
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916

SYN flood attacks

This section describes:

What is a SYN flood attack?

How SYN floods work

The FortiGate IPS Response to SYN flood attacks

Configuring SYN flood protection

Suggested settings for different network conditions

What is a SYN flood attack?

A SYN flood is a type of Denial of Service (DoS) attack. DoS is a class of attacks
in which an attacker attempts to prevent legitimate users from accessing an
Internet service, for example, a web server. In a SYN flood, the attacker floods a
server with TCP connection requests (SYN packets) whose handshakes are never
completed. Each half-open connection occupies a slot in the server's TCP
connection table until it times out, and the flood arrives faster than slots are
freed, so the table fills. When the connection table is full, the server cannot
accept any new connections, and the web site it hosts becomes inaccessible to
legitimate users.

This section provides information about SYN flood attacks and the FortiGate IPS
methods of preventing such attacks.

How SYN floods work

SYN floods work by exploiting the handshake that TCP uses to establish a
connection. An attacker floods a server with connection attempts (SYN packets) but
never sends the final acknowledgement in reply to the server's SYN/ACK, so every
attempt is left half-open on the server. The SYN packets usually carry spoofed
source addresses, so the server's replies go to hosts that never requested a
connection and the final ACK can never arrive.

TCP uses a three-step process (the three-way handshake) to establish a connection.

Figure 15: Establishing a TCP/IP connection

1. The originator of the connection sends a SYN packet (a packet with the SYN flag
set in the TCP header) to initiate the connection.

2. The receiver sends a SYN/ACK packet (a packet with the SYN and ACK flags set
in the TCP header) back to the originator to acknowledge the connection attempt.
The receiver now holds a half-open connection while it waits for the final step.

3. The originator then sends an ACK packet (a packet with the ACK flag set in the
TCP header) back to the receiver to open the connection.
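The following is an added example, not part of the FortiGate guide: a small Python model of the three-step handshake above and of what a SYN flood does to a server whose table of pending connections is finite. No real sockets or packets are used; the Segment and Server classes, the backlog of 128 slots, the 30-second half-open timeout, the attack rate and the client and attacker addresses (taken from the RFC 5737 documentation ranges) are all constructed for illustration.

```python
"""Toy model of the TCP three-way handshake and of a SYN flood against a
server whose table of pending (half-open) connections is finite.
Constructed example using plain Python objects, not real sockets."""
from dataclasses import dataclass, field

SYN = 0x02   # TCP header flag bits
ACK = 0x10


@dataclass
class Segment:
    src: str        # source address; the attacker spoofs this field
    sport: int
    flags: int
    seq: int
    ack: int = 0


@dataclass
class Server:
    """Listening server: each half-open connection occupies one table slot."""
    backlog: int                     # slots for SYN-received (half-open) entries
    syn_timeout: float = 30.0        # seconds before a half-open entry is reclaimed
    half_open: dict = field(default_factory=dict)   # (src, sport) -> (isn, time)
    established: set = field(default_factory=set)
    dropped_syns: int = 0
    _next_isn: int = 1000            # predictable ISN: fine for a model, not for a stack

    def expire(self, now):
        """Reclaim slots whose step 3 never arrived within syn_timeout."""
        stale = [k for k, (_, t) in self.half_open.items() if now - t > self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def receive(self, seg, now=0.0):
        self.expire(now)
        key = (seg.src, seg.sport)
        if seg.flags == SYN:                                 # step 1: SYN
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1                       # table full: refused
                return None
            isn = self._next_isn
            self._next_isn += 1
            self.half_open[key] = (isn, now)                 # now half-open
            return Segment("server", 80, SYN | ACK, isn, seg.seq + 1)   # step 2
        if seg.flags == ACK and key in self.half_open:       # step 3: ACK
            isn, _ = self.half_open.pop(key)
            if seg.ack == isn + 1:
                self.established.add(key)
        return None


def handshake(server, src, sport, now=0.0):
    """A legitimate client performs all three steps; True if ESTABLISHED."""
    syn = Segment(src, sport, SYN, seq=100)
    synack = server.receive(syn, now)
    if synack is None or synack.flags != SYN | ACK or synack.ack != syn.seq + 1:
        return False                                          # SYN was refused
    server.receive(Segment(src, sport, ACK, seq=synack.ack, ack=synack.seq + 1), now)
    return (src, sport) in server.established


def syn_flood(server, count, rate, start=0.0):
    """Attacker sends `count` SYNs at `rate` per second from spoofed sources and
    never answers the SYN/ACKs, so every accepted SYN stays half-open.
    Returns how many table slots the flood is holding when it stops."""
    for i in range(count):
        src = f"198.51.100.{i % 254 + 1}"          # spoofed documentation-range address
        server.receive(Segment(src, 1024 + i, SYN, seq=i), start + i / rate)
    return len(server.half_open)


def demo(backlog=128, syn_timeout=30.0):
    srv = Server(backlog, syn_timeout)
    before = handshake(srv, "203.0.113.7", 50000, now=0.0)
    # Any rate above backlog / syn_timeout (about 4.3 SYN/s here) outpaces the
    # timeouts, so the table stays full for as long as the flood lasts.
    held = syn_flood(srv, count=1000, rate=50.0, start=1.0)
    during = handshake(srv, "203.0.113.8", 50001, now=21.0)      # mid-flood client
    after = handshake(srv, "203.0.113.9", 50002, now=21.0 + syn_timeout + 1)
    return {"before": before, "held": held, "during": during, "after": after,
            "dropped": srv.dropped_syns}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows a legitimate handshake succeeding on an idle server, 1000 unanswered SYNs occupying all 128 slots (the remaining 872 are refused), a legitimate client being refused while the flood's entries are still pending, and service returning once the half-open entries time out. In this model the attacker only has to sustain more than backlog / syn_timeout SYNs per second to keep the table full indefinitely, which is why the attack costs the attacker so little relative to the damage it causes.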
