Fortinet IPS User Guide

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
SYN flood attacks
This section describes:
What is a SYN flood attack?
How SYN floods work
The FortiGate IPS Response to SYN flood attacks
Configuring SYN flood protection
Suggested settings for different network conditions
What is a SYN flood attack?
A SYN flood is a type of Denial of Service (DoS) attack. DoS is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an Internet service, for example, a web server. Using SYN floods, an attacker attempts to disable an Internet service by flooding a server with TCP/IP connection requests which consume all the available slots in the server's TCP connection table. When the connection table is full, it is not possible to establish any new connections, and the web site on the server becomes inaccessible.
This section provides information about SYN flood attacks and the FortiGate IPS methods of preventing such attacks.
How SYN floods work
SYN floods work by exploiting the structure of the TCP/IP protocol. An attacker floods a server with connection attempts but never acknowledges the server's replies to open the TCP/IP connection.
The TCP/IP protocol uses a three-step process to establish a network connection.
Figure 15: Establishing a TCP/IP connection
1 The originator of the connection sends a SYN packet (a packet with the SYN flag set in the TCP header) to initiate the connection.
2 The receiver sends a SYN/ACK packet (a packet with the SYN and ACK flags set in the TCP header) back to the originator to acknowledge the connection attempt.
3 The originator then sends an ACK packet (a packet with the ACK flag set in the TCP header) back to the receiver to open the connection.
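As an added illustration of steps 1 to 3 and of the connection-table exhaustion described above (example code written for this edition, not Fortinet's or the guide's own), the following Python model tracks a server whose table of half-open connections holds a fixed number of step-2 entries until the step-3 ACK arrives or a timeout reclaims them. The backlog size, timeout, addresses and the event trace are constructed values chosen to keep the run small.

```python
"""Model of a server's TCP connection table under a SYN flood (constructed example)."""
from collections import OrderedDict

BACKLOG = 4           # half-open slots the server can hold (constructed, small on purpose)
SYN_TIMEOUT = 3.0     # seconds a half-open entry is kept before it is reclaimed (constructed)

class Server:
    """Tracks half-open (SYN received, ACK outstanding) and established connections."""
    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN/ACK was sent
        self.established = set()
        self.dropped = 0

    def _expire(self, now):
        # Step-2 entries whose step 3 never arrived are reclaimed once the timeout passes.
        for key, sent_at in list(self.half_open.items()):
            if now - sent_at > self.timeout:
                del self.half_open[key]

    def on_syn(self, key, now):
        """Step 1 from a client: reserve a slot and reply SYN/ACK, or drop when the table is full."""
        self._expire(now)
        if key in self.half_open:
            return True                  # retransmitted SYN: slot already reserved
        if len(self.half_open) >= self.backlog:
            self.dropped += 1            # no slot left: a legitimate client is refused
            return False
        self.half_open[key] = now        # step 2: SYN/ACK sent, waiting for the ACK
        return True

    def on_ack(self, key, now):
        """Step 3 from a client: completes the handshake and frees the half-open slot."""
        self._expire(now)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True

def simulate(events):
    """Replay (time, kind, src_ip, src_port) events; return (half_open, established, dropped)."""
    srv = Server()
    for t, kind, ip, port in events:
        (srv.on_syn if kind == "SYN" else srv.on_ack)((ip, port), t)
    return len(srv.half_open), len(srv.established), srv.dropped

# Constructed trace: one legitimate client completes all three steps; then a burst of SYNs
# that are never acknowledged fills the backlog, and a second legitimate client is refused.
FLOOD_TRACE = [(0.0, "SYN", "10.0.0.5", 40000), (0.1, "ACK", "10.0.0.5", 40000)]
FLOOD_TRACE += [(0.2 + i * 0.01, "SYN", "192.0.2.1", 50000 + i) for i in range(BACKLOG)]
FLOOD_TRACE += [(0.5, "SYN", "10.0.0.6", 40001)]
```

Appending a SYN at a time past the timeout to FLOOD_TRACE shows the table being reclaimed, which is why unacknowledged entries only deny service while they keep arriving faster than they expire.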