the current or specified virtual router can use:

  • Issue the tcp resequence-buffers connection-maximum command in Global Configuration mode.
    host1(config)#tcp resequence-buffers connection-maximum 50

    You can specify a value of zero (0) to turn off the connection maximum. You can use the no version to revert the connection maximum value to its default, 10 buffers.

To specify the default buffer limit assigned to all TCP connections on a virtual router, used unless a specific limit is set for the virtual router in which the connection is established:

  • Issue the tcp resequence-buffers default-connection-maximum command in Global Configuration mode.
    host1(config)#tcp resequence-buffers default-connection-maximum 100

    You can specify a value of zero (0) to turn off the connection maximum. You can use the no version to revert the connection maximum value to its default, 10 buffers.
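As an added illustration (not JunosE code), the following Python model applies the three limit levels described above to a stream of 1-byte out-of-order segments: a segment gets a buffer only while the connection, its virtual router, and the router as a whole are all below their limits, a limit of zero means no limit, and a virtual router without a specific setting falls back to the page's defaults (1000, 100 and 10 buffers). The names Router, Limits, buffer_out_of_order and flood are assumptions of this example.

```python
from dataclasses import dataclass, field

# Defaults quoted in the procedure above: 1000 global, 100 per VR, 10 per connection.
DEFAULT_GLOBAL, DEFAULT_VR, DEFAULT_CONN = 1000, 100, 10


@dataclass
class Limits:
    global_maximum: int = DEFAULT_GLOBAL            # 0 turns a limit off
    default_vr_maximum: int = DEFAULT_VR
    default_connection_maximum: int = DEFAULT_CONN
    vr_maximum: dict = field(default_factory=dict)          # vr -> limit for that VR
    connection_maximum: dict = field(default_factory=dict)  # vr -> limit for its connections


@dataclass
class Router:
    """Simplified model of resequence-buffer accounting (assumed, not JunosE internals)."""
    limits: Limits = field(default_factory=Limits)
    global_used: int = 0
    vr_used: dict = field(default_factory=dict)    # vr -> buffers in use
    conn_used: dict = field(default_factory=dict)  # (vr, conn) -> buffers in use

    def _ok(self, used: int, limit: int) -> bool:
        # A limit of zero means "no limit"; otherwise the count must stay below it.
        return limit == 0 or used < limit

    def buffer_out_of_order(self, vr: str, conn: str) -> bool:
        """Try to queue one out-of-order segment; return True if a buffer was granted."""
        vr_limit = self.limits.vr_maximum.get(vr, self.limits.default_vr_maximum)
        conn_limit = self.limits.connection_maximum.get(vr, self.limits.default_connection_maximum)
        if not (self._ok(self.global_used, self.limits.global_maximum)
                and self._ok(self.vr_used.get(vr, 0), vr_limit)
                and self._ok(self.conn_used.get((vr, conn), 0), conn_limit)):
            return False  # segment is dropped instead of consuming another buffer
        self.global_used += 1
        self.vr_used[vr] = self.vr_used.get(vr, 0) + 1
        self.conn_used[(vr, conn)] = self.conn_used.get((vr, conn), 0) + 1
        return True


def flood(router: Router, vr: str, conn: str, segments: int) -> int:
    """Send `segments` 1-byte out-of-order segments on one connection; return how many got a buffer."""
    return sum(router.buffer_out_of_order(vr, conn) for _ in range(segments))
```

With the defaults, flood(Router(), "vr1", "attacker", 5000) returns 10: the flooding connection is held to its 10-buffer share, and other connections on the same virtual router still obtain buffers.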


Published: 2012-06-20