Outdated hosts not closing connections causing High CPU Usage - RST, SYN, FIN Floods
10/14/2021
After upgrading to SonicOS 188.8.131.52 (or above) on the 5th Gen devices and 184.108.40.206 (or above) on 6th Gen devices, the SonicWall appliance may show High CPU Utilization associated with RST or SYN or FIN Flood events from multiple internal sources and external destinations.
NOTE: This option is disabled by default on the latest SonicOS releases such as 220.127.116.11 and 18.104.22.168; however, if you apply a firmware upgrade without a factory default, the option remains enabled.
When the SonicWall receives an invalid RST packet, it either:
- Forwards the packet to the intended destination and closes the connection. Subsequent packets received on that connection are dropped with a "Connection Cache Add Failed" drop code.
- Drops the packet with an "Invalid TCP Flag" drop code.
However, in firmware version 22.214.171.124 and above, the firewall sends a challenge ACK to the client when it receives an invalid RST packet. A non-compliant client answers the challenge ACK with yet another RST packet. This produces RST floods on the firewall (appearing to originate from devices in the LAN zone, or arriving from the WAN zone), and the continuous generation of challenge ACKs by the firewall results in high CPU utilization.
This issue can be caused by clients or servers that are not compliant with RFC 5961 (which protects against CVE-2004-0230), a vulnerability in which attackers target long-lived TCP connections (such as BGP) and create DoS conditions by injecting SYN packets, RST packets, or data that starts an ACK war.
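To make the loop concrete, here is an added simulation (not SonicWall code) of the RFC 5961 section 3.2 RST check: an RST whose sequence number is exactly the expected one resets the connection, an in-window but inexact RST earns a challenge ACK, and anything else is dropped. A compliant peer answers the challenge ACK with a correctly sequenced RST and the connection closes; a legacy peer simply resends the same RST, so the firewall keeps generating challenge ACKs. The endpoint state, window size and sequence numbers are constructed values.

```python
"""Simulate RFC 5961 s3.2 RST validation and the resulting challenge-ACK loop."""
from dataclasses import dataclass, field

SEQ_MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class TcpEndpoint:
    rcv_nxt: int           # next sequence number expected from the peer
    rcv_wnd: int           # advertised receive window
    closed: bool = False
    challenge_acks: int = 0  # how many challenge ACKs this side has sent

    def on_rst(self, seq: int) -> str:
        """Classify an incoming RST: 'reset', 'challenge-ack' or 'drop'."""
        if self.closed:
            return "drop"
        if seq == self.rcv_nxt:            # exact match: legitimate reset
            self.closed = True
            return "reset"
        offset = (seq - self.rcv_nxt) % SEQ_MOD
        if 0 < offset < self.rcv_wnd:      # in window but not exact
            self.challenge_acks += 1       # RFC 5961: send a challenge ACK
            return "challenge-ack"
        return "drop"                      # outside the window: silently discard


def compliant_peer_rst(challenge_ack_value: int) -> int:
    """RFC 5961 peer: resend the RST using the ACK value from the challenge."""
    return challenge_ack_value


def legacy_peer_rst(last_seq: int) -> int:
    """Non-compliant peer: ignores the challenge and resends the same RST."""
    return last_seq


def run_exchange(compliant: bool, rounds: int = 5) -> dict:
    """Drive one firewall-side endpoint against a compliant or legacy peer."""
    fw = TcpEndpoint(rcv_nxt=1000, rcv_wnd=65535)   # constructed state
    seq = 1500                                       # in-window, inexact RST
    outcomes = []
    for _ in range(rounds):
        result = fw.on_rst(seq)
        outcomes.append(result)
        if result != "challenge-ack":
            break
        # The challenge ACK carries ACK = fw.rcv_nxt; the peer now replies.
        seq = compliant_peer_rst(fw.rcv_nxt) if compliant else legacy_peer_rst(seq)
    return {"outcomes": outcomes, "challenge_acks": fw.challenge_acks, "closed": fw.closed}
```

With a legacy peer the `challenge_acks` counter grows by one per round and the connection never closes, which is the per-connection cost that adds up to the CPU spike described above.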
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
On the latest firmware versions (6.2.x.x and above), the option "Enforce strict TCP compliance with RFC 5961" has been moved to the firewall's diag page, which you reach by replacing the word "main" with "diag" in the URL of the firewall's management page.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For Gen 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
There are two ways to resolve this issue:
- Update the systems that are not compliant with RFC 5961.
- Disable strict RFC compliance on the SonicWall (available on 126.96.36.199 and above).
To resolve this issue, please upgrade at least to SonicOS 188.8.131.52 or 184.108.40.206 (or later versions).
You can then disable RFC Strict Compliance as a workaround for environments with legacy clients or servers that do not comply with RFC 5961.
After upgrading to the versions above, follow these steps:
- Go to Firewall Settings | Flood Protection
- Disable "Enforce Strict Compliance with RFC 5961".