Fortinet 354 FortiWeb 5.0 Patch 6 Administration Guide
5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on page 355)
that is used by a protection profile.
Attack log messages contain “DoS Attack: TCP Flood Prevention Violation” when
this feature detects a TCP connection flood. See also “Log rate limits” on page 544.
Example: TCP flood prevention
Assume you set 10 as the limit. A client opens 15 TCP connections. Each connection has a
different source port. The FortiWeb appliance counts all connections as part of the same source
IP and blocks the connections because they exceed the limit.
See also
Limiting TCP connections per IP address by session cookie
Preventing a TCP SYN flood
Preventing a TCP SYN flood
You can configure protection from TCP SYN flood-style denial of service (DoS) attacks.
TCP SYN floods attempt to exploit the state mechanism of TCP. At the point where a client has
only sent a SYN signal, a connection has been initiated and therefore consumes server memory
to remember the state of the half-open connection. However, the connection has not yet been
fully formed, and therefore packets are not required to contain any actual application layer
payload such as HTTP yet. Because of this, a SYN flood cannot be blocked by application-layer scans, nor
can it be blocked by scans that only count fully-formed socket connections (where the client’s
SYN has been replied to by a SYN ACK from the server, and the client has confirmed connection
establishment with an ACK).
Normally, a legitimate client will quickly complete the connection build-up and tear-down.
However, an attacker will initiate many connections without completing them, until the server is
exhausted and has no memory left to track the TCP connection state for legitimate clients.
To prevent this, FortiWeb can use a “SYN cookie” — a small piece of memory that keeps a
timeout for half-open connections. This prevents half-open connections from accumulating to
the point of socket exhaustion.
This feature is similar to DoS Protection > Network > TCP Flood Prevention. However, this
feature counts partially-formed TCP connections, while TCP Flood Prevention counts
fully-formed TCP connections.
When the operation mode is true transparent proxy, instead of configuring this setting, use the
Syn Cookie and Half Open Threshold options in each server policy.
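The difference between the two counters described above, as an added example that is not FortiWeb's implementation or code from this guide: it counts half-open and fully-formed connections per source IP over constructed handshake events. The half-open threshold of 20, the 5-second timeout, the function names and the addresses are assumptions; the limit of 10 and the 15 connections come from the TCP flood prevention example.

```python
from collections import defaultdict

def sample_events():
    """Constructed events: (time_s, src_ip, src_port, flag). ACK = client's final handshake ACK."""
    events = []
    for i in range(30):   # 203.0.113.5 sends 30 SYNs and never completes a handshake
        events.append((0.1 * i, "203.0.113.5", 40000 + i, "SYN"))
    for i in range(15):   # 198.51.100.7 fully opens 15 connections, one per source port
        events.append((0.2 * i, "198.51.100.7", 50000 + i, "SYN"))
        events.append((0.2 * i + 0.05, "198.51.100.7", 50000 + i, "ACK"))
    return sorted(events)

def count_per_ip(events, now, half_open_timeout):
    """Return {src_ip: {"half_open": n, "established": n}} as of time `now`."""
    pending = {}          # (ip, port) -> time the SYN was seen
    established = set()   # (ip, port) pairs whose handshake completed
    for ts, ip, port, flag in events:
        if ts > now:
            break
        key = (ip, port)
        if flag == "SYN":
            pending[key] = ts
        elif flag == "ACK" and key in pending:
            # A handshake completed after the timeout is not honoured.
            if ts - pending.pop(key) <= half_open_timeout:
                established.add(key)
    counts = defaultdict(lambda: {"half_open": 0, "established": 0})
    for (ip, _port), ts in pending.items():
        if now - ts <= half_open_timeout:   # timed-out half-open entries stop counting
            counts[ip]["half_open"] += 1
    for ip, _port in established:           # source port is ignored: counts are per IP
        counts[ip]["established"] += 1
    return dict(counts)

def violations(counts, tcp_limit, half_open_threshold):
    """Map each source IP to the limits it exceeds."""
    result = {}
    for ip, c in counts.items():
        hits = []
        if c["established"] > tcp_limit:
            hits.append("tcp_flood")
        if c["half_open"] > half_open_threshold:
            hits.append("syn_flood")
        if hits:
            result[ip] = hits
    return result
```
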