Half-Open TCP Connection Problem

DoS attacks commonly use half-open TCP connections, i.e. connections whose handshake was started but never completed.

  • A stateful firewall keeps the state of each TCP session in memory.

  • A large number of half-open TCP connections can overrun the firewall.

    • Define timeout values for half-open TCP sessions:

      • Normal: small/medium values.

      • Under attack (based on traffic thresholds): very small values.

    • It may be necessary to use external means to “clean” the firewall:

      • Resetting (half-open) connections from the internal servers.
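
The two timeout regimes above, as an added example (not code from the original notes or from any firewall product): a small model of a state table that switches to the short timeout once the number of half-open entries crosses a threshold. The class and function names, the timeout values, the threshold and the sample flows are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class HalfOpenTable:
    """Firewall-style table of sessions that sent SYN but not the final ACK."""
    normal_timeout_ms: int = 30_000   # assumed "small/medium" value
    attack_timeout_ms: int = 2_000    # assumed "very small" value
    attack_threshold: int = 100       # assumed half-open count that signals attack
    pending: dict = field(default_factory=dict)   # flow tuple -> time SYN was seen
    established: set = field(default_factory=set)

    def timeout_ms(self) -> int:
        # The traffic threshold decides which timeout is in force.
        under_attack = len(self.pending) >= self.attack_threshold
        return self.attack_timeout_ms if under_attack else self.normal_timeout_ms

    def expire(self, now_ms: int) -> int:
        """Drop half-open entries older than the current timeout; return the count."""
        limit = self.timeout_ms()
        stale = [f for f, seen in self.pending.items() if now_ms - seen >= limit]
        for flow in stale:
            del self.pending[flow]
        return len(stale)

    def on_syn(self, flow, now_ms: int) -> None:
        self.expire(now_ms)
        self.pending.setdefault(flow, now_ms)

    def on_ack(self, flow) -> bool:
        """Handshake completed: the session leaves the half-open set."""
        if self.pending.pop(flow, None) is None:
            return False
        self.established.add(flow)
        return True

def simulate_flood(n_syn: int, interval_ms: int, attack_threshold: int = 100):
    """Constructed input: n_syn SYNs from distinct ports that are never ACKed."""
    table = HalfOpenTable(attack_threshold=attack_threshold)
    peak = 0
    for i in range(n_syn):
        flow = ("198.51.100.7", 1024 + i, "192.0.2.10", 443)  # documentation addresses
        table.on_syn(flow, i * interval_ms)
        peak = max(peak, len(table.pending))
    return table, peak

if __name__ == "__main__":
    print("adaptive timeout peak:", simulate_flood(1000, 10)[1])
    print("fixed timeout peak:   ", simulate_flood(1000, 10, 10**9)[1])
```

With one SYN every 10 ms, the adaptive table levels off at the number of SYNs that fit inside the short timeout, while the table with only the normal timeout keeps growing for the whole run.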
