Introduction
A TCP SYN Flood attack occurs when a host, typically using forged source IP addresses, sends a flood of TCP [SYN] packets. The server treats each TCP [SYN] packet as a connection request and creates a half-open (unestablished) TCP connection: it sends a TCP [SYN+ACK] packet and waits for the final TCP [ACK] packet of the handshake, which never arrives because the source address is forged.
These half-open TCP connections accumulate until they exhaust the server's limit for pending connections, so legitimate connection requests are refused. This causes a denial of service condition.
The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created.
The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of the initial TCP sequence number that encode the connection details, so that no state has to be kept for a half-open connection) when it suspects a TCP SYN Flood attack. Using TCP [SYN] Cookies reduces the load on the Security Gateway and on the computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts the TCP {SEQ} and TCP {ACK} values in TCP packets.
This is a sample TCP timeline diagram that shows a TCP connection through the Security Gateway with the Accelerated SYN Defender enabled:
Note - In this example, we assume that there are no TCP retransmissions and no early data.

    Client           Security Gateway with            Server
                     Accelerated SYN Defender
      |                        |                         |
      | -(1)--SYN------------> |                         |
      | <---SYN+ACK--(2)------ |                         |
      | -(3)--ACK------------> |                         |
      |                       (4)                        |
      |                        | -(5)--SYN-------------> |
      |                        | <---SYN+ACK--(6)------- |
      |                        | -(7)--ACK-------------> |
      |                        |                         |

Step (1) - The Client sends a TCP [SYN] packet to the Security Gateway.
Step (2) - The Security Gateway replies with a TCP [SYN+ACK] packet whose initial sequence number is a TCP [SYN] Cookie, carried in the TCP {SEQ} field. The Security Gateway does not maintain the connection state at this time. SecureXL handles the TCP [SYN] packets.
Step (3) - The Client sends a TCP [ACK] packet, which acknowledges the cookie.
Step (4) - The Security Gateway validates the cookie returned in the TCP [ACK] packet. Only a valid cookie causes a connection to be opened toward the Server.
Steps (5) to (7) - The Security Gateway completes the TCP handshake with the Server on behalf of the Client. The Host Security Gateway handles the rest of the TCP connection setup.
Because the Security Gateway chose the cookie as the initial sequence number toward the Client, while the Server chose its own initial sequence number in step (6), the two sides of the connection use different sequence number spaces. For each TCP connection the Accelerated SYN Defender establishes, the Security Gateway therefore adjusts the TCP {SEQ} and TCP {ACK} values by the difference between the two for the life of that TCP connection.
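The following is an added worked example, not code from the Check Point product or this guide: a small Python model of the proxied handshake in steps (1) to (7). It answers a TCP [SYN] statelessly with a cookie initial sequence number, opens the Server side only after the TCP [ACK] returns a valid cookie, and then rewrites TCP {SEQ} and TCP {ACK} by the difference between the Server's initial sequence number and the cookie. The cookie layout (5-bit time tick, 3-bit MSS index, 24-bit HMAC), the MSS table, the secret key, the addresses and the `Packet`, `SynDefender`, `demo` and `rejected` names are all assumptions made for the illustration; the product's real encoding is not documented on this page.

```python
"""Toy model of a SYN-cookie proxy handshake (added illustration, not Check Point code).
Cookie layout, HMAC, MSS table and all names below are assumptions for the example."""
import hashlib
import hmac
from dataclasses import dataclass

M32 = 0xFFFFFFFF
SECRET = b"example-gateway-secret"     # constructed key for the example
MSS_TABLE = (536, 1220, 1440, 1460)    # MSS values the 3-bit cookie field can carry
COOKIE_WINDOW = 4                      # accept cookies minted at most 4 ticks ago


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str            # "S", "SA", "A", "PA"
    mss: int = 0
    payload: bytes = b""


def _mac(src, dst, sport, dport, tick):
    msg = f"{src}|{dst}|{sport}|{dport}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, mss, tick):
    """Cookie ISN (assumed layout): 5-bit tick | 3-bit MSS index | 24-bit MAC over the 4-tuple."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = tick & 0x1F
    return (t << 27) | (idx << 24) | _mac(src, dst, sport, dport, t)


def check_cookie(src, dst, sport, dport, cookie, tick):
    """Return the MSS encoded in a fresh, authentic cookie, else None."""
    cookie &= M32
    t, idx = (cookie >> 27) & 0x1F, (cookie >> 24) & 0x7
    if ((tick & 0x1F) - t) % 32 > COOKIE_WINDOW:
        return None                                   # stale: minted too long ago
    if cookie & 0xFFFFFF != _mac(src, dst, sport, dport, t):
        return None                                   # forged, or cookie of another 4-tuple
    if idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[idx]


class SynDefender:
    """Gateway side. No per-connection state exists until a cookie-bearing ACK arrives."""

    def __init__(self, tick=0):
        self.tick = tick
        self.conns = {}   # (client, server, sport, dport) -> {"cookie", "delta"}

    def from_client(self, p):
        key = (p.src, p.dst, p.sport, p.dport)
        st = self.conns.get(key)
        if p.flags == "S":                                             # step (1) -> (2)
            isn = make_cookie(*key, mss=p.mss, tick=self.tick)
            return Packet(p.dst, p.src, p.dport, p.sport, isn, (p.seq + 1) & M32, "SA")
        if st is None:                                                 # step (3) -> (4)
            mss = check_cookie(*key, p.ack - 1, self.tick) if p.flags == "A" else None
            if mss is None:
                return None                                            # drop; nothing to free
            self.conns[key] = {"cookie": (p.ack - 1) & M32, "delta": None}
            # step (5): SYN toward the server, replaying the client's ISN and the recovered MSS
            return Packet(*key, (p.seq - 1) & M32, 0, "S", mss=mss)
        if st["delta"] is None:
            return None                          # server handshake still pending (not modelled)
        # data toward the server: shift ACK from cookie space into the server's ISN space
        return Packet(*key, p.seq, (p.ack + st["delta"]) & M32, p.flags, payload=p.payload)

    def from_server(self, p):
        key = (p.dst, p.src, p.dport, p.sport)
        st = self.conns.get(key)
        if st is None:
            return None
        if p.flags == "SA":                                            # step (6) -> (7)
            st["delta"] = (p.seq - st["cookie"]) & M32   # server ISN minus cookie ISN
            return Packet(*key, p.ack, (p.seq + 1) & M32, "A")
        # data toward the client: shift SEQ back into the cookie space the client knows
        return Packet(p.src, p.dst, p.sport, p.dport, (p.seq - st["delta"]) & M32,
                      p.ack, p.flags, payload=p.payload)


def demo(tick=10):
    """Run steps (1)-(7) plus one segment each way; return the packets the gateway emits."""
    gw = SynDefender(tick)
    C, S = "10.0.0.5", "192.0.2.10"          # constructed client / server addresses
    synack = gw.from_client(Packet(C, S, 40000, 443, 1000, 0, "S", mss=1460))
    cack = (synack.seq + 1) & M32             # the client acknowledges the cookie ISN
    syn2 = gw.from_client(Packet(C, S, 40000, 443, 1001, cack, "A"))
    ack2 = gw.from_server(Packet(S, C, 443, 40000, 777000, (syn2.seq + 1) & M32, "SA"))
    req = gw.from_client(Packet(C, S, 40000, 443, 1001, cack, "PA", payload=b"GET /"))
    resp = gw.from_server(Packet(S, C, 443, 40000, 777001, 1006, "PA", payload=b"200 OK"))
    return synack, syn2, ack2, req, resp


def rejected(tick=10):
    """Two ACKs the gateway must drop: a forged one, and a genuine one that has gone stale."""
    C, S = "10.0.0.5", "192.0.2.10"
    forged = SynDefender(tick).from_client(Packet(C, S, 40000, 443, 1001, 12345, "A"))
    gw = SynDefender(tick)
    sa = gw.from_client(Packet(C, S, 40000, 443, 1000, 0, "S", mss=1460))
    gw.tick += COOKIE_WINDOW + 1
    stale = gw.from_client(Packet(C, S, 40000, 443, 1001, (sa.seq + 1) & M32, "A"))
    return forged, stale


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
    print("rejected:", rejected())
```

The point to take from `demo()` is that the Server's SYN+ACK (step 6) carries sequence number 777000 while the Client was told the cookie value in step (2); after the handshake, the Client's segment acknowledging cookie+1 reaches the Server acknowledging 777001, and the Server's segment at 777001 reaches the Client at cookie+1. A flood of forged SYNs only costs one HMAC per reply and allocates nothing in `conns`, which is what the page means by the gateway not maintaining connection state at step (2). The model does not handle retransmissions, early data or window scaling, the same simplifications the timeline above makes.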
Command Line Interface
Use the commands below to configure the Accelerated SYN Defender: 'fwaccel synatk' (IPv4) and 'fwaccel6 synatk' (IPv6).
Configuring the 'SYN Attack' protection in SmartConsole
The 'SYN Attack' protection is intended for mitigating SYN Flood attacks. Note how its settings interact with the command line configuration:
If you select Override with Action and then Accept or Drop, it overrides the settings you make on the Security Gateway with the 'fwaccel synatk' and 'fwaccel6 synatk' commands.
The option you select in the Activation Settings (Protect all interfaces or Protect external interfaces only) overrides the settings you make on the Security Gateway with the 'fwaccel synatk' and 'fwaccel6 synatk' commands.
For more information about the 'SYN Attack' protection in SmartConsole, see sk120476.