A SYN Flood attack is a type of Denial of Service (DoS) attack. It tries to prevent authorized users from accessing your public services (e.g. e-mail, Web servers). The SYN Flood attack abuses a part of the usual TCP connection procedure. The usual TCP procedure is as follows:
Until the server receives the ACK segment, the server is "stuck". Many servers can accept only a specified number of open connections at a time. The server keeps pending connections in a backlog until they are completed or time out. A SYN Flood attack tries to fill up the backlog of the server: it sends many SYN segments and no ACK. When the backlog is full, the server is not available to the users.
The WatchGuard® System Manager can help protect your servers against a SYN Flood attack. It monitors the number of SYN segments without an ACK segment. If this number gets larger than the specified maximum, the SYN Flood protection starts and all new connections must have verification. The SYN Flood protection tool stops when the attack stops.
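The monitoring idea described above, modeled as an added example (this is not WatchGuard code): count SYN segments that have no matching ACK, switch protection on when the count exceeds a maximum, and switch it off once pending entries complete or time out. The class name, the threshold of 3, the 5-second timeout and the sample traffic are all assumptions made for the illustration.

```python
from collections import OrderedDict

class SynFloodMonitor:
    """Counts SYN segments not yet followed by an ACK (hypothetical model)."""

    def __init__(self, max_half_open=3, timeout=5.0):
        self.max_half_open = max_half_open  # assumed "specified maximum"
        self.timeout = timeout              # assumed seconds before a pending SYN times out
        self.pending = OrderedDict()        # (ip, port) -> time the SYN was seen
        self.protecting = False

    def _expire(self, now):
        # Oldest entries come first; drop those that have timed out.
        while self.pending:
            src, seen = next(iter(self.pending.items()))
            if now - seen < self.timeout:
                break
            del self.pending[src]

    def observe(self, now, src, flag):
        """Feed one segment; return True while protection is active."""
        self._expire(now)
        if flag == "SYN":
            self.pending.pop(src, None)     # a retransmitted SYN restarts its timer
            self.pending[src] = now
        elif flag == "ACK":
            self.pending.pop(src, None)     # handshake completed
        # Protection starts above the maximum and stops once the count falls back.
        self.protecting = len(self.pending) > self.max_half_open
        return self.protecting

def replay(events, **kwargs):
    """Run a list of (time, source, flag) events through a fresh monitor."""
    monitor = SynFloodMonitor(**kwargs)
    return [monitor.observe(t, src, flag) for t, src, flag in events]

# Constructed sample traffic (documentation address ranges, not a real capture).
SAMPLE_EVENTS = (
    [(0.0, ("192.0.2.10", 40000), "SYN"), (0.1, ("192.0.2.10", 40000), "ACK")]
    + [(1.0 + i / 10, ("198.51.100.%d" % (i + 1), 1024 + i), "SYN") for i in range(5)]
    + [(2.0, ("192.0.2.11", 40001), "SYN"), (2.1, ("192.0.2.11", 40001), "ACK"),
       (10.0, ("192.0.2.12", 40002), "SYN")]
)

if __name__ == "__main__":
    for event, state in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "protection ON" if state else "protection off")
```

In the sample, protection turns on at the fourth unanswered SYN and turns off again once the unanswered entries have timed out.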
Copyright
© 1996 - 2005 WatchGuard Technologies, Inc. All rights reserved.