Free DISA STIG and SRG Library | Vaulted


The network device must drop half-open TCP connections through filtering thresholds or timeout periods.

Finding ID
Rule ID
Cat II
Group Title
Devices not configured to filter and drop half-open connections.
Target Key

A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator. An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP packets, then never sending an acknowledgement, leaving connections in a half-opened state. Without the device having a connection or time threshold for these half-opened sessions, the device risks being a victim of a denial of service attack. Setting a TCP timeout threshold will instruct the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP, LDP, etc. are some services that may be prone to these types of denial of service attacks. If the router does not have any BGP connections with BGP neighbors across WAN links, values could be set to even tighter constraints.

Fix Text

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.

Check Content

Review the device configuration to determine if threshold filters or timeout periods are set for dropping excessive half-open TCP connections. For timeout periods, the time should be set to 10 seconds or less. If the device cannot be configured for 10 seconds or less, it should be set to the least amount of time allowable in the configuration. Threshold filters will need to be determined by the organization for optimal filtering. If the device is not configured in a way to drop half-open TCP connections using filtering or timeout periods, this is a finding.


Information Assurance Officer