116 ServerIron ADX Security Guide
53-1002440-03
Configuring Syn-Proxy
5
ServerIronADX(config)#ip tcp syn-proxy reset-using-client-mac
Syntax: [no] ip tcp syn-proxy reset-using-client-mac
This command is useful only when the client cannot be reached through the ServerIron ADX default
gateway and the default gateway of the server is different from the default gateway of the
ServerIron ADX. In that topology a TCP RESET sent toward the ServerIron ADX default gateway would
not reach the client, so with this command the ServerIron ADX addresses the reset to the MAC
address from which the client's packets arrived instead.
Retransmitting TCP SYNs
When Syn-Proxy is enabled, the ServerIron ADX completes the TCP three-way handshake with a
connecting client before it forwards any packets between the client and the destination server.
Only packets that belong to an established client connection are forwarded to the server, so the
half-open connections created by a SYN flood are terminated on the ServerIron ADX and never reach
the server.
After completing the three-way handshake with the client, the ServerIron ADX sends a SYN to the
destination server to establish the server side of the connection. Previously, if the ServerIron
ADX did not receive the server's SYN-ACK (the server's acknowledgment of the SYN) within 8 seconds,
it sent a TCP RESET to the client.
The ServerIron ADX now retransmits the SYN at 3-second intervals. If the server's SYN-ACK has not
arrived three seconds after the SYN was sent, the ServerIron ADX retransmits the SYN; if the SYN
is still unacknowledged three seconds later, the ServerIron ADX retransmits it again. If the
server has not acknowledged the SYN after three retransmission attempts (about 12 seconds after
the first SYN to the server), the ServerIron ADX sends a TCP RESET to the client to abort the
connection.
Retransmitting the SYN in this way gives the server a chance to respond when the initial SYNs
from the ServerIron ADX are lost, instead of resetting a client connection whose handshake has
already completed. The ServerIron ADX can retransmit SYNs for up to 65,536 pending connections
concurrently.
This functionality is enabled by default when you enable syn-proxy. No CLI configuration is
necessary. The output of show tcp-attack displays information about SYN retransmissions.
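The retransmission schedule above is easiest to check against a packet capture as a timeline. The following Python model is an added example, not Brocade code: it takes the 3-second interval and three retransmissions from the guide, and assumes (the guide does not say) that the final reset follows the last unanswered SYN by the same 3-second interval, that SYN loss can be described per attempt, and that a delivered SYN is answered after a fixed server round-trip time.

```python
"""Timeline model of the ServerIron ADX server-side SYN retransmission.

Added example, not Brocade code. From the guide: 3-second retransmission
interval, three retransmissions after the initial SYN. Assumptions (not in
the guide): the reset fires one interval after the last retransmission,
SYN loss is modelled per attempt, and a delivered SYN is answered after a
fixed round-trip time.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

RETRANSMIT_INTERVAL = 3.0  # seconds between SYN attempts (guide)
MAX_RETRANSMITS = 3        # retransmissions after the initial SYN (guide)
# Assumption: the RST to the client follows the last retransmission by one interval.
RESET_AT = (MAX_RETRANSMITS + 1) * RETRANSMIT_INTERVAL  # 12.0 seconds


@dataclass
class Outcome:
    result: str      # "established" or "reset"
    time: float      # seconds after the first SYN to the server
    syns_sent: int   # SYNs the ADX sent to the server
    timeline: List[Tuple[float, str]] = field(default_factory=list)


def server_side_handshake(lost_attempts=(), server_rtt=0.05) -> Outcome:
    """Simulate the ADX -> server leg after the client handshake is complete.

    lost_attempts: 0-based indices of SYN attempts that never reach the server
                   (0 is the initial SYN, 1..3 are the retransmissions)
    server_rtt:    delay from a delivered SYN to its SYN-ACK arriving at the ADX
    """
    timeline: List[Tuple[float, str]] = []
    first_reply = None
    syns_sent = 0
    for attempt in range(MAX_RETRANSMITS + 1):
        sent_at = attempt * RETRANSMIT_INTERVAL
        # Once a SYN-ACK has arrived there is nothing left to retransmit.
        if first_reply is not None and first_reply <= sent_at:
            break
        syns_sent += 1
        label = "SYN -> server" if attempt == 0 else f"SYN -> server (retransmit {attempt})"
        timeline.append((sent_at, label))
        if attempt in lost_attempts:
            timeline.append((sent_at, "  (SYN lost in transit)"))
            continue
        reply_at = sent_at + server_rtt
        if first_reply is None or reply_at < first_reply:
            first_reply = reply_at
    if first_reply is not None and first_reply < RESET_AT:
        timeline.append((first_reply, "SYN-ACK <- server; connection established"))
        timeline.sort(key=lambda event: event[0])  # stable: keeps SYN/lost order
        return Outcome("established", first_reply, syns_sent, timeline)
    timeline.append((RESET_AT, "RST -> client (server never answered)"))
    return Outcome("reset", RESET_AT, syns_sent, timeline)


if __name__ == "__main__":
    # Constructed scenario: the first SYN is lost, the retransmission gets through.
    for t, event in server_side_handshake(lost_attempts=(0,)).timeline:
        print(f"t={t:5.2f}s  {event}")
```

With the first SYN lost the connection is established at about 3.05 s after two SYNs, which is the case the guide describes: the client, whose handshake is already complete, is not reset. A server that answers in 5 s sees one unnecessary retransmission but the late SYN-ACK is still accepted; a server that never answers, or answers only after 12 s, causes the RST to the client.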
Setting the time range for a valid ACK packet
This feature sets a timer factor that determines how long after the ServerIron ADX sends its
SYN-ACK a client's ACK is still accepted as valid. It is configured with the following command.
ServerIronADX(config)# ip tcp syn-proxy ack-validate-multiplier 3
Syntax: [no] ip tcp syn-proxy ack-validate-multiplier <timer factor>
The <timer factor> variable is used in the following equation to determine the length of one
validation window:
window = (timer factor + 1) * 8 seconds
Example where the timer factor is set to 3:
window = (3 + 1) * 8 = 32 seconds
The ServerIron ADX checks the ACK packet against HASH data from two windows (the current window
and the previous one), so the maximum time an ACK is accepted is twice the window, 64 seconds in
this example. With a timer factor of 3, the HASH value changes every 32 seconds.
As a result, the valid ACK range = (timer factor + 1) * 8 seconds * 2.
Because the HASH changes on a fixed schedule rather than per connection, the time an individual
ACK remains valid depends on where in the current window its SYN-ACK was sent: at least one
window (32 seconds here) and at most two (64 seconds). A larger timer factor tolerates slower
clients but also keeps an observed ACK value acceptable for longer.
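To see how the two-window check turns the formula into an acceptance range, the following Python model is an added example and not Brocade code. The guide gives only the formula (timer factor + 1) * 8 seconds and the fact that two windows of HASH data are checked; the per-window secret derived from a master key with HMAC-SHA256, the connection 4-tuple as hash input and the 32-bit cookie carried in the SYN-ACK sequence number are assumptions standing in for the undocumented ServerIron ADX HASH.

```python
"""Model of the ack-validate-multiplier acceptance window.

Added example, not Brocade code. From the guide: one window is
(timer factor + 1) * 8 seconds and ACKs are checked against two windows.
Assumptions (not in the guide): HMAC-SHA256 per-window secret, 4-tuple
hash input, 32-bit cookie.
"""
import hashlib
import hmac
import struct

BASE_WINDOW_SECONDS = 8  # constant in the guide's formula


def window_seconds(timer_factor: int) -> int:
    """Length of one validation window: (timer factor + 1) * 8 seconds."""
    return (timer_factor + 1) * BASE_WINDOW_SECONDS


def acceptance_bounds(timer_factor: int):
    """Shortest and longest time an ACK can remain valid: one and two windows."""
    window = window_seconds(timer_factor)
    return window, 2 * window


def window_index(now: float, timer_factor: int) -> int:
    """Which validation window the time 'now' (seconds) falls in."""
    return int(now // window_seconds(timer_factor))


def window_secret(master_key: bytes, idx: int) -> bytes:
    # Assumption: per-window secret derived from a master key and the window index.
    return hmac.new(master_key, struct.pack(">Q", idx), hashlib.sha256).digest()


def cookie(secret: bytes, four_tuple) -> int:
    """32-bit value the proxy would embed in its SYN-ACK sequence number."""
    src, sport, dst, dport = four_tuple
    msg = f"{src}:{sport}->{dst}:{dport}".encode()
    return struct.unpack(">I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def issue_syn_ack_cookie(master_key: bytes, timer_factor: int, now: float, four_tuple) -> int:
    """Cookie computed with the secret of the window in which the SYN-ACK is sent."""
    return cookie(window_secret(master_key, window_index(now, timer_factor)), four_tuple)


def ack_is_valid(master_key: bytes, timer_factor: int, now: float, four_tuple, ack_cookie: int) -> bool:
    """Accept the ACK if its cookie matches the current or the previous window's secret."""
    idx = window_index(now, timer_factor)
    for candidate in (idx, idx - 1):
        if candidate < 0:
            continue
        if cookie(window_secret(master_key, candidate), four_tuple) == ack_cookie:
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a demo key and a documentation-range 4-tuple.
    key = b"example-master-key"
    flow = ("192.0.2.10", 51234, "198.51.100.5", 443)
    print("window/max:", acceptance_bounds(3))               # (32, 64)
    c = issue_syn_ack_cookie(key, 3, now=100.0, four_tuple=flow)
    for t in (140.0, 159.9, 160.0):
        print(f"ACK at t={t}: valid={ack_is_valid(key, 3, t, flow, c)}")
```

A SYN-ACK cookie issued at t=100 s (4 s into the window 96..128) stays valid until the window after that one ends at t=160 s, so an ACK at 159.9 s is accepted and one at 160.0 s is rejected, even though both are under the 64-second maximum. A cookie issued at t=127 s, right before the HASH rotates, is good for only about 33 s. The guaranteed lifetime is therefore one window and the ceiling two windows, which is what the formula's factor of 2 expresses.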