[Figure: SYN flood protection. Callouts, in sequence:
1. A host at 2.2.2.5 continues sending SYN segments in IP packets with the spoofed source address 3.3.3.5 toward the protected LAN.
2. SYN attack threshold: the security device intercepts the SYN segments and proxies the SYN/ACK responses until the proxied connection queue fills up.
3. Alarm threshold: the security device enters an alarm in the event log.
4. Maximum limit of the proxied connection queue: the security device rejects new SYN segments from all addresses in the same security zone, including a SYN segment from a different address in that zone.
5. The security device starts accepting new SYN packets when the proxy queue drops below the maximum limit.
6. The memory buffer in the victim returns to normal.]
NOTE: The procedure of proxying incomplete SYN connections above a set threshold pertains only to traffic permitted by existing policies. Any traffic for which a policy does not exist is automatically dropped.
By default, the SYN Flood protection SCREEN option is enabled on the Untrust zone. To enable the SYN Flood protection SCREEN option and define its parameters, do either of the following, where the specified zone is that in which a SYN flood might originate:
WebUI
Screening > Screen (Zone: select a zone name): Enter the following, then click Apply:
SYN Flood Protection: (select to enable)
Threshold: (enter the number of SYN packets, that is, TCP segments with the SYN flag set, per second required to activate the SYN proxying mechanism)
Alarm Threshold: (enter the number of proxied TCP connection requests required to write an alarm in the event log)
Source Threshold: (enter the number of SYN packets per second from a single IP address before the security device begins dropping connection requests from that source)
Timeout Value: (enter the length of time in seconds that the security device holds an incomplete TCP connection attempt in the proxied connection queue)
Queue Size: (enter the number of proxied TCP connection requests held in the proxied connection queue before the security device starts rejecting new connection requests)
NOTE: For more details about each of these parameters, see the descriptions in the following CLI section.
CLI
To enable SYN Flood protection:
set zone zone screen syn-flood
You can set the following parameters for proxying uncompleted TCP connection requests:
• Attack Threshold: The number of SYN segments per second to the same destination IP address and ingress interface port (physical port or logical port like a subinterface) that are required to activate the SYN proxying mechanism.
NOTE: The threshold is not triggered based on Transport Layer ports (TCP ports or UDP ports).
Suppose the attack threshold is 20 pps to the same destination IP address and ingress interface. If 20 pps arrive for the same destination IP address but are spread across different ingress interfaces, the attack threshold is not triggered.
set zone zone screen syn-flood attack-threshold number
• Alarm Threshold: The value you set for an alarm threshold triggers an alarm when the number of proxied, half-completed connection requests to the same destination address and ingress interface port (physical port or logical port like a subinterface) per second exceeds that value. For example, if you set the SYN attack threshold at 2000 SYN segments per second and the alarm threshold at 1000, then a total of 3001 SYN segments to the same destination IP address and ingress interface port per second is required to trigger an alarm entry in the log: the first 2000 are forwarded without proxying, and the alarm is written only when the proxied count exceeds 1000.
For each SYN segment to the same destination address and ingress interface port (physical port or logical port like a subinterface) in excess of the alarm threshold, the attack detection module generates a message. At the end of one second, the logging module compresses all similar messages into a single log entry that indicates how many SYN segments to the same destination address and ingress interface port (physical port or logical port like a subinterface) arrived after exceeding the alarm threshold. If the attack persists beyond the first second, the event log enters an alarm every second until the attack stops.
Chapter 3: Denial of Service Attack Defenses
• Source Threshold: This option allows you to specify the number of SYN segments received per second from a single source IP address, regardless of the destination IP address and ingress interface port (physical port or logical port like a subinterface), before the security device begins dropping connection requests from that source.
Tracking a SYN flood by source IP address uses different detection parameters from tracking a SYN flood by destination IP address and ingress interface port (physical port or logical port like a subinterface). When you set a SYN attack threshold and a source threshold, you put both the basic SYN flood protection mechanism and the source-based SYN flood tracking mechanism in effect.
set zone zone screen syn-flood source-threshold number
• Destination Threshold: This option allows you to specify the number of SYN segments received per second for a single destination IP address before the security device begins dropping connection requests to that destination. If a protected host can be reached through multiple ingress interfaces, you might want to set a threshold based on destination IP address only—regardless of the ingress interface.
set zone zone screen syn-flood destination-threshold number
Tracking a SYN flood by destination IP address uses different detection parameters from the basic attack threshold, which is keyed on destination address plus ingress interface port (physical port or logical port like a subinterface). Consider the following case, where the SYN flood attack threshold is 20, and Interface 1 and Interface 2 are both ingress interfaces that reach the same server. An attacker sends 19 pps to Interface 1 and 19 pps to Interface 2; neither set of packets (where a set is defined by the same destination IP address and the same ingress interface) activates the SYN proxying mechanism, because the attack threshold tracks destination IP address and ingress interface (physical or logical, like a subinterface) and neither set exceeds 20 pps. However, if the destination threshold is 20 pps, the device treats traffic with the same destination IP address on both ingress interfaces as a single set and rejects the 21st packet to that destination, whether it arrives on Interface 1 or Interface 2.
• Timeout: The maximum length of time a half-completed connection is held in the queue before it is dropped. The default is 20 seconds, and you can set the timeout from 0 to 50 seconds. You can try decreasing the timeout until you begin to see dropped connections during normal traffic conditions, then raise it again; twenty seconds is a very conservative timeout for the ACK that completes a three-way handshake.
set zone zone screen syn-flood timeout number
• Queue Size: The number of proxied connection requests held in the proxied connection queue before the security device starts rejecting new connection requests. The larger the queue, the longer the device needs to scan it to match a valid ACK response to a proxied connection request. This can slightly slow initial connection establishment; however, because the time to begin data transfer is normally far greater than any minor delay in initial connection setup, users would not notice a difference.
set zone zone screen syn-flood queue-size number
• Drop Unknown MAC: By default, the security device lets SYN packets containing unknown MAC addresses pass. You can use this option to instruct the device to drop SYN packets containing unknown destination MAC addresses instead of letting them pass.
set zone zone screen syn-flood drop-unknown-mac
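The three thresholds above are keyed differently (attack threshold on destination IP plus ingress interface, destination threshold on destination IP only, source threshold on source IP only), and the alarm counts proxied requests rather than all SYNs, which is easy to misread. The following Python model is an added example written for this page; it is not ScreenOS code or Juniper's implementation. The verdict names, the order in which the three thresholds are checked, the handling of a full queue, and the addresses and interface names (1.1.1.10, ethernet1 and so on) are assumptions made for the illustration; the scenarios reproduce the 19 pps plus 19 pps split-ingress case and the 2000/1000 alarm case from the text.

```python
# Added illustration, not ScreenOS code: a model of the per-second counting rules
# described above. The order in which the checks run, the verdict names and the
# sample addresses are assumptions made for this example.
from collections import Counter


class SynFloodScreen:
    def __init__(self, attack_threshold, alarm_threshold, source_threshold=None,
                 destination_threshold=None, timeout=20, queue_size=1024):
        self.attack_threshold = attack_threshold
        self.alarm_threshold = alarm_threshold
        self.source_threshold = source_threshold
        self.destination_threshold = destination_threshold
        self.timeout = timeout
        self.queue_size = queue_size
        self.second = None           # one-second bucket the counters belong to
        self.by_dst_if = Counter()   # (dst, ingress) -> SYNs this second
        self.by_src = Counter()      # src -> SYNs this second
        self.by_dst = Counter()      # dst -> SYNs this second
        self.proxied = Counter()     # (dst, ingress) -> proxied SYNs this second
        self.queue = {}              # (src, sport, dst) -> expiry of half-open entry
        self.log = []                # (second, (dst, ingress), SYNs beyond alarm threshold)

    def _tick(self, now):
        """Roll the per-second counters and age out timed-out half-open entries."""
        if self.second != now:
            if self.second is not None:
                self.end_second()
            self.second = now
            for c in (self.by_dst_if, self.by_src, self.by_dst):
                c.clear()
        self.queue = {k: exp for k, exp in self.queue.items() if exp > now}

    def end_second(self):
        """Write one compressed alarm entry per (dst, ingress) over the alarm threshold."""
        for key, n in self.proxied.items():
            if n > self.alarm_threshold:
                self.log.append((self.second, key, n - self.alarm_threshold))
        self.proxied.clear()

    def syn(self, now, src, dst, ingress, sport=0):
        """Verdict for one SYN segment: 'pass', 'proxy', or a drop reason."""
        self._tick(now)
        key = (dst, ingress)
        self.by_src[src] += 1
        self.by_dst[dst] += 1
        self.by_dst_if[key] += 1
        if self.source_threshold is not None and self.by_src[src] > self.source_threshold:
            return "drop-source"          # regardless of destination and ingress
        if self.destination_threshold is not None and self.by_dst[dst] > self.destination_threshold:
            return "drop-destination"     # regardless of ingress interface
        if self.by_dst_if[key] <= self.attack_threshold:
            return "pass"                 # below the attack threshold: forwarded as-is
        if len(self.queue) >= self.queue_size:
            return "drop-queue-full"      # proxied connection queue is at its limit
        self.queue[(src, sport, dst)] = now + self.timeout
        self.proxied[key] += 1
        return "proxy"                    # device answers SYN/ACK on the server's behalf

    def ack(self, now, src, dst, sport=0):
        """Client's final ACK completes a proxied entry; True if it was queued."""
        self._tick(now)
        return self.queue.pop((src, sport, dst), None) is not None


def split_ingress_case(destination_threshold=None):
    """Constructed case from the text: attack threshold 20, 19 SYN/s via ethernet1 and
    19 SYN/s via ethernet2 for the same server, with and without a destination threshold."""
    s = SynFloodScreen(20, 10, destination_threshold=destination_threshold)
    v = Counter(s.syn(0, f"10.1.0.{i}", "1.1.1.10", "ethernet1") for i in range(19))
    v.update(s.syn(0, f"10.2.0.{i}", "1.1.1.10", "ethernet2") for i in range(19))
    return dict(v)


def alarm_case():
    """Attack threshold 2000, alarm 1000: 3001 SYN/s to one destination and ingress
    interface (spoofed, distinct sources) yields one alarm entry, one SYN over the line."""
    s = SynFloodScreen(2000, 1000, queue_size=4096)
    for i in range(3001):
        s.syn(0, f"3.3.{i // 256}.{i % 256}", "1.1.1.10", "ethernet3")
    s.end_second()
    return s.log


def source_case():
    """Source threshold 5: one source is limited across every destination and ingress
    interface even while each (dst, ingress) set stays under the attack threshold."""
    s = SynFloodScreen(20, 10, source_threshold=5)
    targets = [("1.1.1.10", "ethernet1"), ("1.1.1.20", "ethernet2")]
    return dict(Counter(s.syn(0, "2.2.2.5", *targets[i % 2], sport=i) for i in range(8)))


def queue_case():
    """Queue size 2, timeout 20 s: the third proxied SYN is refused until an entry
    completes its handshake or times out."""
    s = SynFloodScreen(0, 100, timeout=20, queue_size=2)
    v = [s.syn(0, "2.2.2.5", "1.1.1.10", "ethernet3", sport=p) for p in (1, 2, 3)]
    completed = s.ack(1, "2.2.2.5", "1.1.1.10", sport=1)                 # real client finishes
    v.append(s.syn(1, "2.2.2.5", "1.1.1.10", "ethernet3", sport=4))    # slot freed by the ACK
    v.append(s.syn(5, "2.2.2.5", "1.1.1.10", "ethernet3", sport=5))    # queue full again
    v.append(s.syn(20, "2.2.2.5", "1.1.1.10", "ethernet3", sport=6))   # sport 2 entry timed out
    return v, completed
```

Calling `split_ingress_case()` returns all 38 SYNs as `pass`, while `split_ingress_case(destination_threshold=20)` passes 20 and drops 18 with `drop-destination`, which is the 21st-packet behaviour the text describes; `alarm_case()` returns a single log entry for the 3001-SYN second; `queue_case()` shows the queue refusing the third proxied SYN, accepting one more once a client completes the handshake, and accepting again after the 20-second timeout ages an entry out.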
Example: SYN Flood Protection
In this example, you protect four Web servers in the DMZ zone from SYN flood attacks originating in the Untrust zone by enabling the SYN flood protection SCREEN option for the Untrust zone.
NOTE: We recommend that you augment the SYN flood protection that the security device provides with device-level SYN flood protection on each of the Web servers. In this example, the Web servers are running UNIX, which also provides some SYN flood defenses, such as adjusting the length of the connection request queue and changing the timeout period for incomplete connection requests.