SYN Defender (sim synatk, sim6 synatk, asg synatk)

A SYN flood attack occurs when a host, typically with a forged address, sends a flood of TCP/SYN packets. Each of these packets is handled as a connection request, which causes the server to create a "half-open connection": the gateway sends a TCP/SYN-ACK (Acknowledge) packet and waits for a response packet, which does not arrive. These half-open connections eventually exceed the maximum available connections, which causes a denial of service condition. SYN Defender protects the gateway by dropping excessive half-open connections.

You can use these commands to:

  • Configure a defense against an IPv4 SYN Flood attack (sim synatk).
  • Configure a defense against an IPv6 SYN Flood attack (sim6 synatk).
  • Monitor the system during attacks and normal system operation (asg synatk).

This protection works with Performance Pack.

Syntax

> sim synatk [-e] [-d] [-m] [-g] [-t <threshold>] [-a] [monitor] [monitor -v]
> sim6 synatk [-e] [-d] [-m] [-g] [-t <threshold>] [-a] [monitor] [monitor -v]
> asg synatk [-b <sgm_ids>] [-4 | -6]
> sim6 synatk -a

Parameter

Description

-e

Enable SYN Defender. This makes the system engage when it recognizes an attack on an external interface. External interfaces are defined in SmartDashboard. Internal interfaces are always in monitor mode.

-d

Disable SYN Defender.

-m

Set monitor mode. SYN Defender only sends a log when it recognizes an attack.

-g

Enforce on all interfaces.

-t <threshold>

Set the SYN Defender threshold number of half-opened connections.

-a

Use configuration from: $PPKDIR/conf/synatk.conf

monitor

Show the attack monitoring tool.

monitor -v

Show the attack monitoring tool with extra (verbose) information.

-b <sgm_ids>

Show the status for specified SGMs and Chassis.

Works with SGMs and/or Chassis as specified by <sgm_ids>.

<sgm_ids> can be:

  • No <sgm_ids> specified, or all (shows all SGMs and Chassis)
  • One SGM
  • A comma-separated list of SGMs (1_1,1_4)
  • A range of SGMs (1_1-1_4)
  • One Chassis (Chassis1 or Chassis2)
  • The active Chassis (chassis_active)

 

-6

Shows the IPv6 status only.

-4

Shows the IPv4 status only.
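
The quantity that the -t threshold and the monitor/enable modes act on is the number of half-open connections. The following is an added example, not Check Point code and not based on sim synatk output: it counts half-open (SYN_RECV) sockets in Linux /proc/net/tcp-format text and compares the total with a threshold. The function names, the "monitor"/"enforce" mode labels, and the sample data are assumptions made for illustration.

```python
import socket
import struct
from collections import Counter

SYN_RECV = 0x03  # Linux state code for a half-open (SYN received) socket

# Constructed /proc/net/tcp-style sample (trailing columns omitted): one
# listener, one established connection, four half-open connections.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0A0200C0:01BB 00000000:0000 0A 00000000:00000000
   1: 0A0200C0:01BB 056433C6:C350 01 00000000:00000000
   2: 0A0200C0:01BB 077100CB:9C41 03 00000000:00000000
   3: 0A0200C0:01BB 087100CB:9C42 03 00000000:00000000
   4: 0A0200C0:01BB 097100CB:9C43 03 00000000:00000000
   5: 0A0200C0:0050 0A7100CB:9C44 03 00000000:00000000
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' (IPv4, little-endian as on x86) into (ip, port)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def half_open_by_listener(proc_net_tcp):
    """Count SYN_RECV sockets per local (ip, port). Source addresses are
    ignored because a flood typically forges them."""
    counts = Counter()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and int(fields[3], 16) == SYN_RECV:
            counts[decode_endpoint(fields[1])] += 1
    return counts

def evaluate(proc_net_tcp, threshold, mode="monitor"):
    """Compare the half-open total with a threshold. The mode labels are
    hypothetical: 'monitor' only logs, 'enforce' also marks the excess to drop."""
    counts = half_open_by_listener(proc_net_tcp)
    total = sum(counts.values())
    excess = max(0, total - threshold)
    if excess == 0:
        action = "none"
    else:
        action = "log+drop" if mode == "enforce" else "log"
    return {"half_open": total, "excess": excess, "action": action,
            "by_listener": dict(counts)}

if __name__ == "__main__":
    print(evaluate(SAMPLE, threshold=3, mode="monitor"))
```

Grouping by listening port rather than by source shows which service is being targeted even when every SYN carries a different forged address.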

Related Topics

SYN Defender Configuration File

Monitoring a Syn Attack - Standard Output

Monitoring a SYN Attack - Verbose Output

Showing Syn Defender Status

 
©2014 Check Point Software Technologies Ltd. All rights reserved.