Active SYN flood defenses can occasionally prevent legitimate connection attempts from being completed. If you find that too many legitimate connection attempts fail when your SYN flood defense is active, you can change SYN flood settings to minimize this problem.
You can set the maximum number of incomplete TCP connections the Firebox allows before the SYN flood defense is activated. The default setting of 60 means that when the number of TCP connections waiting to be validated climbs to 61 or above, SYN flood defense is activated. Conversely, when the number of connections waiting for validation drops to 59 or fewer, SYN flood defense is deactivated. You might need to adjust this setting to custom-fit the SYN Flood protection feature for your network.

Every time the feature self-activates, the Firebox records the log message SYN Validation: activated. When the feature self-deactivates, it records the log message SYN Validation: deactivated. If these messages occur frequently when your server is not under attack, the Maximum Incomplete Connections setting may be too low. If the SYN Flood protection feature is not preventing attacks from affecting your server, the setting may be too high. Consult your server's documentation for help choosing a new value, or experiment by adjusting the setting until the problems disappear.

The validation timeout controls how long the Firebox "remembers" clients that pass the validation test. The default setting of 120 seconds means that a client that drops a legitimate connection has a two-minute window to reconnect without being challenged again. Setting the validation timeout to zero seconds means that legitimate connections are "forgotten" as soon as they are dropped, so every connection attempt made while the defense is active is challenged.
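The following model of the two settings is an added example and is not WatchGuard's code. The Firebox's real implementation is not described on this page, so the state machine below is an assumption built only from the documented behaviour: the defense activates when the incomplete-connection count rises above the Maximum Incomplete Connections setting, deactivates when it drops below it, and a client that passes validation is not challenged again for the validation timeout (zero means never remembered). The class and method names, the constructed log-line layout, and the IP addresses in the scenario are all this example's own.

```python
"""Model of the Firebox SYN flood defense settings described above.

Added example, not WatchGuard code: the state machine is an assumption
that follows only the documented behaviour (activation above Maximum
Incomplete Connections, deactivation below it, validation timeout that
remembers validated clients). Names and log layout are this example's own.
"""
import re
from dataclasses import dataclass, field

ACTIVATED = "SYN Validation: activated"
DEACTIVATED = "SYN Validation: deactivated"


@dataclass
class SynDefense:
    max_incomplete: int = 60           # Maximum Incomplete Connections
    validation_timeout: float = 120.0  # seconds a validated client is remembered
    active: bool = False
    incomplete: int = 0                # half-open connections pending at the server
    validated: dict = field(default_factory=dict)  # client -> time it passed validation
    log: list = field(default_factory=list)        # (time, message)

    def _update_state(self, now: float) -> None:
        # Hysteresis around the setting: with 60, on at 61 or above,
        # off at 59 or below; exactly 60 keeps the current state.
        if not self.active and self.incomplete > self.max_incomplete:
            self.active = True
            self.log.append((now, ACTIVATED))
        elif self.active and self.incomplete < self.max_incomplete:
            self.active = False
            self.log.append((now, DEACTIVATED))

    def is_remembered(self, client: str, now: float) -> bool:
        t = self.validated.get(client)
        return t is not None and now - t < self.validation_timeout

    def handle_syn(self, client: str, now: float) -> str:
        """'forward' if the SYN reaches the server, 'challenge' if the
        Firebox validates the client first (no server state is consumed)."""
        if self.active and not self.is_remembered(client, now):
            return "challenge"
        self.incomplete += 1
        self._update_state(now)
        return "forward"

    def challenge_passed(self, client: str, now: float) -> str:
        """Client answered the challenge: remember it (unless timeout is 0)
        and open its connection to the server."""
        if self.validation_timeout > 0:
            self.validated[client] = now
        self.incomplete += 1
        self._update_state(now)
        return "forward"

    def server_done(self, now: float) -> None:
        """A forwarded connection completed or timed out at the server."""
        self.incomplete -= 1
        self._update_state(now)


def simulate(validation_timeout: float = 120.0) -> dict:
    """Constructed scenario: 70 spoofed SYNs that never complete, then one
    real client that is challenged, passes, and reconnects twice."""
    fb = SynDefense(validation_timeout=validation_timeout)
    spoofed = [fb.handle_syn(f"198.51.100.{i}", 0.0) for i in range(70)]
    first = fb.handle_syn("192.0.2.10", 10.0)        # defense is on: challenged
    fb.challenge_passed("192.0.2.10", 11.0)
    fb.server_done(12.0)                              # its handshake completes
    retry_soon = fb.handle_syn("192.0.2.10", 100.0)   # 89 s after validation
    if retry_soon == "forward":
        fb.server_done(101.0)
    retry_late = fb.handle_syn("192.0.2.10", 200.0)   # 189 s after validation
    for i in range(3):                                # spoofed half-opens time out
        fb.server_done(300.0 + i)
    return {"forwarded_before_activation": spoofed.count("forward"),
            "first": first, "retry_soon": retry_soon, "retry_late": retry_late,
            "log": [msg for _, msg in fb.log], "active_at_end": fb.active}


# Constructed log layout "YYYY-MM-DD HH:MM:SS message"; the real Firebox
# line layout is not shown on this page, only the message text.
LOG_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d):\d\d:\d\d (SYN Validation: (?:de)?activated)$")


def activations_per_hour(lines) -> dict:
    """Count activation messages per hour: frequent activations outside an
    attack suggest Maximum Incomplete Connections is set too low."""
    counts = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(2) == ACTIVATED:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


SAMPLE_LOG = [  # constructed sample lines
    "2003-05-01 09:00:01 SYN Validation: activated",
    "2003-05-01 09:00:40 SYN Validation: deactivated",
    "2003-05-01 09:12:03 SYN Validation: activated",
    "2003-05-01 09:12:30 SYN Validation: deactivated",
    "2003-05-01 10:30:00 SYN Validation: activated",
    "2003-05-01 10:31:00 SYN Validation: deactivated",
]

if __name__ == "__main__":
    print(simulate())
    print(simulate(validation_timeout=0))
    print(activations_per_hour(SAMPLE_LOG))
```

Run it as a script: with the default 120 second timeout the real client's reconnect at 100 seconds is forwarded and the one at 200 seconds is challenged again; with a timeout of zero both reconnects are challenged. In both runs only the first 61 spoofed SYNs consume server state, and the defense logs one activation and, once the half-open connections drain below 60, one deactivation.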
From Policy Manager:
Related topics:
Blocking port space and address space attacks
Copyright
© 1996 - 2003 WatchGuard Technologies, Inc. All rights reserved.
Legal Notice/Terms of Use