Important changes in IPS "SYN Attack" (SYN Defender) protection
Solution

Scope of article

This article pertains to the configuration of the "SYN Attack" (also known as "SYN Defender" or "synatk") Inspection Setting for Security Gateways R80.20 and higher.

Purpose of the "SYN Attack" protection

The "SYN Attack" protection mitigates SYN Flood attacks.

SmartConsole Settings

  1. In the left navigation panel, click on Security Policies.
  2. In the Shared Policies section, click on Inspection Settings.
  3. Search for SYN Attack.
  4. Double-click the SYN Attack protection.
  5. Edit the applicable profile.
  6. Configure the applicable settings in the profile and click OK.
  7. Install the Access Control policy.

Explanations

  • On the General Properties page of the "SYN Attack" protection, the Track and Capture Packets settings have no effect on Security Gateways R80.20 and higher. Logging or capturing packets during a DDoS attack would just exacerbate the attack.

  • On the Advanced page of the "SYN Attack" protection, none of the settings in the Settings for R80.10 Gateways and Below section apply to Security Gateways R80.20 and higher.

    The only logs the "SYN Attack" protection generates are for configuration changes, and when a SYN flood attack starts and stops.

Configuring the 'SYN Attack' protection

SmartConsole offers only limited configuration settings for the "SYN Attack" protection. Most options can only be set directly on the Security Gateway with the 'fwaccel synatk' and 'fwaccel6 synatk' commands (see the Performance Tuning Administration Guide for your version - Chapter SecureXL - Section Accelerated SYN Defender).

Before you enable the "SYN Attack" protection for the first time, review its documentation thoroughly. If not configured correctly, the feature can significantly impact your network. Configure it so that the "SYN Attack" protection only becomes active when you are truly under a SYN Flood attack. Keeping the "SYN Attack" protection disabled unless you are under attack is probably prudent.

The default thresholds for the "SYN Attack" protection may not work well in your environment. These can only be configured directly on the Security Gateway; if you have multiple Security Gateways, you may need different thresholds on each Security Gateway. However, cluster members of the same cluster should have the same settings.

There is a difference in terminology for the "SYN Attack" protection between SmartConsole and the Security Gateway:

SmartConsole "Action"    Security Gateway Behavior
---------------------    -------------------------
Accept                   Monitor
Drop                     Enforce
Inactive                 Disabled

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
