
SYN Defender (sim synatk, sim6 synatk, asg synatk)

A SYN flood attack occurs when a host, typically using a forged source address, sends a flood of TCP SYN packets. Each packet is handled as a connection request, so the gateway replies with a TCP SYN-ACK (acknowledge) packet and waits for the final ACK, which never arrives. Each such request is a "half-open connection". These half-open connections eventually exceed the maximum available connections, which causes a denial of service condition. SYN Defender protects the gateway by dropping excessive half-open connections.

You can use these commands to:

  • Configure a defense against an IPv4 SYN Flood attack. (sim synatk)
  • Configure a defense against an IPv6 SYN Flood attack. (sim6 synatk)
  • Monitor the system during attacks and normal system operation. (asg synatk)

This protection works with Performance Pack. SYN Defender disables templates, but does not turn off Performance Pack. Disabling templates can degrade Firewall performance.
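The following is an added example, not Check Point code, that models the half-open-connection accounting described above: a threshold (the -t value) on the half-open table, enforce mode (-e) that drops SYNs above it, and monitor mode (-m) that only logs. The addresses, ports and flood size are constructed.

```python
"""Toy model of SYN Defender's half-open-connection accounting.
Added example; not Check Point code. Addresses and ports are constructed."""
from dataclasses import dataclass, field


@dataclass
class SynDefender:
    threshold: int            # models -t <threshold>: half-open connections allowed
    enforce: bool = True      # True models -e (drop excess), False models -m (log only)
    half_open: set = field(default_factory=set)
    logs: list = field(default_factory=list)
    dropped: int = 0

    def on_syn(self, src, sport):
        """A SYN arrives: normally a SYN-ACK is sent and the entry becomes half-open."""
        if len(self.half_open) >= self.threshold:
            self.logs.append(f"attack: {len(self.half_open)} half-open, SYN from {src}:{sport}")
            if self.enforce:          # enforce mode drops the excess request
                self.dropped += 1
                return "drop"
        self.half_open.add((src, sport))   # waiting for the client's final ACK
        return "syn-ack"

    def on_ack(self, src, sport):
        """Final ACK of the handshake: the entry leaves the half-open table."""
        self.half_open.discard((src, sport))
        return "established"


def simulate(threshold, enforce):
    """Replay a constructed flood of 20 forged SYNs that never complete,
    then one legitimate client that finishes its handshake."""
    sd = SynDefender(threshold, enforce)
    results = [sd.on_syn(f"10.0.0.{i}", 40000 + i) for i in range(20)]
    legit = sd.on_syn("192.0.2.10", 5555)
    if legit == "syn-ack":
        sd.on_ack("192.0.2.10", 5555)
    return {
        "syn_acks": results.count("syn-ack"),
        "dropped": sd.dropped,
        "half_open": len(sd.half_open),
        "logged": len(sd.logs),
        "legit_client": legit,
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("enforce" if mode else "monitor", simulate(5, mode))
```

Running it with threshold 5 shows the trade-off: enforce mode caps the half-open table at 5 but also drops the legitimate client's SYN once the table is full, while monitor mode logs the same 16 events yet lets the table grow to 20.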

Syntax

sim synatk [-e] [-d] [-m] [-g] [-t <threshold>] [-a] [monitor] [monitor -v]
sim6 synatk [-e] [-d] [-m] [-g] [-t <threshold>] [-a] [monitor] [monitor -v]
asg synatk [-b <sgm_ids>] [-4 | -6]

Parameter

Description

-e

Enable SYN Defender. This makes the system engage when it recognizes an attack on an external interface. External interfaces are defined in SmartDashboard. Internal interfaces are always in monitor mode.

-d

Disable SYN Defender.

-m

Set monitor mode. SYN Defender only sends a log when it recognizes an attack; it does not drop connections.

-g

Enforce on all interfaces.

-t <threshold>

Set the SYN Defender threshold: the number of half-open connections above which an attack is recognized.

-a

Use the configuration from $PPKDIR/conf/synatk.conf.

monitor

Show the attack monitoring tool.

monitor -v

Show the attack monitoring tool with extra (verbose) information.

-b <sgm_ids>

Show the status for specified SGMs and Chassis.

Works with SGMs and/or Chassis as specified by <sgm_ids>.

The <sgm_ids> can be:

  • No <sgm_ids> specified, or all: shows all SGMs and Chassis
  • One SGM
  • A comma-separated list of SGMs (1_1,1_4)
  • A range of SGMs (1_1-1_4)
  • One Chassis (Chassis1 or Chassis2)
  • The active Chassis (chassis_active)


-6

Shows the IPv6 status only.

-4

Shows the IPv4 status only.

Related Topics

Monitoring a SYN Attack - Standard Output

Monitoring a SYN Attack - Verbose Output

Showing SYN Defender Status
