Embryonic Connection Timeout

manuadoor · ‎07-20-2010

Following are the snippet from cisco documentation in "http://cisco.biz/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml"

In this, it says embryonic connection timeout default is 0:0:30. In TCP. But with in 21 seconds after the first SYN ACK, the server will send an "RST" packet to tear down the connection attempt, and I understand that in 21 seconds, the SYN attack happens, ofcoz with multiple connection attempts the resource will not be available to accept a new connection, thus attacked.

So what is the point in keeping a higher value (30 sec) that a normal timout of 21 seconds for embryonic connection timeout.. ??

&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

In order to set the timeout for connections, embryonic connections (half-opened) and half-closed connections, enter this command:

hostname(config-pmap-c)#set connection {[embryonic hh[:mm[:ss]]] 
[half-closed hh[:mm[:ss]]] [tcp hh[:mm[:ss]]]}

Where embryonic hh[:mm[:ss] is a time between 0:0:5 and 1192:59:59. The default is 0:0:30. You can also set this value to 0, which means the connection never times out.

The half-closed hh[:mm[:ss] and tcp hh[:mm[:ss] values are a time between 0:5:0 and 1192:59:59. The default for half-closed is 0:10:0 and the default for tcp is 1:0:0. You can also set these values to 0, which means the connection never times out.

You can enter this command all on one line (in any order), or you can enter each attribute as a separate command. The command is combined on one line in the running configuration.

Embryonic (Half-opened) connection—An embryonic connection is a TCP connection request that has not finished the necessary handshake between source and destination.
Half-closed connection—Half closed connection is when the connection is only closed in one direction by sending FIN. However, TCP session is still maintained by peer.
Per-client-embryonic-max—The maximum number of simultaneous embryonic connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections.
Per-client-max—The maximum number of simultaneous connections allowed per client, between 0 and 65535. The default is 0, which allows unlimited connections.

Panos Kampanakis · ‎07-20-2010

You are saying

But with in 21 seconds after
 the first SYN ACK, the server will send an "RST" packet to tear down 
the connection attempt.

I am not sure where this number was pulled from, but it could be 21s for a server, it could be 40s for another, it could be never for a third. The 30 seconds of embryonic timeout were chosen as a general default value that is low enough to not allow "too many" embryonics be established, but not break initializing connections too early either.

Of course you can configure that limit as you showed with the "set connection" command if your server and requirements are different.

I hope it helps.

PK

manuadoor · ‎07-20-2010

21 sec is the default value for Windows, Please find the attachment, which I have taken very recently for a trouble shooting.. and I have confirmed it from Windows documentation that ist 21 sec (3+6+12),

after 1st SYN ACK , if there is no ack it will restransmit SYN ACK and reset the timer to double (6), even after no responnse it will retransmit and reset the timer to 12 (double) so 3+6+12=21 sec. After 21 sec the server will send a RST, so default 30 sec not gonna work in this case right??

Regards,

Manu B.

http://manuadoor.blogspot.com

Panos Kampanakis · ‎07-20-2010

If the Windows server does send a RST after its timeout then yes, the 30 seconds of ASA embryonic timeout will not kick in at all.

PK

manuadoor · ‎07-20-2010

Could ypu confirm this, bcoz I dont think cisco missed this..

Panos Kampanakis · ‎07-20-2010

It is common sense more than anything.

If the server tears an embryonic conn before the firewall does then the timeout on the firewall does not take effect.

Again the 30 sec value was chosen to satisfy a general scenario, not specific Windown, Linux, Solaris etc.

PK

manuadoor · ‎07-20-2010

heheh.. But if it was based on common sense, it should be against the mininal
value..

manuadoor · ‎07-20-2010

As you said, its based on OS it seems,

http://www.docdroppers.org/wiki/index.php?title=Sysctl_Modifications

But even now am not really believe that 21 sec is fair enuf to have a SYN Attack in Windows... Do you?

Panos Kampanakis · ‎07-20-2010

It is all relative.

If someone was spoofing 1000conns/second you would have 20K embryonic conns within 20 seconds. Is that enough to crash the server?...who knows...

Now if there connection rate was 5K conns/second, is it enough to crash/overwhelm a server in 20seconds?...maybe...

So, it is kind of relative and at what poing someone is feeling safe.

My personal opinion is that a connection should establish in less than 5 seconds. So if it was me I would choose 10-15s. But like I said, it is all relative.

Please rate helpful posts.

PK