The fortigate ips response to syn flood attacks, What is syn threshold, What is syn proxy – Fortinet Network Device IPS User Manual

FortiGate IPS User Guide Version 3.0 MR7

52

01-30007-0080-20080916

The FortiGate IPS Response to SYN flood attacks

SYN flood attacks

After the handshaking process is complete the connection is open and data
exchange can begin between the originator and the receiver, in this case the web
browser and the web server.

Between steps 2 and 3 however, the web server keeps a record of any incomplete
connections until it receives the ACK packet. A SYN flood attacker sends many
SYN packets but never replies with the final ACK packet.

Since most systems have only a limited amount of space for TCP/IP connection
records, a flood of incomplete connections will quickly block legitimate users from
accessing the server. Most TCP/IP implementations use a fairly long timeout
before incomplete connections are cleared from the connection table and traffic
caused by a SYN flood is much higher than normal network traffic.

The FortiGate IPS Response to SYN flood attacks

The FortiGate unit uses a defense method that combines the SYN Threshold and
SYN Proxy methods to prevent SYN flood attacks.

What is SYN threshold?

An IPS device establishes a limit on the number of incomplete TCP connections,
and discards SYN packets if the number of incomplete connections reaches the
limit.

What is SYN proxy?

An IPS proxy device synthesizes and sends the SYN/ACK packet back to the
originator, and waits for the final ACK packet. After the proxy device receives the
ACK packet from the originator, the IPS device then "replays" the three-step
sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the
receiver.

How IPS works to prevent SYN floods

The FortiGate IPS uses a pseudo SYN proxy to prevent SYN flood attack. The
pseudo SYN proxy is an incomplete SYN proxy that reduces resource usage and
provides better performance than a full SYN proxy approach.

The IPS allows users to set a limit or threshold on the number of incomplete TCP
connections. The threshold can be set either from the CLI or the web-based
manager.

When the IPS detects that the total number of incomplete TCP connections to a
particular target exceeds the threshold, the pseudo SYN proxy is triggered to
operate for all subsequent TCP connections. The pseudo SYN proxy will
determine whether a new TCP connection is a legitimate request or another SYN
flood attack based on a “best-effect” algorithm. If a subsequent connection
attempt is detected to be a normal TCP connection, the IPS will allow a TCP
connection from the source to the target. If a subsequent TCP connection is
detected to be a new incomplete TCP connection request, one of the following
actions will be taken: Drop, Reset, Reset Client, Reset Server, Drop Session,
Pass Session, Clear Session, depending upon the user configuration for SYN
Flood anomaly in the IPS.