Accelerated SYN Defender
Introduction
A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive.
These half-open TCP connections eventually exceed the maximum available TCP connections. This causes a denial of service condition.
To protect a Security Group
A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., the Check Point Accelerated SYN Defender prevents excessive TCP connections from being created.
The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. and on computers behind the Security Group. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.
This is a sample TCP timeline diagram that shows a TCP connection through the Security Group with the enabled Accelerated SYN Defender:
Note - In this example, we assume that there no TCP retransmissions and no early data.
Security Group
Client with Accelerated Server
| SYN Defender |
| | |
| -(1)--SYN-------> | |
| <---SYN+ACK--(2)- | |
| -(3)--ACK-------> | |
| | |
| (4) |
| | |
| | -(5)--SYN-------> |
| | <---SYN+ACK--(6)- |
| | -(7)--ACK-------> |
| | |
|
-
A Client sends a TCP [SYN] packet to a Server.
-
The Accelerated SYN Defender replies to the Client with a TCP [SYN+ACK] packet that contains a special cookie in the
Seqfield.The Security Group does not maintain the connection state at this time.
-
The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP connection.
-
The Accelerated SYN Defender checks if the SYN cookie in the Client's TCP [ACK] packet is legitimate.
-
If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYN Defender sends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.
-
The Server replies with a TCP [SYN+ACK] packet.
-
The Accelerated SYN Defender sends a TCP [ACK] packet to complete the Server-size of the TCP 3-way handshake.
-
The Accelerated SYN Defender marks the TCP connection as established and records the TCP sequence adjustment between the two sides.
SecureXL Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. handles the TCP [SYN] packets. The Security Group handles the rest of the TCP connection setup.
For each TCP connection the Accelerated SYN Defender establishes, the Security Group adjusts the TCP sequence number for the life of that TCP connection.
Command Line Interface
Use the fwaccel synatk commands to configure the Accelerated SYN Defender.
Configuring the 'SYN Attack' protection in SmartConsole
Configuring the 'SYN Attack' protection in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. is not supported for R80.20SP (Known Limitation MBS-5415).