Firewall Settings > Flood Protection
737
SonicOS 5.8.1 Administrator Guide
– Maximum value: 60 seconds
SYN Flood Protection Methods
SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of
Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available
resources by using one of the following attack mechanisms:
• Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP
addresses.
• Creating excessive numbers of half-opened TCP connections.
The following sections detail some SYN Flood protection methods:
• “SYN Flood Protection Using Stateless Cookies” on page 737
• “Layer-Specific SYN Flood Protection Methods” on page 737
• “Understanding SYN Watchlists” on page 737
• “Understanding a TCP Handshake” on page 738
SYN Flood Protection Using Stateless Cookies
The method of SYN flood protection employed starting with SonicOS Enhanced uses stateless
SYN Cookies, which increase the reliability of SYN Flood detection and also improve overall
resource utilization on the SonicWALL. With stateless SYN Cookies, the SonicWALL does not
have to maintain state on half-opened connections. Instead, it uses a cryptographic calculation
(rather than randomness) to arrive at SEQr.
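How a keyed calculation can replace per-connection state, as an added example that is not SonicWALL's code. The guide does not give the SonicOS calculation, so the HMAC-SHA256 construction, the secret, the 64-second time slot and all names here (including seq_i for the client's initial sequence number) are assumptions.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key"  # assumption: secret known only to the firewall
SLOT_SECONDS = 64                 # assumption: granularity of the cookie timestamp
MAX_AGE_SLOTS = 1                 # accept cookies from the current or previous slot


def _cookie(conn, seq_i, slot):
    """Derive a 32-bit SEQr from the 4-tuple, the client's ISN and a time slot."""
    src_ip, src_port, dst_ip, dst_port = conn
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HHII", src_port, dst_port, seq_i, slot & 0xFFFFFFFF))
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:4]
    # High 27 bits: keyed MAC over the packet fields. Low 5 bits: slot mod 32.
    return (int.from_bytes(tag, "big") & 0xFFFFFFE0) | (slot & 0x1F)


def make_cookie(conn, seq_i, now):
    """SEQr for the SYN/ACK. Nothing about the half-open connection is stored."""
    return _cookie(conn, seq_i, int(now) // SLOT_SECONDS)


def check_ack(conn, seq, ack, now):
    """Validate the final ACK by recomputing the cookie from the packet alone."""
    seq_i = (seq - 1) & 0xFFFFFFFF  # the client's ACK segment carries SEQi + 1
    seq_r = (ack - 1) & 0xFFFFFFFF  # and acknowledges SEQr + 1
    cur = int(now) // SLOT_SECONDS
    return any(_cookie(conn, seq_i, cur - age) == seq_r
               for age in range(MAX_AGE_SLOTS + 1))


if __name__ == "__main__":
    # Constructed sample connection (documentation address ranges).
    conn = ("203.0.113.10", 40000, "192.0.2.80", 443)
    seq_i, t0 = 0x1000, 1_700_000_000
    seq_r = make_cookie(conn, seq_i, t0)
    print(f"SEQr = {seq_r:#010x}")
    print("genuine ACK:", check_ack(conn, seq_i + 1, seq_r + 1, t0 + 1))
    print("guessed ACK:", check_ack(conn, seq_i + 1, seq_r + 2, t0 + 1))
    print("expired ACK:", check_ack(conn, seq_i + 1, seq_r + 1, t0 + 128))
```

A spoofed SYN costs the device one MAC computation and no memory, and only a client that actually received the SYN/ACK can return an ACK that validates.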
Layer-Specific SYN Flood Protection Methods
SonicOS Enhanced provides several protections against SYN Floods generated from two
different environments: trusted (internal) or untrusted (external) networks. Attacks from
untrusted WAN networks usually target one or more servers protected by the firewall.
Attacks from the trusted LAN networks occur as a result of a virus infection inside one or more
of the trusted networks, generating attacks on one or more local or remote hosts.
To provide a firewall defense to both attack scenarios, SonicOS Enhanced provides two
separate SYN Flood protection mechanisms on two different layers. Each gathers and displays
SYN Flood statistics and generates log messages for significant SYN Flood events.
• SYN Proxy (Layer 3) – This mechanism shields servers inside the trusted network from
WAN-based SYN flood attacks, using a SYN Proxy implementation to verify the WAN
clients before forwarding their connection requests to the protected server. You can enable
SYN Proxy only on WAN interfaces.
• SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or
forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface.
Understanding SYN Watchlists
The internal architecture of both SYN Flood protection mechanisms is based on a single list of
the Ethernet addresses of the devices that are most active in sending initial SYN packets to the
firewall. This list is called a SYN watchlist. Because this list contains Ethernet addresses, the
firewall tracks all SYN traffic based on the address of the device forwarding the SYN packet,
without considering the IP source or destination address.