R80.20 - SYN Defender on SecureXL Level

Document created by Heiko Ankenbrand Champion on Oct 2, 2018Last modified by Heiko Ankenbrand Champion on Oct 17, 2018
Version 4Show Document
  • View in full screen mode
I think the new feature "Accelerated SYN Defender" is a good choice to effectively prevent "SYN Flood Attack" on Check Point Gateways with enabled SecureXL.


A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections that causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.


You can find more in the manual under:

  • fwaccel synatk
  • fwaccel6 synatk




8 people found this helpful