Stopping SYN Flood attacks

A SYN Flood attack is a type of Denial of Service (DoS) attack that seeks to prevent your public services (such as email and Web servers) from being accessible to users on the Internet.

To understand how a SYN Flood works, consider a normal TCP connection. A user's Web browser tries to connect to your server by sending what is called a SYN segment. Your Web server acknowledges the browser by sending what is called a SYN+ACK segment. When the browser sees the SYN+ACK, it sends an ACK segment. The server is ready to accept the URL request from the browser when it sees the ACK segment. However, until the ACK segment has been received, the server is "stuck"; it knows the browser wants to communicate, but the connection is not yet established. Many servers in use today can handle only a finite number of these half-open connections at a time. They are stored in a backlog until they are completed or time out. When the server's backlog is full, no new connections can be accepted.

A SYN Flood attack attempts to fill up the victim server's backlog by sending a flood of SYN segments without ever sending an ACK. When the backlog fills up, the server will be unavailable to users.

The WatchGuard Firebox System can help defend your servers against a SYN Flood attack by tracking the number of SYNs that are sent without a following ACK. If this number exceeds the threshold you define, the SYN Flood protection feature will self-activate. Once active, further connection attempts from the external side of the Firebox must be verified before being allowed to reach your servers. Connections that cannot be verified are not allowed through, thus protecting your server from having a full backlog.

The SYN Flood protection feature will self-deactivate when it senses the attack is over.
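The half-open counting and self-activate/self-deactivate behaviour described above, as an added example that is not part of the original page or of WatchGuard's own code; the class name, the per-flow key, the threshold and timeout values and the sample trace are all assumptions:

```python
from dataclasses import dataclass, field

@dataclass
class SynFloodMonitor:
    """Count half-open TCP connections (SYN seen, final ACK not yet seen) and
    raise a protection flag when that count passes a threshold.
    Hypothetical illustration of the behaviour described above, not Firebox code."""
    threshold: int          # half-open connections tolerated before protection activates
    timeout: float          # seconds before an unanswered SYN is dropped from the backlog
    half_open: dict = field(default_factory=dict)  # (src, sport, dst, dport) -> SYN time
    active: bool = False

    def observe(self, t, src, sport, dst, dport, flags):
        """Process one client-side segment and return the protection state."""
        key = (src, sport, dst, dport)
        if flags == "SYN":
            self.half_open[key] = t            # new backlog entry (or retransmitted SYN)
        elif flags == "ACK" and key in self.half_open:
            del self.half_open[key]            # handshake completed; leaves the backlog
        elif flags == "RST":
            self.half_open.pop(key, None)      # client gave up; entry released
        self._expire(t)
        # Self-activate above the threshold, self-deactivate once the backlog drains.
        self.active = len(self.half_open) > self.threshold
        return self.active

    def _expire(self, now):
        stale = [k for k, ts in self.half_open.items() if now - ts > self.timeout]
        for k in stale:
            del self.half_open[k]

def replay(monitor, events):
    """Feed (time, src, sport, dst, dport, flags) records; return the state after each."""
    return [monitor.observe(*e) for e in events]

# Constructed sample trace (not a real capture): one legitimate handshake, then a
# burst of SYNs from a single host that never completes them, then a later SYN
# after the stale entries have timed out.
SAMPLE = [
    (0.0, "203.0.113.5", 40001, "192.0.2.10", 80, "SYN"),
    (0.1, "203.0.113.5", 40001, "192.0.2.10", 80, "ACK"),
] + [
    (1.0 + i * 0.01, "198.51.100.7", 50000 + i, "192.0.2.10", 80, "SYN") for i in range(6)
] + [
    (40.0, "203.0.113.5", 40002, "192.0.2.10", 80, "SYN"),
]

def run_sample(threshold=4, timeout=30.0):
    return replay(SynFloodMonitor(threshold, timeout), SAMPLE)
```

With the sample trace, protection switches on at the fifth unanswered SYN and switches off again once those entries have timed out and the legitimate SYN arrives.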

From Policy Manager:

  1. On the toolbar, click the Default Packet Handling icon.
    You can also, from Policy Manager, select Setup => Intrusion Prevention => Default Packet Handling.
    The Default Packet Handling dialog box appears.
  2. Enable the checkbox marked Block SYN Flood Attacks.

Related topics:

Default Packet Handling

Blocking spoofing attacks

Blocking port space and address space attacks

Stopping IP options attacks

Changing SYN flood settings

Copyright © 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.