Справочник Пользователя для Fortinet IPS
FortiGate IPS User Guide Version 3.0 MR7
52
01-30007-0080-20080916
The FortiGate IPS Response to SYN flood attacks
SYN flood attacks
After the handshaking process is complete the connection is open and data
exchange can begin between the originator and the receiver, in this case the web
browser and the web server.
exchange can begin between the originator and the receiver, in this case the web
browser and the web server.
Between steps 2 and 3 however, the web server keeps a record of any incomplete
connections until it receives the ACK packet. A SYN flood attacker sends many
SYN packets but never replies with the final ACK packet.
connections until it receives the ACK packet. A SYN flood attacker sends many
SYN packets but never replies with the final ACK packet.
Since most systems have only a limited amount of space for TCP/IP connection
records, a flood of incomplete connections will quickly block legitimate users from
accessing the server. Most TCP/IP implementations use a fairly long timeout
before incomplete connections are cleared from the connection table and traffic
caused by a SYN flood is much higher than normal network traffic.
records, a flood of incomplete connections will quickly block legitimate users from
accessing the server. Most TCP/IP implementations use a fairly long timeout
before incomplete connections are cleared from the connection table and traffic
caused by a SYN flood is much higher than normal network traffic.
The FortiGate IPS Response to SYN flood attacks
The FortiGate unit uses a defense method that combines the SYN Threshold and
SYN Proxy methods to prevent SYN flood attacks.
SYN Proxy methods to prevent SYN flood attacks.
What is SYN threshold?
An IPS device establishes a limit on the number of incomplete TCP connections,
and discards SYN packets if the number of incomplete connections reaches the
limit.
and discards SYN packets if the number of incomplete connections reaches the
limit.
What is SYN proxy?
An IPS proxy device synthesizes and sends the SYN/ACK packet back to the
originator, and waits for the final ACK packet. After the proxy device receives the
ACK packet from the originator, the IPS device then "replays" the three-step
sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the
receiver.
originator, and waits for the final ACK packet. After the proxy device receives the
ACK packet from the originator, the IPS device then "replays" the three-step
sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the
receiver.
How IPS works to prevent SYN floods
The FortiGate IPS uses a pseudo SYN proxy to prevent SYN flood attack. The
pseudo SYN proxy is an incomplete SYN proxy that reduces resource usage and
provides better performance than a full SYN proxy approach.
pseudo SYN proxy is an incomplete SYN proxy that reduces resource usage and
provides better performance than a full SYN proxy approach.
The IPS allows users to set a limit or threshold on the number of incomplete TCP
connections. The threshold can be set either from the CLI or the web-based
manager.
connections. The threshold can be set either from the CLI or the web-based
manager.
When the IPS detects that the total number of incomplete TCP connections to a
particular target exceeds the threshold, the pseudo SYN proxy is triggered to
operate for all subsequent TCP connections. The pseudo SYN proxy will
determine whether a new TCP connection is a legitimate request or another SYN
flood attack based on a “best-effect” algorithm. If a subsequent connection
attempt is detected to be a normal TCP connection, the IPS will allow a TCP
connection from the source to the target. If a subsequent TCP connection is
detected to be a new incomplete TCP connection request, one of the following
actions will be taken: Drop, Reset, Reset Client, Reset Server, Drop Session,
Pass Session, Clear Session, depending upon the user configuration for SYN
Flood anomaly in the IPS.
particular target exceeds the threshold, the pseudo SYN proxy is triggered to
operate for all subsequent TCP connections. The pseudo SYN proxy will
determine whether a new TCP connection is a legitimate request or another SYN
flood attack based on a “best-effect” algorithm. If a subsequent connection
attempt is detected to be a normal TCP connection, the IPS will allow a TCP
connection from the source to the target. If a subsequent TCP connection is
detected to be a new incomplete TCP connection request, one of the following
actions will be taken: Drop, Reset, Reset Client, Reset Server, Drop Session,
Pass Session, Clear Session, depending upon the user configuration for SYN
Flood anomaly in the IPS.