Free DISA STIG and SRG Library | Vaulted

V-5646

The network device must drop half-open TCP connections through filtering thresholds or timeout periods.

Finding ID
NET0965
Rule ID
SV-15435r4_rule
Severity
Cat II
CCE
(None)
Group Title
Devices not configured to filter and drop half-open connections.
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker’s goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.

Fix Text

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.

Check Content

Review the device configuration to validate threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device can not be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. IOS Configuration Example: ip tcp synwait-time 10

Responsibility

Information Assurance Officer

IA Controls

ECSC-1