- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Restrictions for Configuring Firewall TCP SYN Cookie
- Information About Configuring Firewall TCP SYN Cookie
- How to Configure Firewall TCP SYN Cookie
Configuring Firewall TCP SYN Cookie
The Firewall TCP SYN Cookie feature protects your firewall from TCP SYN-flooding attacks. TCP SYN-flooding attacks are a type of denial-of-service (DoS) attack. Usually, TCP synchronization (SYN) packets are sent to a targeted end host or a range of subnet addresses behind the firewall. These TCP SYN packets have spoofed source IP addresses. A spoofing attack is when a person or a program pretends to be another by falsifying data and thereby gaining an illegitimate advantage. TCP SYN-flooding can take up all resources on a firewall or an end host, thereby causing DoS to legitimate traffic. To prevent TCP SYN-flooding on a firewall and the end hosts behind the firewall, you must configure the Firewall TCP SYN Cookie feature.
- Finding Feature Information
- Restrictions for Configuring Firewall TCP SYN Cookie
- Information About Configuring Firewall TCP SYN Cookie
- How to Configure Firewall TCP SYN Cookie
- Configuration Examples for Firewall TCP SYN Cookie
- Additional References for Firewall TCP SYN Cookie
- Feature Information for Configuring Firewall TCP SYN Cookie
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Configuring Firewall TCP SYN Cookie
Because a default zone does not support zone type parameter map, you cannot configure the Firewall TCP SYN Cookie feature for a default zone.
The Firewall TCP SYN Cookie feature does not support per-subscriber firewall.
Information About Configuring Firewall TCP SYN Cookie
TCP SYN Flood Attacks
The Firewall TCP SYN Cookie feature implements software to protect the firewall from TCP SYN-flooding attacks, which are a type of DoS attack.
A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection. Because these messages have unreachable return addresses, the connections cannot be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests, thereby preventing legitimate users from connecting to a website, accessing e-mail, using FTP service, and so on.
SYN flood attacks are divided into two types:
Host flood—SYN flood packets are sent to a single host aiming to utilize all resources on that host.
Firewall session table flood—SYN flood packets are sent to a range of addresses behind the firewall, with the aim of exhausting the session table resources on the firewall and thereby denying resources to the legitimate traffic going through the firewall.
The Firewall TCP SYN Cookie feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. The firewall intercepts TCP SYN packets that are sent from clients to servers. When the TCP SYN cookie is triggered, it acts on all SYN packets that are destined to the configured VPN Routing and Forwarding (VRF) or zone. The TCP SYN cookie establishes a connection with the client on behalf of the destination server and another connection with the server on behalf of the client and knits together the two half-connections transparently. Thus, connection attempts from unreachable hosts will never reach the server. The TCP SYN cookie intercepts and forwards packets throughout the duration of the connection.
The Firewall TCP SYN Cookie feature provides session table SYN flood protection for the global routing domain and for the VRF domain. Because the firewall saves sessions in a global table, you can configure a limit to the number of TCP half-opened sessions. A TCP half-opened session is a session that has not reached the established state. In a VRF-aware firewall, you can configure a limit to the number of TCP half-opened sessions for each VRF. At both the global level and at the VRF level, when the configured limit is reached, the TCP SYN cookie verifies the source of the half-opened sessions before creating more sessions.
How to Configure Firewall TCP SYN Cookie
Configuring Firewall Host Protection
TCP SYN packets are sent to a single host with the aim of taking over all resources on the host. You can configure host protection only for the source zone. Configuring protection on the destination zone will not protect the destination zone from TCP SYN attacks.
Perform this task to configure the firewall host protection.
Note | You can specify the show commands in any order. |
1.
enable
2.
configure
terminal
3.
parameter-map
type
inspect-zone
zone-pmap-name
4.
tcp
syn-flood
rate
per-destination
maximum-rate
5.
max-destination
limit
6.
exit
7.
zone
security
zone-name
8.
protection
parameter-map-name
9.
exit
10.
show
parameter-map
type
inspect-zone
zone-pmap-name
11.
show
zone
security
12.
show
policy-firewall
stats
zone
zone-name
DETAILED STEPS
Configuring Firewall Session Table Protection
TCP SYN packets are sent to a range of addresses behind the firewall aiming to exhaust the session table resources on the firewall, thereby denying resources to the legitimate traffic going through the firewall. You can configure firewall session table protection either for the global routing domain or for the VRF domain.
- Configuring Firewall Session Table Protection for Global Routing Domain
- Configuring Firewall Session Table Protection for VRF Domain
Configuring Firewall Session Table Protection for Global Routing Domain
Perform this task to configure firewall session table protection for global routing domains.
Note | A global parameter map takes effect on the global routing domain and not at the router level. |
1.
enable
2.
configure
terminal
3.
parameter-map
type
inspect
global
4.
tcp
syn-flood
limit
number
5.
end
6.
show
policy-firewall
stats
vrf
global
DETAILED STEPS
Configuring Firewall Session Table Protection for VRF Domain
Perform this task to configure the firewall session table protection for VRF domains.
Note | You can specify the show commands in any order. |
1.
enable
2.
configure
terminal
3.
parameter-map
type
inspect-vrf
vrf-pmap-name
4.
tcp
syn-flood
limit
number
5.
exit
6.
parameter-map
type
inspect
global
7.
vrf
vrf-name
inspect
parameter-map-name
8.
end
9.
show
parameter-map
type
inspect-vrf
10.
show
policy-firewall
stats
vrf
vrf-name
DETAILED STEPS
Configuration Examples for Firewall TCP SYN Cookie
Example Configuring Firewall Host Protection
The following example shows how to configure the firewall host protection:
Router(config)# parameter-map type inspect-zone zone-pmap
Router(config-profile)# tcp syn-flood rate per-destination 400
Router(config-profile)# max-destination 10000
Router(config-profile)# exit
Router(config)# zone security secure-zone
Router(config-sec-zone)# protection zone-pmap
Example Configuring Firewall Session Table Protection
Global Parameter Map
The following example shows how to configure firewall session table protection for global routing domains:
Router# configure terminal
Router(config)# parameter-map type inspect global
Router(config-profile)# tcp syn-flood limit 500
Router(config-profile)# end
Inspect-VRF Type Parameter Map
The following example shows how to configure firewall session table protection for VRF domains:
Router# configure terminal
Router(config)# parameter-map type inspect-vrf vrf-pmap
Router(config-profile)# tcp syn-flood limit 200
Router(config-profile)# exit
Router(config)# parameter-map type inspect global
Router(config-profile)# vrf vrf1 inspect vrf-pmap
Router(config-profile)# end
Additional References for Firewall TCP SYN Cookie
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Configuring Firewall TCP SYN Cookie
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Feature Name |
Releases |
Feature Information |
---|---|---|
Firewall TCP SYN Cookie |
Cisco IOS XE Release 3.3S |
The Firewall TCP SYN Cookie feature protects your firewall from TCP SYN-flooding attacks. TCP SYN-flooding attacks are a type of DoS attack. Usually, TCP SYN packets are sent to a targeted end host or a range of subnet addresses behind the firewall. These TCP SYN packets have spoofed source IP addresses. A spoofing attack is when a person or a program pretends to be another by falsifying data and thereby gaining an illegitimate advantage. The TCP SYN-flooding can take up all the resource on a firewall or an end host, thereby causing DoS to legitimate traffic. To prevent TCP SYN-flooding on a firewall and the end hosts behind the firewall, you must configure the Firewall TCP SYN Cookie feature. The following commands were introduced or modified: parameter-map type inspect-vrf, parameter-map type inspect-zone, parameter-map type inspect global, show policy-firewall stats, tcp syn-flood rate per-destination, tcp syn-flood limit. |