Firewall Settings > Flood Protection
739
SonicOS 5.8.1 Administrator Guide
The SYN Flood Protection mode is the level of protection that you select to defend against
half-open TCP sessions and high-frequency SYN packet transmissions. This feature lets you
choose one of three levels of SYN Flood Protection:
• Watch and Report Possible SYN Floods – This option enables the device to monitor SYN
traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds
a packet count threshold. The feature does not turn on the SYN Proxy on the device so the
device forwards the TCP three-way handshake without modification. This is the least
invasive level of SYN Flood protection. Select this option if your network is not in a high risk
environment.
• Proxy WAN Client Connections When Attack is Suspected – This option turns on the SYN
Proxy feature on WAN interfaces when the number of incomplete connection attempts per
second exceeds the configured attack threshold. This method ensures that the device
continues to process valid traffic during the attack without degrading performance. Proxy
mode remains enabled until all WAN SYN flood attacks stop or until the device blacklists all
of the attacking sources using the SYN Blacklisting feature. This is the intermediate level
of SYN Flood protection. Select this option if your network experiences SYN Flood attacks
from internal or external sources.
• Always Proxy WAN Client Connections – This option sets the device to always use SYN
Proxy. This method blocks all spoofed SYN packets from passing through the device. Note
that this is an extreme security measure: because the SYN Proxy feature forces the device to
answer every TCP SYN connection attempt, a port scan of any WAN address sees every TCP
port as open. This can degrade performance and can generate false positives. Select this
option only if your network is in a high-risk environment.
Configuring SYN Attack Threshold
The SYN Attack Threshold configuration options set the limit on SYN Flood activity that the
device tolerates before it drops packets. The device gathers statistics on WAN TCP connections,
keeping track of the maximum and the average maximum number of incomplete WAN connections
per second. From these statistics the device suggests a value for the SYN flood threshold.
Note the two options in this section:
Suggested value calculated from gathered statistics – The suggested attack threshold,
derived from the WAN TCP connection statistics above.
Attack Threshold (Incomplete Connection Attempts/Second) – Sets the number of incomplete
connection attempts per second that the device accepts before it drops packets, at any value
from 5 to 999,999.
Configuring SYN Proxy Options
When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet
with a manufactured SYN/ACK reply and waits for the client's ACK before forwarding the
connection request to the server. Hosts attacking with SYN Flood packets do not respond to
the SYN/ACK reply, typically because the source addresses are spoofed and the SYN/ACK goes
to a host that never sent the SYN. The firewall identifies attackers by the absence of this
response and blocks their spoofed connection attempts, so the server never sees a half-open
connection from them. The cost is that SYN Proxy forces the firewall to manufacture a
SYN/ACK response without knowing how the server would respond to the TCP options normally
negotiated on SYN/ACK packets.
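The threshold logic of the previous section and the SYN Proxy exchange described above, as an added, self-contained simulation in Python. It is not SonicOS code and makes assumptions the guide does not state: a half-open entry is forgotten after 3 seconds, the manufactured SYN/ACK sequence number is derived from a per-device secret with HMAC (SYN-cookie style), and "attack stopped" is taken to mean that no incomplete attempt has arrived for a full second. The traffic in run_scenario is constructed: 50 spoofed SYNs that never ACK, one real client during the flood, one after it, and one forged ACK.

```python
"""Added illustration of SYN flood protection modes, the attack threshold and a
SYN proxy. Not SonicOS code; timeouts and ISN derivation are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    WATCH_AND_REPORT = "watch"          # log only; handshake passes unmodified
    PROXY_WHEN_SUSPECTED = "on_attack"  # SYN proxy engaged above the threshold
    ALWAYS_PROXY = "always"             # SYN proxy on every WAN SYN


@dataclass
class SynFloodGuard:
    mode: Mode
    threshold: int                  # incomplete connection attempts/second, 5..999,999
    secret: bytes = b"constructed-per-boot-secret"   # assumed: keys the proxy ISNs
    half_open_timeout: float = 3.0  # assumed: the guide gives no value for this
    proxy_active: bool = False
    suspected: bool = False
    pending: dict = field(default_factory=dict)    # (src, sport) -> (t_syn, proxy_isn|None)
    forwarded: list = field(default_factory=list)  # connections the server actually sees
    log: list = field(default_factory=list)

    def __post_init__(self):
        if not 5 <= self.threshold <= 999_999:
            raise ValueError("attack threshold must be between 5 and 999,999")
        self.proxy_active = self.mode is Mode.ALWAYS_PROXY

    def _incomplete_rate(self, now):
        """Half-open attempts that arrived within the last second."""
        return sum(1 for t, _ in self.pending.values() if now - t < 1.0)

    def _proxy_isn(self, src, sport):
        """Manufactured SYN/ACK sequence number the client cannot predict."""
        tag = hmac.new(self.secret, f"{src}:{sport}".encode(), hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def _track(self, now):
        """Raise or clear the 'flood suspected' state. In the intermediate mode the
        SYN proxy follows it: on above the threshold, off once the flood has stopped."""
        rate = self._incomplete_rate(now)
        if not self.suspected and rate > self.threshold:
            self.suspected = True
            self.log.append(f"{now:.2f}s possible SYN flood: {rate} incomplete/s")
            if self.mode is Mode.PROXY_WHEN_SUSPECTED:
                self.proxy_active = True
        elif self.suspected and rate == 0:
            self.suspected = False
            self.log.append(f"{now:.2f}s SYN flood over")
            if self.mode is Mode.PROXY_WHEN_SUSPECTED:
                self.proxy_active = False

    def expire(self, now):
        """Forget half-open entries whose client never sent the final ACK."""
        stale = [k for k, (t, _) in self.pending.items() if now - t >= self.half_open_timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def on_syn(self, src, sport, now):
        """Returns (action, isn): isn is the firewall's SYN/ACK sequence number when
        proxied, None when the SYN reached the server unmodified."""
        self.expire(now)
        self._track(now)                          # a finished flood clears the proxy here
        self.pending[(src, sport)] = (now, None)
        self._track(now)                          # this SYN may cross the threshold
        if not self.proxy_active:
            self.forwarded.append((src, sport))   # three-way handshake goes to the server
            return "passed through", None
        isn = self._proxy_isn(src, sport)
        self.pending[(src, sport)] = (now, isn)   # remember what we promised the client
        return "proxied", isn

    def on_ack(self, src, sport, ack_num, now):
        """Final ACK of the handshake. Only an ACK matching our SYN/ACK proves a real
        client; spoofed sources never send one, so their entries simply expire."""
        entry = self.pending.get((src, sport))
        if entry is None:
            return "dropped"                      # unsolicited ACK, nothing half-open
        _, isn = entry
        if isn is not None and ack_num != (isn + 1) & 0xFFFFFFFF:
            return "dropped"                      # does not acknowledge our SYN/ACK
        del self.pending[(src, sport)]
        self._track(now)
        if isn is None:
            return "completed"                    # the server ran this handshake itself
        self.forwarded.append((src, sport))       # client proved itself: open to the server
        return "opened to server"


def handshake(g, src, sport, t):
    """A well-behaved client: SYN, then the ACK matching whatever SYN/ACK it got."""
    act, isn = g.on_syn(src, sport, t)
    ack_num = (isn + 1) & 0xFFFFFFFF if isn is not None else 1   # server ISN not modelled
    return act, g.on_ack(src, sport, ack_num, t + 0.1)


def run_scenario(mode, threshold=20):
    """Constructed traffic: 50 spoofed SYNs in half a second that never ACK, one
    real client during the flood, a forged ACK for a spoofed flow, one client after."""
    g = SynFloodGuard(mode, threshold)
    for i in range(50):
        g.on_syn(f"198.51.100.{i}", 40000 + i, now=i * 0.01)
    results = {"during": handshake(g, "203.0.113.7", 51000, 0.6)}
    isn = g.pending[("198.51.100.25", 40025)][1] or 0
    results["forged"] = g.on_ack("198.51.100.25", 40025, (isn + 2) & 0xFFFFFFFF, 0.8)
    results["after"] = handshake(g, "203.0.113.8", 51001, 5.0)
    results["server_syns"] = len(g.forwarded)
    results["log"] = g.log
    return results


if __name__ == "__main__":
    for m in Mode:
        print(m.name, run_scenario(m))
```

With a threshold of 20, the watch-only mode lets all 50 spoofed SYNs reach the server and only logs; the intermediate mode lets the first 20 through before the threshold trips, answers the rest itself, still opens the real client's connection once its ACK matches, and drops the forged ACK; always-proxy keeps every spoofed SYN off the server but also answers the client that arrives long after the flood, which is the behaviour that makes every port look open to a scanner.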
To provide more control over the options sent to WAN clients when in SYN Proxy mode, you
can configure the following two objects: