A SYN Flood Protection mode is the level of protection you select to defend against half-open TCP sessions and high-frequency SYN packet transmissions. The feature offers three levels of SYN Flood Protection.
To configure the Layer 3 SYN Flood Protection - SYN Proxy
Do one of the following:
Add a new DoS Action Profile.
Edit an existing DoS Action Profile: hover over it and click the Edit icon.
By default, the Add DoS Action Profile page opens with the Flood Protection > Layer 3 SYN Flood Protection - SYN Proxy option.
Enable SYN Flood Protection to turn on a SYN Flood Protection mode.
Select the protection mode from the SYN Flood Protection Mode drop-down menu.
Watch and Report Possible SYN Floods |
Monitors SYN traffic on all interfaces and logs suspected SYN flood activity that exceeds a packet-count threshold. This option does not turn on the SYN Proxy, so the device forwards the TCP three-way handshake without modification. |
Proxy WAN Client Connections When Attack is Suspected |
Enables the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second exceeds a specified threshold. This lets the device continue to process valid traffic during the attack without degrading performance. Proxy mode remains enabled until all WAN SYN flood attacks stop or until the device blacklists all attacking sources using the SYN Blacklisting feature. |
Always Proxy WAN Client Connections |
Sets the device to always use SYN Proxy on WAN interfaces. |
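How the three modes react to the count of incomplete connection attempts, as an added example written for this page rather than SonicOS code: a Python model that buckets a constructed WAN trace into one-second windows, counts the SYNs whose completing ACK never arrives in that window, and applies the mode's rule (log only; proxy on while the count exceeds the threshold, off once it drops back; proxy always). The threshold of 20, the per-second bucketing and the trace itself are assumptions; the device's real counters and the SYN Blacklisting logic are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    WATCH_AND_REPORT = 1      # log only; the handshake passes through untouched
    PROXY_WHEN_SUSPECTED = 2  # turn the SYN proxy on while the flood lasts
    ALWAYS_PROXY = 3          # every WAN SYN is answered by the firewall


@dataclass(frozen=True)
class Pkt:
    ts: float   # seconds since start of the trace
    src: str
    sport: int
    flags: str  # "S" = SYN from a WAN client, "A" = the ACK that completes the handshake


def incomplete_per_second(packets):
    """Per one-second bucket: SYNs whose completing ACK did not arrive in that bucket."""
    syns, acks = defaultdict(set), defaultdict(set)
    for p in packets:
        sec = int(p.ts)
        (syns if p.flags == "S" else acks)[sec].add((p.src, p.sport))
    last = int(max(p.ts for p in packets))
    return [len(syns[s] - acks[s]) for s in range(last + 1)]


def run_mode(packets, mode, threshold):
    """Return (second, incomplete_count, proxy_active, events) for each second."""
    out, proxy = [], mode is Mode.ALWAYS_PROXY
    for sec, n in enumerate(incomplete_per_second(packets)):
        events = []
        suspected = n > threshold
        if suspected and mode is not Mode.ALWAYS_PROXY:
            events.append(f"possible SYN flood: {n} incomplete/s > {threshold}")
        if mode is Mode.PROXY_WHEN_SUSPECTED:
            if suspected and not proxy:
                proxy = True
                events.append("SYN proxy enabled on WAN")
            elif not suspected and proxy:      # stays on until the flood stops
                proxy = False
                events.append("SYN proxy disabled, flood over")
        out.append((sec, n, proxy, events))
    return out


def make_trace():
    """Constructed WAN trace: 3 real clients/s throughout, 50 spoofed SYNs/s in seconds 2-4."""
    pkts = []
    for sec in range(6):
        for i in range(3):
            ts, src, sport = sec + 0.1 * i, f"203.0.113.{10 + i}", 40000 + sec * 10 + i
            pkts.append(Pkt(ts, src, sport, "S"))
            pkts.append(Pkt(ts + 0.05, src, sport, "A"))   # real clients finish the handshake
        if 2 <= sec <= 4:
            for j in range(50):   # spoofed sources never answer the SYN/ACK
                pkts.append(Pkt(sec + j / 100, f"198.51.100.{j % 254 + 1}", 50000 + j, "S"))
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for sec, n, proxy, events in run_mode(make_trace(), Mode.PROXY_WHEN_SUSPECTED, 20):
        print(sec, n, "proxy" if proxy else "passthrough", "; ".join(events))
```

Running the model shows the difference the page describes: Watch and Report produces three log entries and never proxies, Proxy When Suspected logs the same three seconds but also turns the proxy on at second 2 and off again at second 5 once the count is back under the threshold, and Always Proxy proxies every second and logs nothing.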
Set the SYN-PROXY OPTIONS.
If one of the two proxying modes is selected, the SYN Proxy options give you more control over what the firewall sends to WAN clients while in SYN Proxy mode. When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply and waits for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply; the firewall identifies them by this lack of response and blocks their spoofed connection attempts. Because the SYN/ACK is manufactured before the server is contacted, the firewall cannot know which TCP options (such as MSS and SACK) the server itself would have advertised in its SYN/ACK, so the options below tell the firewall what to advertise.
All LAN/DMZ servers support the TCP SACK |
Enables SACK (Selective Acknowledgment), so that when a packet is dropped, the receiving device indicates which packets it did receive. Enable this option only when all servers behind the firewall that are accessed from the WAN support the SACK option. |
Limit MSS sent to WAN clients (when connections are proxied) |
Enables the Maximum TCP MSS sent to WAN clients option. |
Maximum TCP MSS sent to WAN clients |
Enter the maximum MSS (Maximum Segment Size) value. The default is 1460, the minimum is 32, and the maximum is 1460. This caps the TCP segment size the firewall advertises, preventing a segment that is too large from being sent to the targeted server. For example, if the server is an IPsec gateway, it might need to limit the MSS it receives to leave room for IPsec headers when tunneling traffic. Because the proxy answers the client before the server is contacted, the firewall cannot know what MSS the server would have advertised in its own SYN/ACK; this setting controls the manufactured MSS value sent to WAN clients instead. If you override the default of 1460, only that value or a smaller one is advertised to the client in the SYN/ACK cookie. Setting this value too low reduces throughput when the SYN Proxy is always enabled; setting it too high can break connections if the server responds with a smaller MSS value. |
Always log SYN packets received |
Logs every SYN packet received. This option is only available with the two proxying modes. When using Proxy WAN Client Connections When Attack is Suspected, these options can be set conservatively, because they affect only connections proxied while a SYN flood is taking place; this keeps legitimate connections working during an attack. |
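The proxy sequence described under the SYN Proxy options, as an added example written for this page (not SonicOS code): a stateless SYN-cookie proxy in Python that answers every WAN SYN with a manufactured SYN/ACK, advertises an MSS clamped to the configured cap and a SACK flag only when the option is enabled, and hands a connection to the server only after an ACK arrives that proves the client saw the SYN/ACK. The cookie layout, the MSS_TABLE values, the secret, and every packet in demo() are assumptions constructed for the example; the 1380 cap stands in for an IPsec gateway that needs header room.

```python
import hashlib
import hmac
import struct

# Constructed MSS table (not SonicOS's): the cookie carries only 3 bits for the
# advertised MSS, so the cap is quantized to the largest entry <= the cap.
MSS_TABLE = (536, 1220, 1380, 1460)
U32 = 0xFFFFFFFF


def _hash24(secret, src, sport, dst, dport, counter, client_isn):
    """Keyed 24-bit tag over the 4-tuple, a coarse time counter and the client's ISN."""
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}|{client_isn}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_cookie(secret, src, sport, dst, dport, counter, client_isn, mss_idx):
    """ISN layout (assumed): 5 bits counter | 3 bits MSS index | 24 bits keyed hash."""
    tag = _hash24(secret, src, sport, dst, dport, counter, client_isn)
    return ((counter & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | tag


def check_cookie(secret, cookie, src, sport, dst, dport, counter, client_isn, max_age=1):
    """Return the MSS index encoded in a valid cookie, or None if it was not ours."""
    for age in range(max_age + 1):          # accept the current and the previous epoch
        cnt = counter - age
        if cnt < 0 or (cnt & 0x1F) != (cookie >> 27) & 0x1F:
            continue
        if _hash24(secret, src, sport, dst, dport, cnt, client_isn) == cookie & 0xFFFFFF:
            return (cookie >> 24) & 0x7
    return None


class SynProxy:
    """Firewall-side SYN proxy: no state per half-open connection, only a secret."""

    def __init__(self, secret, max_mss=1460, sack_supported=False, log_all_syns=False):
        self.secret, self.max_mss = secret, max_mss
        self.sack_supported, self.log_all_syns = sack_supported, log_all_syns
        self.counter = 0        # caller bumps this periodically so old cookies expire
        self.forwarded = []     # handshakes that were actually passed to the server
        self.log = []

    def on_syn(self, pkt):
        """Answer a WAN SYN with a manufactured SYN/ACK; the server is not contacted."""
        if self.log_all_syns:
            self.log.append(("syn", pkt["src"], pkt["sport"]))
        # Advertise the smaller of the client's MSS and the configured cap, quantized.
        mss = min(pkt["options"].get("mss", 536), self.max_mss)
        fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
        mss_idx = fitting[-1] if fitting else 0
        cookie = make_cookie(self.secret, pkt["src"], pkt["sport"], pkt["dst"],
                             pkt["dport"], self.counter, pkt["seq"], mss_idx)
        return {"src": pkt["dst"], "sport": pkt["dport"], "dst": pkt["src"],
                "dport": pkt["sport"], "flags": "SA", "seq": cookie,
                "ack": (pkt["seq"] + 1) & U32,
                "options": {"mss": MSS_TABLE[mss_idx], "sack": self.sack_supported}}

    def on_ack(self, pkt):
        """Third leg: forward to the server only if the ACK number proves the client
        received our SYN/ACK (spoofed sources never get this far)."""
        client_isn = (pkt["seq"] - 1) & U32
        cookie = (pkt["ack"] - 1) & U32
        mss_idx = check_cookie(self.secret, cookie, pkt["src"], pkt["sport"],
                               pkt["dst"], pkt["dport"], self.counter, client_isn)
        if mss_idx is None:
            self.log.append(("bogus_ack", pkt["src"], pkt["sport"]))
            return False
        # The MSS promised to the client is recovered from the cookie, not from memory.
        self.forwarded.append({"client": (pkt["src"], pkt["sport"]),
                               "mss": MSS_TABLE[mss_idx]})
        return True


def demo():
    """Constructed exchange: one real client, a spoofed flood, one forged ACK."""
    fw = SynProxy(secret=b"rotate-this-secret", max_mss=1380)  # 1380: room for IPsec overhead
    syn = {"src": "203.0.113.7", "sport": 51000, "dst": "192.0.2.10", "dport": 443,
           "flags": "S", "seq": 0x11223344, "ack": 0, "options": {"mss": 1460, "sack": True}}
    synack = fw.on_syn(syn)
    ack = {"src": syn["src"], "sport": syn["sport"], "dst": syn["dst"], "dport": syn["dport"],
           "flags": "A", "seq": (syn["seq"] + 1) & U32,
           "ack": (synack["seq"] + 1) & U32, "options": {}}
    legit_ok = fw.on_ack(ack)
    for i in range(1000):   # spoofed SYNs: each gets a SYN/ACK, none reaches the server
        fw.on_syn({"src": f"198.51.100.{i % 254 + 1}", "sport": 1024 + i, "dst": "192.0.2.10",
                   "dport": 443, "flags": "S", "seq": (i * 7919) & U32, "ack": 0,
                   "options": {"mss": 1460}})
    forged_ok = fw.on_ack({"src": "198.51.100.9", "sport": 2000, "dst": "192.0.2.10",
                           "dport": 443, "flags": "A", "seq": 1, "ack": 0xDEADBEEF,
                           "options": {}})
    return {"legit_ok": legit_ok, "forged_ok": forged_ok,
            "advertised_mss": synack["options"]["mss"], "sack": synack["options"]["sack"],
            "server_connections": len(fw.forwarded), "server_mss": fw.forwarded[0]["mss"]}


if __name__ == "__main__":
    print(demo())
```

The point to take from demo() is that after one real handshake and a thousand spoofed SYNs the server has seen exactly one connection: the flood costs the firewall a SYN/ACK per packet but no memory, and the forged ACK is rejected because its acknowledgment number does not validate against the secret. The SACK flag in the SYN/ACK is False even though the client offered SACK, which is what leaving the "All LAN/DMZ servers support the TCP SACK" option off means for WAN clients.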