SYN flood attacks
This section describes:
• What is a SYN flood attack?
• How SYN floods work
• The FortiGate IPS response to SYN flood attacks
• Configuring SYN flood protection
• Suggested settings for different network conditions
What is a SYN flood attack?
A SYN flood is a type of Denial of Service (DoS) attack. DoS is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, for example, a web server. Using SYN floods, an attacker attempts to disable an Internet service by flooding a server with TCP/IP connection requests that consume all the available slots in the server’s TCP connection table. When the connection table is full, no new connections can be established, and the website on the server becomes inaccessible.
This section provides information about SYN flood attacks and the FortiGate IPS methods of preventing such attacks.
How SYN floods work
SYN floods work by exploiting the structure of the TCP/IP protocol. An attacker floods a server with connection attempts but never acknowledges the server’s replies to open the TCP/IP connection.
The TCP/IP protocol uses a
Figure 15: Establishing a TCP/IP connection
1. The originator of the connection sends a SYN packet (a packet with the SYN flag set in the TCP header) to initiate the connection.
2. The receiver sends a SYN/ACK packet (a packet with the SYN and ACK flags set in the TCP header) back to the originator to acknowledge the connection attempt.
3. The originator then sends an ACK packet (a packet with the ACK flag set in the TCP header) back to the receiver to open the connection.
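The three handshake steps above can be modelled as a half-open connection tracker, which is how a defender (or an IPS) notices a SYN flood: connections that never reach step 3 pile up against one server. This is an added Python example, not code from the FortiGate guide; the packet tuples, the addresses and the threshold value are constructed sample data.

```python
from collections import defaultdict

SYN, SYN_ACK, ACK = "SYN", "SYN/ACK", "ACK"


def track_handshakes(packets, threshold):
    """Walk packets in order and return (flagged_servers, pending).

    Each packet is a constructed (src, dst, flags) tuple. A server's
    half-open set mirrors a simplified TCP connection table: a slot is
    reserved at step 1 (SYN) and released only at step 3 (ACK). A server
    is flagged once its half-open count reaches `threshold`.
    """
    half_open = defaultdict(set)   # server -> clients awaiting final ACK
    flagged = set()
    for src, dst, flags in packets:
        if flags == SYN:
            half_open[dst].add(src)          # step 1: slot reserved
            if len(half_open[dst]) >= threshold:
                flagged.add(dst)             # too many stalled handshakes
        elif flags == ACK:
            half_open[dst].discard(src)      # step 3: handshake complete
        # step 2 (SYN/ACK from the server) changes no state: slot stays held
    pending = {srv: len(clients) for srv, clients in half_open.items() if clients}
    return flagged, pending


def legit_handshake(client, server):
    """Constructed sample: a client that completes all three steps."""
    return [(client, server, SYN), (server, client, SYN_ACK), (client, server, ACK)]


def syn_only(client, server):
    """Constructed sample: a source that never sends the final ACK."""
    return [(client, server, SYN), (server, client, SYN_ACK)]


SERVER = "192.0.2.10"   # constructed address from the documentation range


def normal_traffic():
    pkts = []
    for i in range(5):
        pkts += legit_handshake(f"198.51.100.{i}", SERVER)
    return pkts


def flood_traffic():
    pkts = normal_traffic()
    for i in range(1, 21):
        pkts += syn_only(f"203.0.113.{i}", SERVER)   # handshakes stall at step 2
    return pkts


if __name__ == "__main__":
    print(track_handshakes(normal_traffic(), 10))   # (set(), {})
    print(track_handshakes(flood_traffic(), 10))    # ({'192.0.2.10'}, {'192.0.2.10': 20})
```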
FortiGate IPS User Guide Version 3.0 MR7 | 51