Accelerated SYN Defender

Introduction

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive.

These half-open TCP connections eventually exceed the maximum available TCP connections. This causes a denial of service condition.

The Check Point Accelerated SYN Defender protects the Security Gateway (Scalable Platform Security Group) by preventing excessive TCP connections from being created.

The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on the computers behind the Security Gateway (Scalable Platform Security Group). The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts the TCP {SEQ} and TCP {ACK} values in TCP packets.

This is a sample TCP timeline diagram that shows a TCP connection through the Security Gateway (Scalable Platform Security Group) with the Accelerated SYN Defender enabled:

Note - In this example, we assume that there are no TCP retransmissions and no early data.

              Security Gateway
Client         with Accelerated         Server
   |             SYN Defender              |
   |                   |                   |
   | -(1)--SYN-------> |                   |
   | <---SYN+ACK--(2)- |                   |
   | -(3)--ACK-------> |                   |
   |                   |                   |
   |                  (4)                  |
   |                   |                   |
   |                   | -(5)--SYN-------> |
   |                   | <---SYN+ACK--(6)- |
   |                   | -(7)--ACK-------> |
   |                   |                   |
  1. A Client sends a TCP [SYN] packet to a Server.

  2. The Accelerated SYN Defender replies to the Client with a TCP [SYN+ACK] packet that contains a special cookie in the Seq field.

    The Security Gateway (Scalable Platform Security Group) does not maintain the connection state at this time.

  3. The Client sends a reply TCP [ACK] packet. This completes the Client-side of the TCP connection.

  4. The Accelerated SYN Defender checks if the SYN cookie in the Client's TCP [ACK] packet is legitimate.

  5. If the SYN cookie in the Client's TCP [ACK] packet is legitimate, the Accelerated SYN Defender sends a TCP [SYN] packet to the Server to begin the Server-side of the TCP connection.

  6. The Server replies with a TCP [SYN+ACK] packet.

  7. The Accelerated SYN Defender sends a TCP [ACK] packet to complete the Server-side of the TCP 3-way handshake.

  8. The Accelerated SYN Defender marks the TCP connection as established and records the TCP sequence adjustment between the two sides.

SecureXL handles the TCP [SYN] packets. The Security Gateway (Scalable Platform Security Group) handles the rest of the TCP connection setup.

For each TCP connection the Accelerated SYN Defender establishes, the Security Gateway (Scalable Platform Security Group) adjusts the TCP sequence number for the life of that TCP connection.
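The following is an added example that models steps (1) through (8) above as a small stateless SYN-cookie proxy; it is illustrative code, not Check Point's implementation. The cookie construction (a keyed hash of the 4-tuple plus a coarse clock packed into a 32-bit ISN), the secret, the addresses and the sequence numbers are all constructed for the example. It shows why a flood of SYNs from forged sources allocates nothing, why a reply that does not carry a valid cookie is simply dropped, and how the sequence offset recorded at step (8) is applied to every later packet of the connection.

```python
import hashlib
import hmac

# Added example (not Check Point's implementation): a toy model of the
# SYN-cookie proxy handshake in steps (1)-(8). Packets are dicts with
# "flags", "seq" and "ack"; a flow is the (client ip, client port,
# server ip, server port) 4-tuple. Secret and addresses are constructed.

MASK32 = 0xFFFFFFFF
COUNTER_BITS = 3                     # top bits of the cookie carry a coarse clock
COUNTER_MASK = (1 << COUNTER_BITS) - 1
HASH_MASK = (1 << (32 - COUNTER_BITS)) - 1


class SynDefender:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0        # advanced by tick(), e.g. once per minute
        self.pending = {}       # flow -> (cookie, client_isn), only after the client ACK validates
        self.established = {}   # flow -> seq delta (server ISN - cookie)

    def tick(self):
        """Advance the coarse clock; cookies older than one tick stop validating."""
        self.counter += 1

    def _cookie(self, flow, counter):
        """Keyed hash of the 4-tuple and clock value, packed into a 32-bit ISN."""
        cip, cport, sip, sport = flow
        msg = f"{cip}:{cport}>{sip}:{sport}@{counter}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        h = int.from_bytes(digest[:4], "big") & HASH_MASK
        return ((counter & COUNTER_MASK) << (32 - COUNTER_BITS)) | h

    # Steps (1)-(2): answer the SYN with a SYN+ACK whose Seq is the cookie.
    # No state is kept, so forged-source SYNs cost the defender nothing.
    def on_client_syn(self, flow, client_isn):
        return {"flags": "SYN+ACK",
                "seq": self._cookie(flow, self.counter),
                "ack": (client_isn + 1) & MASK32}

    # Steps (3)-(5): recover the cookie from Ack-1, validate it against the
    # current and previous clock value, and only then open the server side.
    def on_client_ack(self, flow, seq, ack):
        cookie = (ack - 1) & MASK32
        tag = cookie >> (32 - COUNTER_BITS)
        for c in (self.counter, self.counter - 1):
            if c >= 0 and (c & COUNTER_MASK) == tag and self._cookie(flow, c) == cookie:
                client_isn = (seq - 1) & MASK32
                self.pending[flow] = (cookie, client_isn)
                # Reuse the client's ISN so the client->server Seq needs no rewrite.
                return {"flags": "SYN", "seq": client_isn, "ack": 0}
        return None  # forged or expired cookie: drop, nothing to clean up

    # Steps (6)-(8): complete the server-side handshake and record the offset
    # between the server's real ISN and the cookie the client believes in.
    def on_server_synack(self, flow, server_isn):
        entry = self.pending.pop(flow, None)
        if entry is None:
            return None  # SYN+ACK for a flow we never opened
        cookie, client_isn = entry
        self.established[flow] = (server_isn - cookie) & MASK32
        return {"flags": "ACK",
                "seq": (client_isn + 1) & MASK32,
                "ack": (server_isn + 1) & MASK32}

    # Per-packet adjustment for the life of the connection: server->client Seq
    # is shifted down by the delta, client->server Ack is shifted up by it.
    def server_to_client_seq(self, flow, seq):
        return (seq - self.established[flow]) & MASK32

    def client_to_server_ack(self, flow, ack):
        return (ack + self.established[flow]) & MASK32


if __name__ == "__main__":
    d = SynDefender(b"constructed-secret")
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443)
    synack = d.on_client_syn(flow, 1000)                 # (1)-(2)
    syn = d.on_client_ack(flow, 1001, (synack["seq"] + 1) & MASK32)  # (3)-(5)
    ack = d.on_server_synack(flow, 5000)                 # (6)-(8)
    print("delta:", d.established[flow], "server seq 5001 ->",
          d.server_to_client_seq(flow, 5001))
```

Two properties of the real mechanism are visible here: `on_client_syn` stores nothing, so the only per-SYN cost is one keyed hash, and a cookie embeds a coarse clock value so that a stale or replayed ACK fails validation after the clock advances twice. Because the SYN sent to the server reuses the client's ISN, only the server's sequence space has to be translated, which is the adjustment the text says is applied for the life of the connection.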

Command Line Interface

Use the fwaccel synatk commands to configure the Accelerated SYN Defender.

Configuring the IPS 'SYN Attack' protection in SmartConsole

Important - Scalable Platform Security Group does not support the configuration of the IPS 'SYN Attack' protection in SmartConsole (Known Limitation MBS-5415).

The IPS 'SYN Attack' protection is intended to mitigate SYN Flood attacks.

  1. Connect with SmartConsole to the Management Server.

  2. From the left navigation panel, click Security Policies.

  3. In the Shared Policies section, click Inspection Settings.

  4. In the top field, search for SYN Attack.

  5. Double-click on the SYN Attack protection.

  6. Edit the applicable Inspection profile.

  7. Configure the applicable settings in the profile:

    • On the General Properties page:

      If you select Override with Action and then Accept or Drop, it overrides the settings you make on the Security Gateway with the fwaccel synatk commands.

    • On the Advanced page:

      The option you select in the Activation Settings (Protect all interfaces or Protect external interfaces only) overrides the settings you make on the Security Gateway with the fwaccel synatk commands.

  9. Install the Access Control Policy.

For more information about the SYN Attack protection in SmartConsole, see sk120476.