6.5.4 Ensure TCP SYN/FIN is Set to Drop

Information

TCP segments that have both the SYN and FIN flags set should be dropped.

Rationale:

TCP packets with both the SYN and FIN flags set are sometimes used by attackers to evade intrusion detection systems and firewalls, or to attack hosts on the target network directly. Most fully patched systems are no longer vulnerable to this technique; however, there is no valid reason for a segment to carry both SYN and FIN, so such traffic is almost certainly malicious or the result of an error and should never be processed.

Impact:

There is no valid reason for a TCP segment to have both the SYN and FIN flags set, so dropping such segments has no effect on legitimate traffic.

Solution

Configure the router to drop TCP segments containing both SYN and FIN flags by issuing the following command from the [edit system internet-options] hierarchy.

[edit system internet-options]
user@host# set tcp-drop-synfin-set

Default Value:

By default, JUNOS does not drop TCP packets that have both the SYN and FIN flags set.
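Because the statement is off by default, an audit has to confirm it is both present and active. The following script is an added example, not part of this benchmark or of any Tenable or Juniper tooling. It inspects the output of `show configuration | display set` and reports whether the control is met. It assumes (labelled in the code) that a deactivated statement shows up in display-set output as a matching `deactivate ...` line; the sample configurations embedded below are constructed for the self-check.

```python
"""Compliance check for the JUNOS 'tcp-drop-synfin-set' statement.

Added example: reads 'show configuration | display set' output and reports
whether control 6.5.4 is satisfied. Not part of the benchmark text.
"""
from typing import Iterable

# Exact statement the control requires (from the Solution section above,
# expressed in display-set form).
REQUIRED_STATEMENT = "set system internet-options tcp-drop-synfin-set"
# Assumption: a deactivated statement is emitted as a matching 'deactivate'
# line in display-set output; such a line must be treated as non-compliant.
DEACTIVATE_STATEMENT = "deactivate system internet-options tcp-drop-synfin-set"


def _normalise(line: str) -> str:
    """Drop '## ...' annotations and collapse whitespace for exact matching."""
    line = line.split("##", 1)[0]
    return " ".join(line.split())


def synfin_drop_enabled(config_lines: Iterable[str]) -> bool:
    """Return True only if the statement is present and not deactivated."""
    present = False
    deactivated = False
    for raw in config_lines:
        line = _normalise(raw)
        if line == REQUIRED_STATEMENT:
            present = True
        elif line == DEACTIVATE_STATEMENT:
            deactivated = True
    return present and not deactivated


def audit(config_text: str) -> dict:
    """Produce a small finding record in the style of an audit result."""
    ok = synfin_drop_enabled(config_text.splitlines())
    return {
        "control": "6.5.4 Ensure TCP SYN/FIN is Set to Drop",
        "status": "PASS" if ok else "FAIL",
        "remediation": None if ok else REQUIRED_STATEMENT,
    }


# Constructed sample configurations (display-set form) for the self-check.
COMPLIANT = """\
## Last commit: constructed sample
set system host-name edge-router
set system internet-options tcp-drop-synfin-set
set system services ssh
"""

DEFAULT = """\
set system host-name edge-router
set system services ssh
"""

DEACTIVATED = """\
set system internet-options tcp-drop-synfin-set
deactivate system internet-options tcp-drop-synfin-set
"""

if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT),
                      ("default", DEFAULT),
                      ("deactivated", DEACTIVATED)):
        print(f"{name:12s} {audit(cfg)['status']}")
```

Run it against a saved `display set` capture by passing the file contents to `audit()`; the `remediation` field carries the exact statement to commit when the check fails, which mirrors the Solution section.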

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|11

Plugin: Juniper

Control ID: 30a0f592edec8cc93638cdb13136c1e2235cdf84aea7dbb3ba7b74a12380abf4