Accelerated SYN Defender

Introduction

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive.

These half-open TCP connections eventually exceed the maximum available TCP connections. This causes a denial of service condition.

To protect a Security Group, the Check Point Accelerated SYN Defender prevents excessive TCP connections from being created.

The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Group. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

This is a sample TCP timeline diagram that shows a TCP connection through the Security Group with the enabled Accelerated SYN Defender:

Note - In this example, we assume that there no TCP retransmissions and no early data.

               Security Group
Client         with Accelerated         Server
   |             SYN Defender              |
   |                   |                   |
   | -(1)--SYN-------> |                   |
   | <---SYN+ACK--(2)- |                   |
   | -(3)--ACK-------> |                   |
   |                   |                   |
   |                  (4)                  |
   |                   |                   |
   |                   | -(5)--SYN-------> |
   |                   | <---SYN+ACK--(6)- |
   |                   | -(7)--ACK-------> |
   |                   |                   |

  1. A Client sends a TCP [SYN] packet to a Server.

  2. The Accelerated SYN Defender replies to the Client with a TCP [SYN+ACK] packet that contains a special cookie in the Seq field.

    The Security Group does not maintain the connection state at this time.

  3. The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP connection.

  4. The Accelerated SYN Defender checks if the SYN cookie in the Client's TCP [ACK] packet is legitimate.

  5. If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYN Defender sends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.

  6. The Server replies with a TCP [SYN+ACK] packet.

  7. The Accelerated SYN Defender sends a TCP [ACK] packet to complete the Server-size of the TCP 3-way handshake.

  8. The Accelerated SYN Defender marks the TCP connection as established and records the TCP sequence adjustment between the two sides.

SecureXL handles the TCP [SYN] packets. The Security Group handles the rest of the TCP connection setup.

For each TCP connection the Accelerated SYN Defender establishes, the Security Group adjusts the TCP sequence number for the life of that TCP connection.

Command Line Interface

Use the fwaccel synatk commands to configure the Accelerated SYN Defender.

Configuring the 'SYN Attack' protection in SmartConsole

Configuring the 'SYN Attack' protection in SmartConsole is not supported for R80.20SP (Known Limitation MBS-5415).