SonicWALL TZ 190 Working with SYN/RST/FIN Flood Protection

Firewall > TCP Settings

439

SonicOS Enhanced 4.0 Administrator Guide

The TCP Settings section allows you to:

• Enable TCP Stateful Inspection – Enabling TCP stateful inspection requires that all TCP

connections rigidly adhere to the following TCP setup requirements:

–

TCP session establishment involves a three-way handshake between two hosts and

consists of the following:

• Initiator --> SYN --> Responder

• Initiator <-- SYN/ACK <-- Responder

• Initiator --> ACK --> Responder

• (Session established)

After the initial SYN, it is permissible for a Client to send a RST or a SYN, or for the Server

to send a SYN-ACK or a RST. Any other kind of TCP flags are generally considered invalid,

or potentially malicious. The 'Enable TCP Stateful Inspection' option enforces these

guidelines, and drops any traffic that violates them.

Note Some legitimate TCP/IP stack implementations do not abide by these rules, and require that

'Enable TCP Stateful Inspection' be disabled. For the sake of compatibility with these

implementations, the 'Enable TCP Stateful Inspection' option is disabled by default, but can

be enabled to heighten security, or if there is no concern of potential incompatibilities.

• Enable TCP Checksum Validation – If an invalid TCP checksum is calculated, the packet

will be dropped.

• Default TCP Connection Timeout – The default time assigned to Access Rules for TCP

traffic. If a TCP session is active for a period in excess of this setting, the TCP connection

will be cleared by the SonicWALL. The default value is 5 minutes, the minimum value is 1

minute, and the maximum value is 999 minutes. Note: Setting excessively long connection

time-outs will slow the reclamation of stale resources, and in extreme cases could lead to

exhaustion of the connection cache.

• Maximum Segment Lifetime (seconds) – Determines the number of seconds that any

TCP packet is valid before it expires. This setting is also used to determine the amount of

time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed

TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK

exchange has occurred to cleanly close the TCP connection.

–

Default value: 8 seconds

–

Minimum value: 1 second

–

Maximum value: 60 seconds

Working with SYN/RST/FIN Flood Protection

SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of

Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available

resources by creating one of the following attack mechanisms:

• Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP

addresses.

• Creating excessive numbers of half-opened TCP connections.