SYN flood attack
Every TCP/IP stack can hold only a limited number of pending (half-open) connections, because each one ties up memory and a slot in the listen backlog. A SYN flood exploits that limit. The attacker sends a stream of SYN packets whose source addresses are spoofed or unallocated, initiating connections that can never be completed: the server answers each SYN with a SYN-ACK, but the ACK that would finish the handshake never arrives, because no host at that address sent the SYN. Each such SYN leaves a half-open connection behind on the server. Enough of them exhaust the backlog, and legitimate clients cannot connect until the half-open entries time out. Even on hosts that do not cap the number of half-open connections, the flood still consumes system resources such as memory.

How to Protect
The Firewall defends against SYN floods by limiting the rate of SYN packets; the limit can be applied per interface, per IP address or per security zone. Which further measure applies depends on whether the Firewall sees both directions of the TCP handshake. When the inbound and outbound paths are the same, the Firewall can use the TCP proxy function: it completes the handshake with the client itself and opens the connection to the protected server only after the client's ACK arrives, so SYNs from spoofed addresses never consume server state. When the inbound and outbound paths differ (asymmetric routing), the Firewall does not see the server's SYN-ACK and the proxy cannot work; configure TCP source IP probing instead. It uses reverse probing: the Firewall probes the source IP address of each TCP SYN that passes through it and lets the packets through only if the address proves to be a real, reachable host. This is an effective measure against SYN floods launched from spoofed (virtual) source IP addresses; a flood sent from real, compromised hosts passes the probe and must still be caught by the rate limit.
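The following simulation is an added example, not Huawei code or firewall configuration. It models what the text describes: a server whose half-open connection table is exhausted by SYNs from addresses that never ACK, then the same server behind an aggregate SYN rate limit on a zone, and behind a TCP proxy. The proxy is modelled as a SYN cookie (the SYN-ACK's initial sequence number is an HMAC of the 4-tuple and a time slot, so no state is kept until a valid ACK arrives); the page does not say how the Firewall's TCP proxy is implemented, so that choice, the capacity of 256, the 60 s timeout and the 100 SYN/s limit are assumptions. Reverse source IP probing is not modelled because it needs a probe to leave the box. All addresses are constructed test data.

```python
"""Model of a SYN flood against a bounded half-open table, plus two mitigations:
an aggregate SYN rate limit and a stateless TCP proxy (SYN cookie).
Illustrative simulation, not firewall code; addresses are constructed test data."""
import hashlib
import hmac


class Backlog:
    """Server-side table of half-open connections with fixed capacity and timeout."""

    def __init__(self, capacity, timeout):
        self.capacity, self.timeout = capacity, timeout
        self.half_open = {}       # (src_ip, src_port) -> time the SYN was accepted
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        for key, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[key]

    def syn(self, src, now):
        """SYN arrives: allocate a half-open entry, or drop it if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped_syns += 1
            return False
        self.half_open[src] = now
        return True

    def ack(self, src, now):
        """Third handshake packet arrives: complete the connection if a SYN is pending."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True


class TokenBucket:
    """SYN rate limiter; `key` may be a source IP, an interface or a zone name."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # key -> (tokens, time of last update)

    def allow(self, key, now):
        tokens, last = self.state.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


class SynCookieProxy:
    """Answers every SYN with a SYN-ACK whose ISN is a keyed hash of the 4-tuple and
    a 64-second time slot, keeps no state, and opens the real server connection only
    when an ACK carrying a valid cookie arrives. A spoofed source never receives the
    SYN-ACK, so it can never produce that ACK."""

    def __init__(self, secret, server):
        self.secret, self.server = secret, server

    def _cookie(self, src, dst, slot):
        msg = f"{src}|{dst}|{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def syn(self, src, dst, now):
        """Return the ISN to place in the SYN-ACK; no table entry is created."""
        return self._cookie(src, dst, int(now) // 64)

    def ack(self, src, dst, ack_num, now):
        """Validate the cookie (current or previous slot), then complete the
        handshake with the real server on the client's behalf."""
        slot = int(now) // 64
        if ack_num - 1 not in (self._cookie(src, dst, slot), self._cookie(src, dst, slot - 1)):
            return False
        return self.server.syn(src, now) and self.server.ack(src, now)


def run_scenarios():
    spoofed = [(f"10.{i // 256}.{i % 256}.7", 40000 + i) for i in range(1000)]  # never ACK
    legit, dst = ("192.0.2.10", 50000), ("203.0.113.5", 443)
    out = {}

    # 1. Unprotected server: 1000 spoofed SYNs within one second fill a 256-entry
    #    backlog; the legitimate SYN that follows is dropped until entries time out.
    srv = Backlog(capacity=256, timeout=60)
    for src in spoofed:
        srv.syn(src, now=0.0)
    out["unprotected_legit_accepted"] = srv.syn(legit, now=1.0)
    out["unprotected_after_timeout"] = srv.syn(legit, now=61.0)

    # 2. Aggregate SYN rate limit on the untrust zone (100 SYN/s, burst 100):
    #    only 100 of the flood's SYNs reach the server, so room remains.
    srv = Backlog(capacity=256, timeout=60)
    limiter = TokenBucket(rate=100, burst=100)
    out["ratelimited_flood_passed"] = sum(
        limiter.allow("zone:untrust", 0.0) and srv.syn(src, 0.0) for src in spoofed)
    out["ratelimited_legit_accepted"] = limiter.allow("zone:untrust", 1.0) and srv.syn(legit, 1.0)

    # 3. SYN cookie proxy in front of the server: the flood creates no state at all,
    #    the legitimate client (which really receives the SYN-ACK) gets through, and
    #    an ACK with a guessed cookie is rejected.
    srv = Backlog(capacity=256, timeout=60)
    proxy = SynCookieProxy(b"rotate-me-regularly", srv)
    for src in spoofed:
        proxy.syn(src, dst, now=0.0)
    out["proxied_half_open_during_flood"] = len(srv.half_open)
    isn = proxy.syn(legit, dst, now=1.0)
    out["proxied_legit_established"] = proxy.ack(legit, dst, isn + 1, now=1.2)
    out["proxied_forged_ack_rejected"] = not proxy.ack(spoofed[0], dst, 12345, now=1.2)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenario 2 shows the limitation the text implies for rate limiting: it protects the server, but it also throttles everyone in the zone while the flood lasts. Scenario 3 shows why the proxy needs a symmetric path: the cookie check only works if the firewall both sends the SYN-ACK and sees the returning ACK.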
