Outdated hosts not closing connections causing High CPU Usage - RST, SYN, FIN Floods
06/26/2023
Description
After upgrading to SonicOS 5.9.1.6 (or above) on 5th Gen devices, 6.2.5.3 (or above) on 6th Gen devices, or SonicOS 7.0.1 (or above) on Gen 7 devices, the SonicWall appliance may show high CPU utilization associated with RST, SYN, or FIN Flood events from multiple internal sources and external destinations.
NOTE: This option is disabled by default on the latest SonicOS releases, such as 5.9.1.13, 6.5.4.4 and 7.0.1. However, if you apply a firmware upgrade without restoring factory defaults, the option will remain enabled.
Cause
When the SonicWall receives an invalid RST packet, it either:
- Forwards the packet to the required destination and closes the connection. Subsequent packets received on this connection are dropped with the "Connection Cache Add Failed" drop code.
- Or drops the packet with the "invalid TCP Flag" drop code.
However, from firmware version 5.9.1.6 onward, the firewall sends a challenge ACK to the client when it receives an invalid RST packet. The clients respond with more RST packets. This causes RST floods on the firewall (which appear to be generated by devices in the LAN zone, or to arrive from the WAN zone). The continuous generation of challenge ACKs by the firewall results in high CPU utilization.
This issue can be caused by clients or servers that are not compliant with RFC 5961 (which protects against CVE-2004-0230). That vulnerability concerns attackers targeting long-lived TCP connections (such as BGP) and creating DoS conditions by sending SYN packets or RST packets, or by sending data to start an ACK war.
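The exchange described above, reduced to its decision logic, as an added simulation (not SonicWall code). The `Rfc5961Endpoint` class, the peer functions and the sequence numbers are all constructed for illustration; the firewall is modelled as the side that receives the RST and answers with a challenge ACK, which is the role it plays when strict RFC 5961 compliance is enforced. The simulation shows why a compliant host settles the connection after one challenge ACK, why a legacy host that keeps repeating the same stale RST produces an unbounded RST/ACK loop, and how the ACK throttling that RFC 5961 itself recommends caps the work the firewall does.

```python
"""Simulation of the RFC 5961 challenge-ACK exchange (added example, not SonicWall code).

Hypothetical names and values throughout: sequence numbers, window size and the
class/function names are constructed for illustration. Sequence-number
wraparound is ignored to keep the check readable.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment: only the fields the RST check looks at."""
    seq: int
    ack: int
    flags: str  # "RST" or "ACK"


class Rfc5961Endpoint:
    """Receiving side of an established connection, applying RFC 5961 section 3.2.

    A RST is accepted only if its sequence number equals RCV.NXT. A RST inside the
    receive window but not exact is answered with a challenge ACK. A RST outside the
    window is dropped silently. `challenge_budget` models the ACK throttling RFC 5961
    section 7 recommends: once spent, further in-window RSTs are dropped, not answered.
    """

    def __init__(self, rcv_nxt: int, snd_nxt: int, rcv_wnd: int,
                 challenge_budget: Optional[int] = None) -> None:
        self.rcv_nxt = rcv_nxt
        self.snd_nxt = snd_nxt
        self.rcv_wnd = rcv_wnd
        self.challenge_budget = challenge_budget
        self.challenge_acks_sent = 0
        self.dropped = 0
        self.reset = False

    def on_rst(self, seg: Segment) -> Optional[Segment]:
        """Handle one incoming RST; return the challenge ACK to send back, if any."""
        if seg.seq == self.rcv_nxt:
            self.reset = True          # exact match: the reset is genuine, tear down
            return None
        in_window = self.rcv_nxt < seg.seq < self.rcv_nxt + self.rcv_wnd
        if not in_window:
            self.dropped += 1          # out of window: ignore, nothing sent back
            return None
        if self.challenge_budget is not None and self.challenge_acks_sent >= self.challenge_budget:
            self.dropped += 1          # throttled: in-window but budget exhausted
            return None
        self.challenge_acks_sent += 1
        return Segment(seq=self.snd_nxt, ack=self.rcv_nxt, flags="ACK")


def compliant_peer(challenge: Segment, stale_seq: int) -> Segment:
    """RFC 5961-compliant host: re-sends the RST using the ACK number from the challenge."""
    return Segment(seq=challenge.ack, ack=0, flags="RST")


def legacy_peer(challenge: Segment, stale_seq: int) -> Segment:
    """Non-compliant host: ignores the challenge and repeats the same stale RST."""
    return Segment(seq=stale_seq, ack=0, flags="RST")


Peer = Callable[[Segment, int], Segment]


def run_exchange(endpoint: Rfc5961Endpoint, peer: Peer, stale_seq: int,
                 max_rounds: int = 50) -> Dict[str, object]:
    """Drive RST/challenge-ACK rounds until the connection resets, the endpoint stops
    answering, or max_rounds is reached (the unthrottled legacy case never ends on its own)."""
    seg = Segment(seq=stale_seq, ack=0, flags="RST")
    rounds = 0
    while rounds < max_rounds:
        rounds += 1
        challenge = endpoint.on_rst(seg)
        if challenge is None:
            break                      # accepted or dropped: the peer gets nothing back
        seg = peer(challenge, stale_seq)
    return {"rounds": rounds, "challenge_acks": endpoint.challenge_acks_sent,
            "dropped": endpoint.dropped, "reset": endpoint.reset}


if __name__ == "__main__":
    # Constructed connection state: RCV.NXT=1000, SND.NXT=5000, 64K window, stale RST at seq 1500.
    for label, peer, budget in (("compliant", compliant_peer, None),
                                ("legacy, unthrottled", legacy_peer, None),
                                ("legacy, throttled to 5", legacy_peer, 5)):
        ep = Rfc5961Endpoint(rcv_nxt=1000, snd_nxt=5000, rcv_wnd=65535, challenge_budget=budget)
        print(label, run_exchange(ep, peer, stale_seq=1500))
```

The unthrottled legacy run is the situation the article describes: every stale RST costs the firewall a challenge ACK, the client answers each one with the same RST, and the round count is bounded only by how fast the client can send. The throttled run shows the other lever the RFC provides, independent of disabling strict compliance entirely.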
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
On the latest firmware versions (7.0.1 and above), the option "Enforce strict TCP compliance with RFC 5961" has been moved to the diag page of the firewall. The diag page can be reached by entering the LAN IP of the SonicWall in the browser with /sonicui/7/m/mgmt/settings/diag appended, i.e. IP/sonicui/7/m/mgmt/settings/diag.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.
On the latest firmware versions (6.2.x.x and above), the option "Enforce strict TCP compliance with RFC 5961" has been moved to the diag page of the firewall, which is reached by replacing the word "main" with "diag" in the URL of the firewall's management page.
Resolution for SonicOS 6.2 and Below
The resolution below is for customers using SonicOS 6.2 and earlier firmware. For generation 6 and newer firewalls, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
There are two ways to resolve this issue:
- Update the systems that are not compliant with RFC 5961.
- Disable strict RFC compliance within the SonicWall (available on 5.9.1.7 and above).
To resolve this issue, first upgrade to at least SonicOS 5.9.1.7 or 6.2.5.3 (or a later version).
You can then disable RFC strict compliance as a workaround for environments with legacy clients or servers that do not comply with RFC 5961.
After upgrading to the versions above, follow these steps:
- Go to Firewall Settings | Flood Protection
- Disable the "Enforce Strict Compliance with RFC 5961" option.