
Configuring Defense Against TCP Timestamps-based Attacks

Context

RFC 1323 introduces TCP extensions for high performance, including the TCP Timestamps option and Protect Against Wrapped Sequence Numbers (PAWS). PAWS uses the Timestamps option to reject old duplicate segments on the same connection: the receiver records the most recent timestamp value it accepted from the peer and discards any later segment whose timestamp value is older than the recorded one.

If an attacker injects a large number of TCP segments carrying a very large Timestamps value into a connection on a host that has this vulnerability, the host records that value as the most recent timestamp received from the peer when it processes the segments. PAWS then discards the subsequent legitimate segments, because their Timestamps values are smaller than the recorded one and the host treats them as out-of-date or invalid. The connection stalls, causing a denial of service (DoS).

To defend against this, configure the device to block TCP packets whose Options field carries the Timestamps option, or to clear the Timestamps option from those packets.

Procedure

  1. In the user view, access the system view.

    system-view

  2. Configure an action for TCP packets whose options field contains the Timestamps option.

    firewall defend tcp-timestamp { block | clear | allow }

    By default, TCP packets whose Options field carries the Timestamps option are allowed.

    Clearing the Timestamps option of a TCP packet makes Round-Trip Time Measurement (RTTM) and PAWS unavailable to the endpoints on that connection. Blocking drops every TCP packet that carries the Timestamps option, including connection setup from hosts that negotiate the option, so check the impact on legitimate traffic before choosing block.
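The following Python model is an added example and is not Huawei code or the device's implementation. It builds constructed TCP headers carrying the Timestamps option, applies a simplified PAWS receiver check (signed 32-bit comparison against the last accepted timestamp, without the in-window and 24-day idle conditions of the RFC), and models the three actions of firewall defend tcp-timestamp on the raw header. Running it with allow reproduces the stall described above; block and clear show what each action costs. All packet contents, ports and timestamp values are constructed for the demonstration.

```python
"""Model of PAWS and of the block/clear/allow actions on the TCP Timestamps option.
Added example, not Huawei code; all traffic below is constructed."""
import struct

TS_KIND = 8   # option kind for Timestamps
TS_LEN = 10   # kind, length, TSval (4), TSecr (4)


def build_tcp_header(sport, dport, seq, ack, tsval, tsecr=0, flags=0x10, window=65535):
    """Build a minimal TCP header (checksum left zero) with NOP NOP Timestamps,
    the 12-byte option layout common Linux stacks emit."""
    opts = b"\x01\x01" + struct.pack("!BBII", TS_KIND, TS_LEN, tsval, tsecr)
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      data_offset << 4, flags, window, 0, 0)
    return hdr + opts


def parse_options(tcp):
    """Return [(kind, offset_in_header, value_bytes)] for every non-NOP option."""
    data_offset = (tcp[12] >> 4) * 4
    opts = tcp[20:data_offset]
    i, result = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:           # End of option list
            break
        if kind == 1:           # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((kind, 20 + i, opts[i + 2:i + length]))
        i += length
    return result


def get_tsval(tcp):
    """TSval of the Timestamps option, or None if the header carries none."""
    for kind, _off, val in parse_options(tcp):
        if kind == TS_KIND and len(val) == 8:
            return struct.unpack("!II", val)[0]
    return None


def defend_tcp_timestamp(tcp, action):
    """Model of `firewall defend tcp-timestamp { block | clear | allow }`.
    Returns the (possibly rewritten) header, or None when the packet is dropped."""
    ts_offsets = [off for kind, off, _ in parse_options(tcp) if kind == TS_KIND]
    if action == "allow" or not ts_offsets:
        return tcp
    if action == "block":
        return None
    if action == "clear":
        # Overwrite the whole option with NOPs so the data offset stays valid;
        # the endpoint then sees no Timestamps option at all.
        buf = bytearray(tcp)
        for off in ts_offsets:
            buf[off:off + TS_LEN] = b"\x01" * TS_LEN
        return bytes(buf)
    raise ValueError("unknown action: %s" % action)


class PawsState:
    """Receiver-side PAWS state (TS.Recent) for one connection, simplified."""

    def __init__(self):
        self.ts_recent = None

    def accept(self, tcp):
        tsval = get_tsval(tcp)
        if tsval is None:
            return True                     # no timestamp: PAWS does not apply
        if self.ts_recent is not None and \
                (tsval - self.ts_recent) & 0xFFFFFFFF > 0x7FFFFFFF:
            return False                    # TSval older than TS.Recent: old duplicate
        self.ts_recent = tsval
        return True


def simulate(action):
    """One legitimate segment, one forged segment with a huge TSval, then two more
    legitimate segments; returns the fate of each under the given action."""
    paws, outcomes = PawsState(), []
    legit = [build_tcp_header(40000, 443, seq=1 + i, ack=1, tsval=1000 * (i + 1))
             for i in range(3)]                       # constructed peer clock: 1000, 2000, 3000
    forged = build_tcp_header(40000, 443, seq=1, ack=1, tsval=0x70000000)
    for pkt in (legit[0], forged, legit[1], legit[2]):
        filtered = defend_tcp_timestamp(pkt, action)
        if filtered is None:
            outcomes.append("dropped-by-firewall")
        elif paws.accept(filtered):
            outcomes.append("accepted")
        else:
            outcomes.append("dropped-by-paws")
    return outcomes


if __name__ == "__main__":
    for act in ("allow", "block", "clear"):
        print(act, simulate(act))
```

With allow, the forged segment is accepted and both legitimate segments after it are dropped by PAWS, which is the DoS. With block, every segment is dropped at the device, including the legitimate ones, which is the cost noted above. With clear, the endpoint never sees a Timestamps option, so PAWS cannot be poisoned but RTTM is also lost.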

Copyright © Huawei Technologies Co., Ltd.