Accelerated SYN Defender

Introduction

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive.

These half-open TCP connections eventually exceed the maximum available TCP connections. This causes a denial of service condition.

The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created.

The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

This is a sample TCP timeline diagram that shows a TCP connection through the Security Gateway with the enabled Accelerated SYN Defender:

Note - In this example, we assume that there no TCP retransmissions and no early data.

Security Gateway Client with Accelerated Server | SYN Defender | | | | | -(1)--SYN-------> | | | <---SYN+ACK--(2)- | | | -(3)--ACK-------> | | | | | | (4) | | | | | | -(5)--SYN-------> | | | <---SYN+ACK--(6)- | | | -(7)--ACK-------> | | | |

1. A Client sends a TCP [SYN] packet to a Server.
2. The Accelerated SYN Defender replies to the Client with a TCP [SYN+ACK] packet that contains a special cookie in the Seq field. Security Gateway does not maintain the connection state at this time.
3. The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP connection.
4. The Accelerated SYN Defender checks if the SYN cookie in the Client's TCP [ACK] packet is legitimate.
5. If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYN Defender sends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.
6. The Server replies with a TCP [SYN+ACK] packet.
7. The Accelerated SYN Defender sends a TCP [ACK] packet to complete the Server-size of the TCP 3-way handshake.
8. The Accelerated SYN Defender marks the TCP connection as established and records the TCP sequence adjustment between the two sides.

SecureXL handles the TCP [SYN] packets. The Host Security Gateway handles the rest of the TCP connection setup.

For each TCP connection the Accelerated SYN Defender establishes, the Security Gateway adjusts the TCP sequence number for the life of that TCP connection.

Command Line Interface

Use the commands below to configure the Accelerated SYN Defender:

'g_fwaccel synatk' and 'g_fwaccel6 synatk'

Configuring the 'SYN Attack' protection in SmartConsole

Configuring the 'SYN Attack' protection in SmartConsole is not supported for R80.30SP (MBS-5415).