TCP-UDP
TCP ensures control of data during their transfer. Its role is to check that IP packets sent are received in good order, without any loss of changes integrity-wise.
UDP may replace TCP in the event of minor problems, as it ensures a more fluid transfer since it does not control each of the transmission stages. For example, it is suitable for streaming applications (audio/video broadcast) for which packet loss is not vital. Indeed, during these transmissions, lost packets are ignored.
Profiles screen
IPS-Connection tab
Inspection
| Impose MSS limit | This option allows you to set an MSS (Maximum Segment Size) limit for the inspection of the profile. NOTE If this option is selected, you will enable the following field, which would allow you to set your limit. |
| MSS limit (in bytes) | Define your MSS limit, between 100 and 65535 bytes. |
| Rewrite TCP sequences with strong random values (arc4). | If this option is selected, TCP sequence numbers generated by the client and server will be overwritten and replaced with the Stormshield Network intrusion prevention engine, which will produce random sequence numbers. |
| Enable protection from repeated sending of ACK packets | If this option is selected, you are protecting yourself from session hijacking or “ACK” attacks. |
| Enable automatic adjustment of memory allocated to data tracking | If this option is selected, you will be allowing the firewall to dynamically adjust the memory allocated to data tracking. The maximum value of dynamically allocated memory is equal to the size of the TCP window divided by the MSS limit. When this checkbox is selected, the maximum value becomes 256. |
| Enable application tracking | This option allows you to log application identifiers in alarm and connection logs in order to generate a report based on these application identifiers. |
Protection against denial of service attacks
Connection restrictions
| Maximum number of TCP connections per source IP address (0 disables this protection) | This option makes it possible to restrict the number of TCP connections for a single source IP address. When the selected value is 0, no restrictions will be applied. IMPORTANT |
| Maximum number of UDP sessions per source IP address (0 disables this protection) | This option makes it possible to restrict the number of UDP sessions for a single source IP address. When the selected value is 0, no restrictions will be applied. IMPORTANT |
Frequency restrictions
| Shortest interval (s) between new TCP connections for a source IP address (0 disables this protection) | With this option, you can set the duration (in seconds) that a source IP address has to wait between the setup of two new TCP connections. If the interval detected between two new connections initiated by the same source IP address is lower than this value, protection will be activated. IMPORTANT |
| Shortest interval (s) between UDP sessions for a source IP address (0 disables this protection) |
With this option, you can set the duration (in seconds) that a source IP address has to wait between the setup of two new UDP sessions. If the interval detected between two new sessions initiated by the same source IP address is lower than this value, protection will be activated. IMPORTANT
|
Restrictions on initial TCP/UDP packets received
| Maximum number of SYN packets received per second for a source IP address | This option makes it possible to set the maximum number of initial TCP connections (SYN packets) received from a single source IP address per second. This option makes it possible to protect the firewall from SYN flooding (DDoS) attacks. |
| Maximum number of initial UDP packets received per second for a source IP address |
This option makes it possible to set the maximum number of initial UDP packets received from a single source IP address per second. This option makes it possible to protect the firewall from UDP flooding (DoS) attacks. |
NOTE
To track the values of simultaneous connection counters, use the command: sfctl -s host -v.
Timeout (seconds)
| Connection opening timeout (SYN) | Maximum time, in seconds, allowed to fully establish the TCP connection (SYN / SYN+ACK / ACK). It has to be between 10 and 60 (default value: 20 seconds). |
| TCP connection | Maximum duration in seconds for which the state of an idle connection is kept. It has to be between 30 and 604800 (default value: 3600 seconds). |
| UDP session | Maximum time, in seconds, the state of an idle UDP pseudo-connection is kept. It has to be between 30 and 604800 (default value: 120 seconds). |
| Connection closing timeout (FIN) | Maximum time, in seconds, allowed for the TCP connection closing phase (FIN+ACK / ACK / FIN+ACK / ACK). This value has to be between 10 and 3600 seconds (default value: 480 seconds). |
| Closed connections | Number of seconds a closed connection (closed state) is kept in the connection table. It has to be between 2 and 60 seconds (default value: 2 seconds). |
| Small TCP window | To avoid Denial of Service attacks, the counter determine the lifetime of a connection with a small TCP window (lower than 100 byte). This counter is reset when the first small window announcement is received. If no new message is received to increase the window size before this counter expires, the TCP connection will be closed. |
Support
| Disable the SYN proxy | If this option is selected, you will no longer be protected from “SYN” attacks, as the proxy will no longer filter packets. We advise you to disable this option for debug purposes only. |