[ScreenOS] What is a SYN Fragment Attack and how it can be prevented?

[KB4720]

A SYN fragment attack floods the target host with fragmented SYN packets. The host holds each fragment in its IP reassembly buffer, waiting for the remaining fragments of the datagram to arrive so it can reassemble them, but the attacker never sends them. Because these half-received connections can never be completed, the host's reassembly memory eventually fills. No further connections are possible, and the host's operating system can crash or otherwise be damaged.

The Internet Protocol (IP) encapsulates the Transmission Control Protocol (TCP) SYN segment that initiates a TCP connection in an IP packet. Because the purpose of this packet is to initiate a connection and invoke a SYN/ACK segment in response, the SYN segment typically does not contain any data. The packet is therefore small (an IP header plus a TCP header, each at most 60 bytes even with options), far below any link MTU, so there is no legitimate reason for it to be fragmented. A fragmented SYN packet is anomalous, and as such suspect. To be cautious, block such unknown elements from entering your protected network.

ScreenOS provides a SCREEN option called "SYN Fragment Protection" (referred to as SYN Fragment Detection in the guide) which protects against this anomaly. For more details, refer to the ScreenOS Concepts & Examples Guide, Attack Detection and Defense Mechanisms, which describes the option as follows:

When you enable the SYN Fragment Detection SCREEN option, the security device detects packets when the IP header indicates that the packet has been fragmented and the SYN flag is set in the TCP header. The security device records the event in the SCREEN counters list for the ingress interface.

To drop IP packets containing SYN fragments, do either of the following, where the specified security zone is the one from which the packets originate (for traffic arriving from the Internet this is normally the Untrust zone):

WebUI: Screening > Screen (Zone: select a zone name): Select SYN Fragment Protection, then click Apply.

CLI: set zone <zone-name> screen syn-frag

Remember to save the configuration afterwards, and confirm that the option is active for the zone with get zone <zone-name> screen.
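The following is an added example, not ScreenOS code from the guide or from this article: a small Python detector that applies the same check the SCREEN option describes (the IP header says the packet is fragmented, and the TCP SYN flag is set) to raw IPv4 packets, and a drop loop that plays the role of the per-interface SCREEN counter. The packet builders, addresses and sample traffic are all constructed here for the demonstration. It also shows the one case the text does not spell out: the TCP flags only exist in the first fragment, so a non-first fragment, or a "tiny" first fragment that ends before the flags field, cannot be judged by this check alone and is reported with syn set to None rather than being silently passed as clean.

```python
import socket
import struct

# Added example, not ScreenOS code: a minimal SYN-fragment detector over raw IPv4
# packets, mirroring the SCREEN check "IP header says fragmented AND TCP SYN set".

IP_PROTO_TCP = 6
IP_MF = 0x2000            # More Fragments bit in the 16-bit flags/fragment-offset word
IP_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units
TCP_SYN = 0x02


def _ipv4_checksum(header: bytes) -> int:
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, src: str, dst: str, proto: int = IP_PROTO_TCP,
               mf: bool = False, frag_offset: int = 0, ident: int = 0x1234) -> bytes:
    """Constructed test packet: 20-byte IPv4 header (no options) plus payload."""
    flags_frag = (IP_MF if mf else 0) | (frag_offset & IP_OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int, seq: int = 0) -> bytes:
    """Constructed 20-byte TCP header with no options; the TCP checksum is left
    zero because the flag check below never needs it."""
    data_offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       data_offset_flags, 65535, 0, 0)


def classify(packet: bytes) -> dict:
    """Inspect one IPv4 packet the way the screen does.

    'syn' is None when the TCP flags are not visible: the packet is not TCP,
    it is a non-first fragment (which carries no TCP header at all), or the
    first fragment is too short to reach the 14 bytes up to the flags field.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    mf = bool(flags_frag & IP_MF)
    offset = flags_frag & IP_OFFSET_MASK
    fragmented = mf or offset != 0
    syn = None
    if proto == IP_PROTO_TCP and offset == 0 and len(packet) >= ihl + 14:
        tcp_flags = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0] & 0x1FF
        syn = bool(tcp_flags & TCP_SYN)
    return {
        "fragmented": fragmented,
        "first_fragment": fragmented and offset == 0,
        "syn": syn,
        "syn_frag": fragmented and syn is True,
    }


def screen_syn_frag(packets):
    """Apply the drop action. Returns (passed, dropped, counter); the counter
    stands in for the ingress interface's SCREEN counter in the article."""
    passed, dropped = [], []
    for pkt in packets:
        (dropped if classify(pkt)["syn_frag"] else passed).append(pkt)
    return passed, dropped, len(dropped)


# Constructed sample traffic (no real hosts): a normal SYN, a SYN carried in the
# first fragment of a fragmented datagram, that datagram's non-first fragment,
# and a tiny first fragment that cuts the TCP header off before the flags field.
NORMAL_SYN = build_ipv4(build_tcp(40000, 80, TCP_SYN), "10.0.0.1", "10.0.0.2")
SYN_FRAG_FIRST = build_ipv4(build_tcp(40001, 80, TCP_SYN) + b"\x00" * 4,
                            "10.0.0.1", "10.0.0.2", mf=True, frag_offset=0)
SYN_FRAG_REST = build_ipv4(b"\x00" * 16, "10.0.0.1", "10.0.0.2",
                           mf=False, frag_offset=3)
TINY_FIRST = build_ipv4(build_tcp(40002, 80, TCP_SYN)[:8],
                        "10.0.0.1", "10.0.0.2", mf=True, frag_offset=0)

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_SYN), ("syn_frag_first", SYN_FRAG_FIRST),
                      ("syn_frag_rest", SYN_FRAG_REST), ("tiny_first", TINY_FIRST)]:
        print(name, classify(pkt))
```

Only the first fragment can trigger the SYN-fragment check, so on a real device the remaining fragments of the same datagram are left to the fragment reassembly and tiny-fragment handling rather than to this screen; a detector that reports "syn: None" for those packets makes that limit visible instead of hiding it.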
