Fortinet FortiGate IPS Fail Open Mechanisms and SYN Flood Protection Against SYN Flood Attacks

After the handshaking process is complete the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and the web server.

Between steps 2 and 3 however, the web server keeps a record of any incomplete connections until it receives the ACK packet. A SYN flood attacker sends many SYN packets but never replies with the final ACK packet.

Since most systems have only a limited amount of space for TCP/IP connection records, a flood of incomplete connections will quickly block legitimate users from accessing the server. Most TCP/IP implementations use a fairly long timeout before incomplete connections are cleared from the connection table and traffic caused by a SYN flood is much higher than normal network traffic.

The FortiGate IPS Response to SYN flood attacks

The FortiGate unit uses a defense method that combines the SYN Threshold and

SYN Proxy methods to prevent SYN flood attacks.

What is SYN threshold?

An IPS device establishes a limit on the number of incomplete TCP connections, and discards SYN packets if the number of incomplete connections reaches the limit.

What is SYN proxy?

An IPS proxy device synthesizes and sends the SYN/ACK packet back to the originator, and waits for the final ACK packet. After the proxy device receives the ACK packet from the originator, the IPS device then "replays" the three-step sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the receiver.

How IPS works to prevent SYN floods

The FortiGate IPS uses a pseudo SYN proxy to prevent SYN flood attack. The pseudo SYN proxy is an incomplete SYN proxy that reduces resource usage and provides better performance than a full SYN proxy approach.

The IPS allows users to set a limit or threshold on the number of incomplete TCP connections. The threshold can be set either from the CLI or the web-based manager.

When the IPS detects that the total number of incomplete TCP connections to a particular target exceeds the threshold, the pseudo SYN proxy is triggered to operate for all subsequent TCP connections. The pseudo SYN proxy will determine whether a new TCP connection is a legitimate request or another SYN flood attack based on a “best-effect” algorithm. If a subsequent connection attempt is detected to be a normal TCP connection, the IPS will allow a TCP connection from the source to the target. If a subsequent TCP connection is detected to be a new incomplete TCP connection request, one of the following actions will be taken: Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, Clear Session, depending upon the user configuration for SYN Flood anomaly in the IPS.