After upgrading to SonicOS 5.9.1.6 (or above) on 5th Gen devices, 6.2.5.3 (or above) on 6th Gen devices and SonicOS 7.0.1 (or above) on Gen 7 devices, the SonicWall appliance may show high CPU utilization associated with RST, SYN or FIN flood events from multiple internal sources and external destinations.
NOTE: The "Enforce strict TCP compliance with RFC 5961" option is disabled by default on the latest SonicOS releases, such as 5.9.1.13, 6.5.4.4 and 7.0.1. However, if you apply a firmware upgrade without resetting to factory defaults, the option remains enabled.
When the SonicWall receives an invalid RST packet, it either:
However, in firmware version 5.9.1.6 and above, the firewall sends a challenge ACK to the client when it receives an invalid RST packet. Non-compliant clients respond to the challenge ACK with further RST packets, which produces an RST flood on the firewall (appearing to originate from devices in the LAN zone, or to arrive from the WAN zone). The continuous generation of challenge ACKs by the firewall results in high CPU utilization.
This issue occurs when clients or servers do not comply with RFC 5961 (which mitigates CVE-2004-0230). RFC 5961 addresses attackers who target long-lived TCP connections (such as BGP) to cause a denial of service by sending spoofed SYN packets, RST packets, or data segments that start an ACK war.
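The RST-handling rules of RFC 5961 section 3.2 and the challenge-ACK loop described above, modelled as an added example that is not SonicWall's code. The receiver state machine, the sequence numbers and window, and the two peer behaviours (one RFC 5961-aware, one legacy) are constructed assumptions for illustration; a real stateful firewall tracks far more than this. The `strict` flag stands in for the "Enforce strict TCP compliance with RFC 5961" setting.

```python
"""
Added example (not SonicWall code): a small model of the RFC 5961 section 3.2
RST-handling rules and of the challenge-ACK loop that produces the RST flood.

Receiver state, sequence numbers and peer behaviours below are constructed
for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Segment:
    flags: str          # "RST" or "ACK" in this model
    seq: int
    ack: int = 0


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = True) -> str:
    """Disposition of an incoming RST carrying sequence number `seq`.

    RFC 5961 section 3.2: outside the receive window -> drop; exactly RCV.NXT
    -> reset; anywhere else inside the window -> send a challenge ACK instead
    of resetting.  With strict=False the pre-RFC 5961 (RFC 793) rule applies
    and any in-window RST tears the connection down.
    Sequence-number wrap-around is ignored (constructed values stay small).
    """
    if not (rcv_nxt <= seq < rcv_nxt + rcv_wnd):
        return "drop"
    if seq == rcv_nxt or not strict:
        return "reset"
    return "challenge-ack"


@dataclass
class Rfc5961Receiver:
    """Receiving side of an established connection as tracked by a stateful device."""
    rcv_nxt: int                 # next sequence number expected from the peer
    rcv_wnd: int                 # advertised receive window
    snd_nxt: int                 # our next send sequence number (SEQ of the challenge ACK)
    strict: bool = True          # models "Enforce strict TCP compliance with RFC 5961"
    challenge_acks_sent: int = 0
    closed: bool = False

    def on_rst(self, seg: Segment) -> Optional[Segment]:
        """Process an RST; return the segment sent back, or None if nothing is sent."""
        action = classify_rst(seg.seq, self.rcv_nxt, self.rcv_wnd, self.strict)
        if action == "reset":
            self.closed = True
            return None
        if action == "drop":
            return None
        self.challenge_acks_sent += 1
        return Segment("ACK", seq=self.snd_nxt, ack=self.rcv_nxt)


def compliant_peer(challenge: Segment) -> Segment:
    """RFC 5961-aware host: answers the challenge ACK with an RST whose SEQ is the
    ACK number it was just told, so the next RST lands exactly on RCV.NXT."""
    return Segment("RST", seq=challenge.ack)


def legacy_peer(challenge: Segment, stale_seq: int = 1500) -> Segment:
    """Non-compliant host: ignores the challenge ACK and re-sends the same stale,
    in-window RST.  This is the behaviour that produces the RST flood."""
    return Segment("RST", seq=stale_seq)


def run_exchange(peer: Callable[[Segment], Segment], strict: bool = True,
                 max_rounds: int = 10) -> tuple:
    """Drive the exchange between the receiver and `peer`.

    Returns (number of challenge ACKs sent, whether the connection was reset).
    The exchange opens with a stale RST that is in-window but not at RCV.NXT
    (constructed values: RCV.NXT=1000, window 65535, stale SEQ=1500).
    """
    fw = Rfc5961Receiver(rcv_nxt=1000, rcv_wnd=65535, snd_nxt=5000, strict=strict)
    seg = Segment("RST", seq=1500)
    rounds = 0
    while rounds < max_rounds and not fw.closed:
        reply = fw.on_rst(seg)
        if reply is None:           # dropped or reset: the exchange ends here
            break
        seg = peer(reply)           # the peer reacts to the challenge ACK
        rounds += 1
    return fw.challenge_acks_sent, fw.closed


if __name__ == "__main__":
    print("compliant peer, strict:", run_exchange(compliant_peer))
    print("legacy peer, strict:   ", run_exchange(legacy_peer))
    print("legacy peer, relaxed:  ", run_exchange(legacy_peer, strict=False))
```

With a compliant peer the challenge ACK costs one extra round trip and the connection is then reset cleanly; with a legacy peer and strict checking every round produces another challenge ACK until the round limit, which is the CPU-consuming loop the article describes; with strict checking disabled the stale in-window RST resets the connection immediately, at the cost of the RFC 5961 protection against blind resets.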
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
On firmware versions 7.0.1 and above, the option "Enforce strict TCP compliance with RFC 5961" has been moved to the diag page of the firewall. The diag page is reached by entering the LAN IP of the SonicWall in the browser with /sonicui/7/m/mgmt/settings/diag appended to it.

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
On firmware versions 6.2.x.x and above, the option "Enforce strict TCP compliance with RFC 5961" has been moved to the diag page of the firewall, which is reached by replacing the word "main" with "diag" in the URL of the firewall's management page.

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
There are two ways to resolve this issue:
To resolve this issue, upgrade to at least SonicOS 5.9.1.7 or 6.2.5.3 (or later versions).
You can then disable RFC 5961 strict compliance as a workaround for environments with legacy clients or servers that do not comply with RFC 5961.
After upgrading to the versions above, follow these steps:
