Fortinet FortiGate IPS Fail Open Mechanisms and SYN Flood Protection Against SYN Flood Attacks
Page 52

The FortiGate IPS Response to SYN flood attacks

SYN flood attacks

After the handshaking process is complete the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and the web server.

Between steps 2 and 3 however, the web server keeps a record of any incomplete connections until it receives the ACK packet. A SYN flood attacker sends many SYN packets but never replies with the final ACK packet.

Since most systems have only a limited amount of space for TCP/IP connection records, a flood of incomplete connections will quickly block legitimate users from accessing the server. Most TCP/IP implementations use a fairly long timeout before incomplete connections are cleared from the connection table and traffic caused by a SYN flood is much higher than normal network traffic.

The FortiGate IPS Response to SYN flood attacks

The FortiGate unit uses a defense method that combines the SYN Threshold and

SYN Proxy methods to prevent SYN flood attacks.

What is SYN threshold?

An IPS device establishes a limit on the number of incomplete TCP connections, and discards SYN packets if the number of incomplete connections reaches the limit.

What is SYN proxy?

An IPS proxy device synthesizes and sends the SYN/ACK packet back to the originator, and waits for the final ACK packet. After the proxy device receives the ACK packet from the originator, the IPS device then "replays" the three-step sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the receiver.

How IPS works to prevent SYN floods

The FortiGate IPS uses a pseudo SYN proxy to prevent SYN flood attack. The pseudo SYN proxy is an incomplete SYN proxy that reduces resource usage and provides better performance than a full SYN proxy approach.

The IPS allows users to set a limit or threshold on the number of incomplete TCP connections. The threshold can be set either from the CLI or the web-based manager.

When the IPS detects that the total number of incomplete TCP connections to a particular target exceeds the threshold, the pseudo SYN proxy is triggered to operate for all subsequent TCP connections. The pseudo SYN proxy will determine whether a new TCP connection is a legitimate request or another SYN flood attack based on a “best-effect” algorithm. If a subsequent connection attempt is detected to be a normal TCP connection, the IPS will allow a TCP connection from the source to the target. If a subsequent TCP connection is detected to be a new incomplete TCP connection request, one of the following actions will be taken: Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session, depending upon the user configuration for SYN Flood anomaly in the IPS.

 

FortiGate IPS User Guide Version 3.0 MR7

52

01-30007-0080-20080916

Page 51 Page 53
Image 52
Page 51 Page 53
Contents E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacksIntroduction FortiGate IPSAbout this document Fortinet documentationDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable endSetting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterUsing IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Settings EnableColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax patternCustom signature fields Creating custom signaturesShows the valid characters for custom signature fields Custom signature syntax AttackidName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context hostPcre Regex/mdelimRegexdelimismxAEGRU Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12Icmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortAlldefault AlldefaultpassIPS sensors Viewing the IPS sensor listConfiguring IPS sensors Adding an IPS sensorProtectclient ProtectemailserverIPS sensor attributes IPS sensor filtersConfiguring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OKAnomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan UdpsrcsessionUnderstanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support
Top Page Image Contents