NET0965 - The network device must drop half-open TCP connections through filtering thresholds or timeout periods.

Information

A TCP connection consists of a three-way handshake message sequence. A connection request is transmitted by the originator, an acknowledgement is returned from the receiver, and then an acceptance of that acknowledgement is sent by the originator.

An attacker's goal in this scenario is to cause a denial of service to the network or device by initiating a high volume of TCP connection requests and then never sending the final acknowledgement, leaving connections in a half-open state. Without a connection-count or time threshold for these half-open sessions, the device risks becoming a victim of a denial of service attack. Setting a TCP timeout threshold instructs the device to shut down any incomplete connections. Services such as SSH, BGP, SNMP and LDP are among those that may be prone to this type of denial of service attack. If the router does not have any BGP connections with BGP neighbors across WAN links, the values could be set to even tighter constraints.

Solution

Configure the device to drop half-open TCP connections through threshold filtering or timeout periods.
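As an added illustration of the two mechanisms this check calls for, the following Python model (not code from the STIG, Tenable or Juniper) tracks incomplete handshakes, refuses new SYNs once a source exceeds a half-open threshold, and expires entries that never receive the final ACK. The addresses, ports, timestamps and limits are constructed sample values.

```python
# Added example (not the page's or Juniper's code): a minimal model of a
# device's half-open (SYN_RECEIVED) table with the two defences the STIG
# names, an idle timeout and a per-source cap. All values are constructed.
from dataclasses import dataclass, field

@dataclass
class HalfOpenTable:
    timeout: float          # seconds an incomplete handshake may linger
    per_source_limit: int   # max half-open entries allowed per source IP
    pending: dict = field(default_factory=dict)   # (src, sport, dport) -> SYN time
    established: set = field(default_factory=set)
    dropped: int = 0        # SYNs refused by the threshold
    expired: int = 0        # entries removed by the timeout

    def on_syn(self, src, sport, dport, now):
        """Originator's SYN: admit unless the source holds too many half-open entries."""
        self.expire(now)
        if sum(1 for (s, _, _) in self.pending if s == src) >= self.per_source_limit:
            self.dropped += 1
            return False
        self.pending[(src, sport, dport)] = now
        return True

    def on_ack(self, src, sport, dport, now):
        """Originator's final ACK completes the handshake if it arrives in time."""
        key = (src, sport, dport)
        if key in self.pending and now - self.pending[key] <= self.timeout:
            del self.pending[key]
            self.established.add(key)
            return True
        return False  # no matching half-open entry, or it already timed out

    def expire(self, now):
        """Timeout sweep: shut down any handshake still incomplete after `timeout`."""
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]
        self.expired += len(stale)
        return len(stale)

def simulate_syn_flood(timeout=10.0, per_source_limit=3):
    """Constructed traffic: one host floods SSH with SYNs and never ACKs; a BGP peer completes."""
    t = HalfOpenTable(timeout, per_source_limit)
    for i in range(5):                                # five SYNs, no ACKs
        t.on_syn("198.51.100.7", 40000 + i, 22, now=float(i))
    t.on_syn("192.0.2.10", 51000, 179, now=1.0)       # BGP peer opens a session
    t.on_ack("192.0.2.10", 51000, 179, now=1.5)       # and completes it promptly
    t.expire(now=30.0)                                # later sweep clears leftovers
    return t
```

Running `simulate_syn_flood()` shows the threshold refusing the fourth and fifth SYNs from the flooding host while the BGP session completes, and the later timeout sweep removing the three half-open entries that were admitted.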

See Also

https://iasecontent.disa.mil/stigs/zip/U_Network_Infrastructure_Router_L3_Switch_V8R27_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-12, CAT|II, CSCv6|16.4, Rule-ID|SV-15437r4_rule, STIG-ID|NET0965, Vuln-ID|V-5646

Plugin: Juniper

Control ID: e7a12fff5c78d5d3443ac4031e23cbaa5aab7e48191017e504f76b991ad43908