
[ScreenOS] What is a SYN Flood Attack and how can it be prevented?

  [KB4818]


Summary:
This article provides information about the SYN Flood Attack and how it can be prevented.
Symptoms:
A SYN flood occurs when a host becomes so overwhelmed by SYN segments, which initiate connection requests that are never completed, that it can no longer process legitimate connection requests. Two hosts establish a TCP connection with a triple exchange of packets, known as a three-way handshake: A sends a SYN segment to B, B responds with a SYN/ACK segment, and A responds with an ACK segment.

A SYN flood attack inundates a site with SYN segments whose source IP addresses are forged (spoofed) so that they point to non-existent or unreachable hosts. B responds with SYN/ACK segments to these addresses and then waits for the ACK segments that would complete the handshakes. Because the SYN/ACK segments are sent to non-existent or unreachable IP addresses, they never elicit responses, and the half-open connections eventually time out.

By flooding a host with incomplete TCP connections, the attacker eventually fills the memory buffer in which the victim tracks half-open connections. When this buffer is full, the host can no longer process new TCP connection requests. The flood might even damage the victim's operating system. Either way, the attack disables the victim and its normal operations.

For more information, refer to the ScreenOS Concepts & Examples Guide - Attack Detection and Defense Mechanisms, Release 6.3.0, Rev. 02.
Cause:

Solution:
ScreenOS devices provide a Screen Option, known as SYN Flood Protection, which imposes a limit on the number of SYN segments that are permitted to pass through the firewall per second. You can base the attack threshold on the destination address and port, the destination address only, or the source address only. When the number of SYN segments per second exceeds one of these thresholds, the security device starts proxying incoming SYN segments: it replies with SYN/ACK segments on behalf of the protected host and stores the incomplete connection requests in a connection queue. An incomplete connection request remains in the queue until the connection is completed or the request times out; the protected host never sees the SYN unless the client finishes the handshake.

If the proxied connection queue fills up completely, the security device starts rejecting new incoming SYN segments. Because the rejection happens on the security device, the hosts on the protected network are shielded from the bombardment of incomplete three-way handshakes.

By default, the SYN Flood protection screen option is enabled on the Untrust zone. To enable the SYN Flood protection screen option and define its parameters, perform either of the following tasks, where the specified zone is the zone in which a SYN flood might originate:


WebUI:

Go to Security > Screening > Screen (Zone: select a zone name), type the following information, and then click Apply:



Attack threshold: This threshold is evaluated per destination IP address and ingress interface (physical or logical port). Assume that the attack threshold is 20: the threshold is triggered only if 20 SYN packets per second (PPS) arrive for the same destination IP address through the same ingress interface. If 20 PPS arrive for the same destination but are distributed among multiple ingress interfaces, the attack threshold is not triggered.

Alarm Threshold: The number of proxied, half-completed connections per second at which an alarm is entered in the Event Alarm log. The alarm counts only proxied connections, so it is measured on top of the attack threshold. For example, if the attack threshold is set at 2000 SYN packets per second (PPS) and the alarm threshold at 1000, then a total of 3001 SYN PPS is required to trigger an alarm entry in the log: the first 2000 are passed, the next 1000 are proxied without alarm, and the 3001st exceeds the alarm threshold.

Destination Threshold: This threshold is based only on the destination IP address, regardless of ingress interface. Assume that the destination threshold is 20 and that 5 connections per second arrive through each of four ingress interfaces to this destination IP (20 PPS in all): the destination threshold is triggered. It is equally triggered if all 20 PPS arrive through a single ingress interface.

Source Threshold: This threshold is based only on the source IP address, regardless of ingress interface. Assume that the source threshold is 20 and that 5 connections per second arrive through each of four ingress interfaces from this source IP address (20 PPS in all): the source threshold is triggered. It is equally triggered if all 20 PPS arrive through a single ingress interface.

Note: When all three thresholds are configured and either the source or the destination threshold is reached, the ScreenOS device drops the packet and does not proxy the incoming SYN packets. The ScreenOS device performs TCP proxying only when the attack threshold is reached. Because a SYN flood typically uses spoofed source addresses that vary widely, the per-source threshold rarely trips on its own; the destination and attack thresholds are the ones that normally catch it.

Timeout Value: The maximum time, before a half-completed connection is dropped from the queue. The range is 0–50 seconds; the default is 20 seconds.

Queue Size: The number of proxied connection requests that the proxied connection queue can hold. Once the queue is full, the security device starts rejecting new connection requests.

Drop Unknown MAC (Transparent Mode Only): By default, a security device in Transparent mode that has detected a SYN attack passes SYN packets that contain unknown MAC addresses. Select this option to instruct the device to drop SYN packets that contain unknown destination MAC addresses, instead of letting them pass.


CLI:

To enable SYN Flood protection, use the following command:
set zone <Zone-name> screen syn-flood
The following parameters tune how uncompleted TCP connection requests are proxied (appending ? to the command lists the available keywords):

set zone trust screen syn-flood ?
<return>
alarm-threshold          set SYN flood alarm threshold
attack-threshold         set SYN flood protection threshold
destination-threshold    set SYN flood to the same destination threshold
queue-size               set SYN flood queue size
source-threshold         set SYN flood from the same source threshold
timeout                  set SYN attack protection ager timeout
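The interplay of the thresholds above (attack threshold counted per destination and ingress interface, destination and source thresholds that drop rather than proxy, alarm threshold counted on proxied connections only, queue size and timeout) is easier to see in a small model. The following Python script is an added example written for this article; it is not ScreenOS code or Juniper's implementation. The threshold values, IP addresses and interface names in it are illustrative, and it treats a threshold as crossed when the per-second count exceeds the configured value, which is the reading under which the article's 2000/1000 example needs 3001 SYN per second to raise an alarm.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

PASS, PROXY = "pass", "proxy"
DROP_SOURCE, DROP_DESTINATION, DROP_QUEUE_FULL = (
    "drop-source", "drop-destination", "drop-queue-full")


@dataclass
class SynFloodScreen:
    """Model of a per-zone SYN flood screen; thresholds are SYN segments per second.
    Illustrative code, not ScreenOS. Time (now) must be passed in non-decreasing."""
    attack_threshold: int        # same destination IP via same ingress interface
    alarm_threshold: int         # proxied half-open connections per second
    destination_threshold: int   # same destination IP, any ingress interface
    source_threshold: int        # same source IP, any ingress interface
    queue_size: int              # capacity of the proxied connection queue
    timeout: int = 20            # seconds a half-open entry stays queued (article default)
    alarms: list = field(default_factory=list)          # seconds in which an alarm was logged
    _second: int = -1
    _dst_ifc: dict = field(default_factory=lambda: defaultdict(int))
    _dst: dict = field(default_factory=lambda: defaultdict(int))
    _src: dict = field(default_factory=lambda: defaultdict(int))
    _proxied: int = 0
    _queue: deque = field(default_factory=deque)        # entries: (expiry, src, dst)

    def _tick(self, now):
        # Counters are per second; the queue is aged by the timeout ("ager").
        if now != self._second:
            self._second = now
            self._dst_ifc.clear()
            self._dst.clear()
            self._src.clear()
            self._proxied = 0
        while self._queue and self._queue[0][0] <= now:
            self._queue.popleft()

    def syn(self, now, src, dst, ingress):
        """Decide the fate of one SYN segment; returns one of the verdict strings."""
        self._tick(now)
        self._src[src] += 1
        self._dst[dst] += 1
        self._dst_ifc[(dst, ingress)] += 1
        # Source and destination thresholds drop the SYN outright: nothing is proxied.
        if self._src[src] > self.source_threshold:
            return DROP_SOURCE
        if self._dst[dst] > self.destination_threshold:
            return DROP_DESTINATION
        # Below the attack threshold the SYN is passed through to the real host.
        if self._dst_ifc[(dst, ingress)] <= self.attack_threshold:
            return PASS
        # Above it the device proxies: SYN/ACK on the host's behalf, entry queued.
        if len(self._queue) >= self.queue_size:
            return DROP_QUEUE_FULL
        self._queue.append((now + self.timeout, src, dst))
        self._proxied += 1
        if self._proxied == self.alarm_threshold + 1:   # one log entry per second
            self.alarms.append(now)
        return PROXY

    def ack(self, src, dst):
        """Client completed the handshake: its half-open entry leaves the queue."""
        for entry in self._queue:
            if entry[1:] == (src, dst):
                self._queue.remove(entry)
                return True
        return False

    def half_open(self):
        return len(self._queue)


def alarm_example():
    """Article figures: attack 2000, alarm 1000 -> the 3001st SYN/s raises the alarm."""
    s = SynFloodScreen(attack_threshold=2000, alarm_threshold=1000,
                       destination_threshold=100000, source_threshold=100000,
                       queue_size=4096)
    first_proxy = first_alarm = None
    for i in range(1, 3002):            # constructed flood: 3001 SYN in one second
        verdict = s.syn(0, f"203.0.113.{i % 254 + 1}", "192.0.2.10", "ethernet1")
        if verdict == PROXY and first_proxy is None:
            first_proxy = i
        if s.alarms and first_alarm is None:
            first_alarm = i
    return first_proxy, first_alarm


def destination_example():
    """Destination threshold counts across ingress interfaces; attack threshold does not."""
    s = SynFloodScreen(attack_threshold=20, alarm_threshold=1000,
                       destination_threshold=20, source_threshold=100000,
                       queue_size=1024)
    spread = [s.syn(1, f"203.0.113.{i + 1}", "192.0.2.10", f"ethernet{i % 4 + 1}")
              for i in range(21)]      # 21 SYN spread over four interfaces
    t = SynFloodScreen(attack_threshold=20, alarm_threshold=1000,
                       destination_threshold=100000, source_threshold=100000,
                       queue_size=1024)
    single = [t.syn(1, f"203.0.113.{i + 1}", "192.0.2.10", "ethernet1")
              for i in range(21)]      # same 21 SYN, one interface, attack threshold trips
    return spread[:20].count(PASS), spread[20], single[20]


def queue_example():
    """A full proxy queue rejects SYNs; ACKs and the timeout ager free slots again."""
    s = SynFloodScreen(attack_threshold=0, alarm_threshold=1000,   # 0: proxy every SYN
                       destination_threshold=100000, source_threshold=100000,
                       queue_size=3, timeout=20)
    dst = "192.0.2.10"
    burst = [s.syn(5, f"203.0.113.{i}", dst, "ethernet1") for i in range(1, 5)]
    s.ack("203.0.113.2", dst)                              # one client completes
    after_ack = s.syn(6, "203.0.113.9", dst, "ethernet1")
    late = s.syn(25, "203.0.113.10", dst, "ethernet1")     # t=5 entries aged out
    return burst, after_ack, late, s.half_open()
```

alarm_example() returns (2001, 3001): the 2001st SYN in a second is the first one proxied and the 3001st is the one that logs the alarm. destination_example() shows 21 SYNs spread over four ingress interfaces being dropped by the destination threshold while the same 21 SYNs on one interface are proxied by the attack threshold instead, and queue_example() shows the fourth SYN against a queue of three being rejected until an ACK or the 20-second ager frees a slot. The CLI equivalent of the first example, using the keywords from the listing above, is "set zone untrust screen syn-flood attack-threshold 2000" followed by "set zone untrust screen syn-flood alarm-threshold 1000".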
For more information about SYN Flood Protection, refer to the following articles:

Related Links: