'dst cache overflow' messages under a SYN Flood when 'SYN Attack' IPS protection is enabled
Symptoms
  • 'dst cache overflow' messages in the /var/log/messages file, in the output of the 'dmesg' command and on the console under a SYN Flood when the 'SYN Attack' IPS protection is enabled.

  • 'BUG: soft lockup - CPU#N stuck for 10s!' messages in the /var/log/messages file, in the output of the 'dmesg' command and on the console under a SYN Flood when the 'SYN Attack' IPS protection is enabled.
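As an added example (not part of the Check Point article), the following POSIX shell check looks for the two messages above in a copy of the log file, so an operator can tell quickly whether a gateway is showing this symptom before touching the IPS configuration. The sample log lines inside it are constructed, the log format is assumed to be the usual syslog layout, and the soft-lockup pattern assumes that only the CPU number varies.

```shell
#!/bin/sh
# Added example, not from the Check Point article: count the two kernel
# messages the Symptoms section lists in a (copy of the) /var/log/messages file.
# Usage: check_syn_flood_symptoms /var/log/messages
# Exit status 0 = neither message present, 1 = at least one present.

# Lines carrying the 'dst cache overflow' kernel message.
# '|| true' keeps the count printable when grep finds nothing (grep -c exits 1).
count_dst_cache_overflow() {
    grep -c 'dst cache overflow' "$1" || true
}

# Lines carrying 'BUG: soft lockup - CPU#N stuck for 10s!' (N assumed numeric).
count_soft_lockup() {
    grep -c 'BUG: soft lockup - CPU#[0-9]* stuck for' "$1" || true
}

check_syn_flood_symptoms() {
    log="$1"
    overflow=$(count_dst_cache_overflow "$log")
    lockup=$(count_soft_lockup "$log")
    echo "dst cache overflow messages: $overflow"
    echo "soft lockup messages:        $lockup"
    if [ "$overflow" -gt 0 ] || [ "$lockup" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Constructed sample log (not real gateway output) so the script runs stand-alone.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 10:00:01 gw kernel: dst cache overflow
Jan  1 10:00:01 gw kernel: dst cache overflow
Jan  1 10:00:05 gw kernel: BUG: soft lockup - CPU#2 stuck for 10s!
Jan  1 10:00:06 gw sshd[1234]: Accepted password for admin
EOF

check_syn_flood_symptoms "$SAMPLE_LOG" || echo "symptoms present: see the Cause and Solution sections"
rm -f "$SAMPLE_LOG"
```

The two counts are printed separately because the soft-lockup message is the more serious of the two: it means a CPU spent ten seconds inside the kernel, which is consistent with the extra routing work described under Cause.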
Cause

By default, the 'SYN Attack' IPS Protection, when running in 'SYN Cookie mode', uses the Linux routing code to send SYN ACK packets back to the sender. This creates additional load on the Security Gateway.


Solution

A new global kernel parameter 'asm_synatk_dont_route' was added to control the Security Gateway's behavior.

This new global kernel parameter is integrated since:

Check Point recommends always upgrading to the most recent version.

For R70.50 / R71.50 / R75.40 versions, Check Point offers a hotfix.

 


 

Table of Contents:

  • Hotfix availability
  • Instruction
  • Explanation
  • Hotfix installation for R70.50 on SecurePlatform
  • Hotfix installation for R71.50 on SecurePlatform
  • Hotfix installation for R75.40 on SecurePlatform / Gaia
  • Related solutions

 

Hotfix availability

  1. R70.50 / R71.50 / R75.40 running on SecurePlatform / Gaia OS.

  2. Other versions must be upgraded to one of the above versions (in order to get the most stable, secure and robust system).

 

Instruction

To resolve this issue, follow these steps:

  1. In order to benefit from the global kernel parameter 'asm_synatk_dont_route', Check Point IPS protection 'SYN Attack' must be active only in 'SYN Cookie Mode'.

  2. Enable the kernel parameter on-the-fly:

    [Expert@HostName]# fw ctl set int asm_synatk_dont_route 1

    Note: Starting in R75.46, R75.47 and R76, the default value of the 'asm_synatk_dont_route' parameter is already 1 (one). Refer to sk88146.

  3. Enable the kernel parameter permanently per sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

    Note: Starting in R75.46, R75.47 and R76, the default value of the 'asm_synatk_dont_route' parameter is already 1 (one). Refer to sk88146.
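Steps 2 and 3 above (and step 6 of the hotfix procedures further down) carried out from an Expert shell in an idempotent way, as an added example that is not from the article or from Check Point. It assumes that 'fw ctl get int <name>' prints a line of the form "<name> = <value>", and that the persistent file described in sk26202 is $FWDIR/boot/modules/fwkern.conf holding one "<name>=<value>" line per parameter; both are assumptions to verify on your gateway. Run with no arguments it only exercises the file handling on a constructed scratch file; run with --apply on the gateway, after confirming that 'SYN Attack' is in 'SYN Cookie mode', it changes the running value and the file.

```shell
#!/bin/sh
# Added example, not from the Check Point article: set 'asm_synatk_dont_route'
# on the fly (step 2) and persist it (step 3) without duplicating conf lines.
# Assumptions to verify on your gateway:
#   - 'fw ctl get int <name>' prints "<name> = <value>"
#   - the sk26202 persistent file is $FWDIR/boot/modules/fwkern.conf with one
#     "<name>=<value>" line per parameter

PARAM=asm_synatk_dont_route

# Extract the integer from "<name> = <value>" (assumed 'fw ctl get int' output).
parse_param_value() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*= *\([0-9][0-9]*\).*/\1/p'
}

# Print the value persisted for <name> in the conf file (empty if absent).
conf_param_value() {
    sed -n "s/^$2=//p" "$1"
}

# Write "<name>=<value>" into the conf file: replace an existing line for that
# exact name, otherwise append. The rewrite goes through a temp file and one mv.
set_conf_param() {
    conf="$1" name="$2" value="$3"
    tmp="$conf.tmp.$$"
    if [ -f "$conf" ]; then
        awk -v n="$name" -v v="$value" '
            index($0, n "=") == 1 { print n "=" v; seen = 1; next }
            { print }
            END { if (!seen) print n "=" v }
        ' "$conf" > "$tmp"
    else
        printf '%s=%s\n' "$name" "$value" > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# On the gateway: step 2 (on-the-fly) only if the running value is not 1 yet,
# then step 3 (persistent). The caller must have confirmed 'SYN Cookie mode'.
apply_dont_route() {
    conf="$1"
    running=$(parse_param_value "$(fw ctl get int "$PARAM")")
    if [ "$running" = "1" ]; then
        echo "$PARAM is already 1 in the running kernel"
    else
        fw ctl set int "$PARAM" 1
    fi
    set_conf_param "$conf" "$PARAM" 1
    echo "$conf now persists $PARAM=$(conf_param_value "$conf" "$PARAM")"
}

if [ "$1" = "--apply" ]; then
    apply_dont_route "${FWKERN_CONF:-$FWDIR/boot/modules/fwkern.conf}"
else
    # Off-gateway run: exercise the file handling on a constructed scratch file.
    demo=$(mktemp)
    printf 'some_other_param=5\n%s=0\n' "$PARAM" > "$demo"
    set_conf_param "$demo" "$PARAM" 1
    echo "scratch file after update:"
    cat "$demo"
    rm -f "$demo"
fi
```

Replacing rather than appending matters because a file that ends up with both "asm_synatk_dont_route=0" and "asm_synatk_dont_route=1" leaves the value that wins at boot up to parsing order, which is exactly the kind of ambiguity you do not want on a gateway that is already under load.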

 

Explanation

When the value of the kernel parameter 'asm_synatk_dont_route' is set to 1 (one), the 'SYN Attack' IPS Protection, when running in 'SYN Cookie mode', sends SYN ACK packets back to the sender without using the Linux routing code: each packet is sent out of the same interface, and to the same MAC address, from which the SYN arrived.

 

Hotfix installation for R70.50 on SecurePlatform

  1. In order to benefit from the global kernel parameter 'asm_synatk_dont_route', Check Point IPS protection 'SYN Attack' must be active only in 'SYN Cookie Mode'.

  2. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/").

  3. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/
    [Expert@HostName]# tar xvfz fw1_HOTFIX_FLO_SPLAT_HF_HA50_041.tgz

  4. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_HOTFIX_FLO_HF_HA50_041_730041002_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  5. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  6. Enable the special kernel parameter:

    Set the value of 'asm_synatk_dont_route' parameter to 1 (one) only if "SYN Attack" protection is working in "SYN Cookie mode" per sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

  7. Reboot the Security Gateway:

    [Expert@HostName]# reboot

 

Hotfix installation for R71.50 on SecurePlatform

  1. In order to benefit from the global kernel parameter 'asm_synatk_dont_route', Check Point IPS protection 'SYN Attack' must be active only in 'SYN Cookie Mode'.

  2. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/").

  3. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/
    [Expert@HostName]# tar xvfz fw1_HOTFIX_FLINT_SPLAT_HF_HA50_018.tgz

  4. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_HOTFIX_FLINT_HF_HA50_018_976018002_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  5. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  6. Enable the special kernel parameter:

    Set the value of 'asm_synatk_dont_route' parameter to 1 (one) only if "SYN Attack" protection is working in "SYN Cookie mode" per sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

  7. Reboot the Security Gateway:

    [Expert@HostName]# reboot

 

Hotfix installation for R75.40 on SecurePlatform / Gaia

  1. In order to benefit from the global kernel parameter 'asm_synatk_dont_route', Check Point IPS protection 'SYN Attack' must be active only in 'SYN Cookie Mode'.

  2. Download the FireWall hotfix from here to your Security Gateway into some directory (in our example, "/path_to_hotfix/").

  3. Unpack the FireWall hotfix package:

    [Expert@HostName]# cd /path_to_hotfix/
    [Expert@HostName]# tar xvfz fw1_wrapper_HOTFIX_FOXX_HF_HA40_087.tgz

  4. Install the FireWall hotfix:

    [Expert@HostName]# ./fw1_wrapper_HOTFIX_FOXX_HF_HA40_087_986087003_1

    Follow the instructions on the screen.

    Note: all Check Point services will be stopped during the installation.

  5. The installation will prompt for a reboot once it finishes. Do not reboot yet.

  6. Enable the special kernel parameter:

    Set the value of 'asm_synatk_dont_route' parameter to 1 (one) only if "SYN Attack" protection is working in "SYN Cookie mode" per sk26202 (Changing the kernel global parameters for Check Point Security Gateway).

  7. Reboot the Security Gateway:

    [Expert@HostName]# reboot

 


 

This solution is about products that are no longer supported and it will not be updated
Applies To:
  • 00906266 , 00923194 , 00915146 , 01063263 , 00912912 , 01063370 , 01066608 , 01106107 , 00918363 , 01073309
  • This fix is relevant only for SecurePlatform / Gaia OS.
