How to Determine if DoS Classified TCP SYN Cookie Alarm Activates and Triggers Maximal Rate

35165
Created On 09/25/18 17:50 PM - Last Modified 06/09/23 03:14 AM


Resolution


Overview

This document describes how to determine if the configured DoS Classified TCP SYN cookie alarm activates, then triggers the maximal rate at the correct threshold.

 

PAN-OS supports SYN cookies and Random Early Drop (RED) for protection against SYN floods. A SYN flood overwhelms a host or a network with incomplete TCP connections: the attacker eventually fills the victim device's memory buffers or spikes its CPU utilization. When the buffers are full or the CPU is overwhelmed, the host cannot process new TCP connection requests, and the flood might even damage the victim's operating system. Either way, the attack disables the victim and its normal operations.

 

SYN Cookie is a near-stateless SYN proxy mechanism. Unlike traditional SYN proxy mechanisms, when a SYN segment is received, SYN cookie doesn't set up a session or do policy or route lookups, and it doesn't maintain a connection request queue. This lets the Palo Alto Networks firewall keep CPU load optimal and prevent exhaustion of packet buffers. With SYN Cookie, the firewall acts as a man-in-the-middle for the TCP handshake.

 

Topology:

Client ------------------------ (Untrust)PA(DMZ) --------------------------- Server

 

Steps

  1. Configure a DoS Protection Profile.
    (Screenshot: Screen Shot 2014-03-16 at 7.39.10 PM.png)
  2. Configure a DoS Policy under Policies > DoS Protection.
    (Screenshot: Screen Shot 2014-03-16 at 7.08.59 PM.png)
  3. Run the DoS attack tool on the client to simulate a TCP SYN attack at the activate rate threshold.
    (Screenshot: Screen Shot 2014-03-16 at 7.05.49 PM.png)
  4. Capture packets on the client.
    (Screenshot: Screen Shot 2014-03-16 at 7.11.14 PM.png)
  5. Analyze the packet capture in Wireshark. The SYN cookie activates when the activate threshold of 6 is reached; the SYN-ACK segments generated by the SYN cookie mechanism carry a window size of 0.
    Note: In Wireshark, apply the display filter tcp.flags.syn == 1 and add a "Calculated Window Size" column using the field tcp.window_size.
    (Screenshot: Screen Shot 2014-03-16 at 7.16.12 PM.png)
  6. Run the DoS attack tool on the client to simulate a TCP SYN attack at the configured alarm rate threshold.
    (Screenshot: Screen Shot 2014-03-16 at 7.34.02 PM.png)
    From the WebGUI, go to Monitor > Log > Threat and check for logs where the packets-per-second rate produces an entry like the following example. This is the alarm rate trigger:
    (Screenshot: Screen Shot 2014-03-12 at 10.14.29 AM.png)
  7. Run the DoS attack tool on the client to simulate a TCP SYN attack at the maximal rate threshold.
    (Screenshot: Screen Shot 2014-03-16 at 7.40.10 PM.png)
    Issue the CLI command > show counter global | match dos. The counters shown are the maximal rate trigger.
    (Screenshot: Screen Shot 2014-03-16 at 7.47.27 PM.png)
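Step 5 verifies activation by eye in Wireshark. The following script, added here as an example and not part of the original article or of any Palo Alto Networks tool, automates the same check: it reads a classic pcap file (the format tcpdump and Wireshark write by default), counts client SYNs, and reports at which SYN the first SYN-ACK with TCP window size 0 appears, then compares that with the configured activate threshold of 6. The client and server addresses, the frames and the pcap container built by build_frame and build_pcap are constructed sample data; on a real capture, pass the file's bytes to check_threshold instead.

```python
"""Find where the SYN cookie proxy activates (SYN-ACK with window 0) in a capture."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
TCP_SYN = 0x02
TCP_ACK = 0x10

CLIENT, SERVER = "10.1.1.10", "192.168.1.20"  # constructed addresses for the sample
ACTIVATE_THRESHOLD = 6  # the activate rate configured in the profile above


def parse_frame(frame):
    """Return (src_ip, dst_ip, tcp_flags, window) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 20:  # protocol 6 = TCP, need a full TCP header
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    flags = tcp[13]                      # TCP flag byte follows the data-offset byte
    window = struct.unpack("!H", tcp[14:16])[0]
    return src, dst, flags, window


def iter_pcap_frames(data):
    """Yield raw frames from classic pcap bytes (either byte order; not pcapng)."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a classic pcap file")
    off = 24                             # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def syn_cookie_activation(frames, client_ip, server_ip):
    """Count client SYNs until the first server-side SYN-ACK with window 0.
    Returns the SYN count at that moment, or None if the cookie never activated."""
    syns = 0
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, flags, window = parsed
        is_syn = bool(flags & TCP_SYN) and not (flags & TCP_ACK)
        is_synack = (flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)
        if src == client_ip and dst == server_ip and is_syn:
            syns += 1
        elif src == server_ip and dst == client_ip and is_synack and window == 0:
            return syns
    return None


def check_threshold(pcap_bytes, threshold=ACTIVATE_THRESHOLD):
    """Return (SYN number at activation, whether it equals the configured threshold)."""
    at = syn_cookie_activation(iter_pcap_frames(pcap_bytes), CLIENT, SERVER)
    return at, at == threshold


def build_frame(src_ip, dst_ip, flags, window, sport=40000, dport=80):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; sample data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (constructed sample)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)


def sample_capture():
    """Constructed capture: 8 SYNs; SYN-ACKs carry window 0 from the 6th SYN on."""
    frames = []
    for n in range(1, 9):
        frames.append(build_frame(CLIENT, SERVER, TCP_SYN, 64240, sport=40000 + n))
        window = 0 if n >= ACTIVATE_THRESHOLD else 65535
        frames.append(build_frame(SERVER, CLIENT, TCP_SYN | TCP_ACK, window,
                                  sport=80, dport=40000 + n))
    return build_pcap(frames)


if __name__ == "__main__":
    at, ok = check_threshold(sample_capture())
    print(f"SYN cookie activated at SYN #{at}: "
          f"{'matches' if ok else 'does not match'} the configured threshold")
```

The window-0 test is the same criterion as the Wireshark column in step 5: a SYN-ACK from the cookie proxy advertises a zero window, whereas a SYN-ACK passed through from the real server advertises its normal window. If check_threshold reports activation earlier or later than the configured value, the profile or policy from steps 1 and 2 is the first thing to re-check.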

owner: jlunario


