SA39 : Blue Coat PacketShaper Advisory on Sockstress TCP Attacks
SUMMARY
There are 3 possible scenarios:
- attacks through PacketShaper,
- attacks targeting PacketShaper, and
- attacks in Xpress.
ISSUES
For the first and second scenario, PacketShaper is vulnerable temporarily, that is, during the attack. The impact of the attack is seen by failed connection requests and misclassified traffic. Once the attack stops, PacketShaper recovers within a minute or two. No long-term impact is observed.
Xpress impact: Attacks against the Xpress IP address on the box can temporarily impair the performance of the box as indicated above. The proposed loadshedding parameters below will mitigate the impact of these attacks.
Attacks through the PacketShaper over an Xpress tunnel to a target system can result in increased load on the system, resulting in similar effects to the case listed previously when traffic is going through the PacketShaper but is not passing through a tunnel.
MITIGATION
The combination of a few 'sys set' variables and CLI commands is somewhat effective in fending off attacking traffic. The following commands are suggested when an attack is suspected:
- sys set loadsheddingenable 2
- setup loadshedding clientFPM 100
- setup loadshedding failedFPM 100
- setup loadshedding enable
The value of 100 recommended for clientFPM and failedFPM is a starting point. Customers can work their way down to get the most defense while not blocking connections from legitimate hosts.
Please note since 'loadshedding' is designed to shed just enough traffic to keep the PacketShaper unit out of an overload condition rather than block all traffic from infected or misbehaving clients, connections may be slow, or even time out. 'hostdb info' is a useful command to see loadshedding at work.