Firewall > TCP Settings
442
SonicOS Enhanced 4.0 Administrator Guide
Each contains various types of SYN Flood Protection. The following sections describe these
features.
Working with SYN Flood Protection Modes
A SYN Flood Protection mode is the level of protection that you can select to defend against
half-opened TCP sessions and high-frequency SYN packet transmissions. This feature enables
you to set three different levels of SYN Flood Protection:
Watch and Report Possible SYN Floods – This option enables the device to monitor SYN
traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a
packet count threshold. The feature does not turn on the SYN Proxy on the device so the device
forwards the TCP three-way handshake without modification. This is the least invasive level of
SYN Flood protection. Select this option if your network is not in a high risk environment.
Proxy WAN Client Connections When Attack is Suspected – This option enables the device
to enable the SYN Proxy feature on WAN interfaces when the number of incomplete connection
attempts per second surpasses a specified threshold. This method ensures the device
continues to process valid traffic during the attack and that performance does not degrade.
Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device
blacklists all of them using the SYN Blacklisting feature. This is the intermediate level of SYN
Flood protection. Select this option if your network experiences SYN Flood attacks from internal
or external sources.
Always Proxy WAN Client Connections – This option sets the device to always use SYN
Proxy. This method blocks all spoofed SYN packets from passing through the device. Note that
this is an extreme security measure and directs the device to respond to port scans on all TCP
ports because the SYN Proxy feature forces the device to respond to all TCP SYN connection
attempts. This can degrade performance and can generate a false positive. Select this option
only if your network is in a high risk environment.

Working with SYN Attack Threshold

The SYN Attack Threshold region of the SYN Flood Protection region, provides limits for SYN
Flood activity before the device drops packets. The device gathers statistics on WAN TCP
connections, keeping track of the maximum and average maximum and incomplete WAN
connections per second. Out of these statistics, the device suggests a value for the SYN flood
threshold.
Note the two options in the section:
Use the 300 Value Calculated from Gathered Statistics – Sets the threshold for the number
of incomplete connection attempts per second before the device drops packets at the default
value of 300.
Attack Threshold (Incomplete Connection Attempts/Second) – Enables you to set the
threshold for the number of incomplete connection attempts per second before the device drops
packets at any value between 5 and 999,999.
Working with SYN Proxy Options
When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet
with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the
connection request to the server. Devices attacking with SYN Flood packets do not respond to
the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks
their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK
response without knowing how the server will respond to the TCP options normally provided on
SYN/ACK packets.