minhhaivietnam
Collaborator

Checkpoint FW R81 don't block SYN FLOOD

Hi expert,

I made a simple DoS test: flooding about 5000 SYN packets from one source to a firewall running R81 (with SYN Attack and IPS enabled).

But the firewall didn't block these connections; it still accepts them.

SYN Attack is activated:

[screenshot: sync1.png]

But the fw still accepts all connections:

[screenshot: log1.png]

Please help, I want the fw to block the SYN flood.

Thanks all!!

Accepted Solutions
_Val_
Admin

Check that you have activated the SynAttack feature properly, including the thresholds and delay. Read through sk120476, the relevant portion of sk112241, and the notes from the SecureXL ATRG on the matter.

Also note that with the default settings, SynAttack has a 5 second delay for activation.

Instead of traffic logs, check your IPS logs for SynAttack triggers.


minhhaivietnam
Collaborator

Thanks admin,

Finally, I used this command "fwaccel dos rate add concurrent-conns 100 destination cidr:192.168.199.10 service any" and then it blocks as expected.

[screenshot: IMG_1022.png]

Also I needed to change the DoS simulation:

from: 5000 packets with the same source port

to: 5000 packets with random source ports


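The follow-up above reports two things: a per-destination concurrent-connection quota made the flood visible, and the simulation had to be changed from one source port to many. The model below (an added example, not Check Point's fwaccel code or anything from the thread) shows why those two observations belong together. It assumes, as a simplification, that a quota counts distinct 5-tuples toward the destination and treats a repeated SYN with an identical 5-tuple as a retransmission of one connection; the "/32" prefix, the source address 10.0.0.5 and the port ranges are constructed sample data, and sequential ports stand in for random ones.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One SYN as seen by the gateway (constructed sample data below)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class ConcurrentConnLimiter:
    """Illustrative model of a per-destination concurrent-connection quota.

    Assumption (not Check Point's implementation): the quota counts distinct
    5-tuples (src, sport, dst, dport, proto) toward the destination, and a SYN
    whose 5-tuple already has an entry is a retransmission of that same
    connection, so it neither adds a connection nor trips the quota.
    """

    def __init__(self, limit: int, dest_cidr: str):
        self.limit = limit
        self.dest_net = ipaddress.ip_network(dest_cidr)
        self.conns = defaultdict(set)   # dst -> set of 5-tuples currently open
        self.stats = {"accept": 0, "retransmit": 0, "drop": 0}

    def handle(self, syn: Syn) -> str:
        key = (syn.src, syn.sport, syn.dst, syn.dport, syn.proto)
        if ipaddress.ip_address(syn.dst) not in self.dest_net:
            verdict = "accept"           # policy does not apply to this destination
        elif key in self.conns[syn.dst]:
            verdict = "retransmit"       # same 5-tuple: not a new connection
        elif len(self.conns[syn.dst]) >= self.limit:
            verdict = "drop"             # quota for this destination is exhausted
        else:
            self.conns[syn.dst].add(key)
            verdict = "accept"
        self.stats[verdict] += 1
        return verdict


def simulate(limiter: ConcurrentConnLimiter, syns) -> dict:
    """Run a list of SYNs through the limiter and return the verdict counts."""
    for s in syns:
        limiter.handle(s)
    return dict(limiter.stats)


# Constructed test traffic mirroring the two simulations described in the thread.
TARGET = "192.168.199.10"
SAME_PORT = [Syn("10.0.0.5", 40000, TARGET, 80) for _ in range(5000)]
RANDOM_PORTS = [Syn("10.0.0.5", 1024 + i, TARGET, 80) for i in range(5000)]   # distinct ports


if __name__ == "__main__":
    print("same source port:  ", simulate(ConcurrentConnLimiter(100, TARGET + "/32"), SAME_PORT))
    print("distinct src ports:", simulate(ConcurrentConnLimiter(100, TARGET + "/32"), RANDOM_PORTS))
```

With one source port the 5000 packets collapse into a single connection plus 4999 retransmissions, so a quota of 100 never fires; with distinct ports the 101st connection onward is dropped, which is the behaviour the screenshot shows. That is also why a rate-limit log looks very different from a SYN Defender one: the quota drops packets it has decided are new connections, so there is something to log.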
4 Replies
the_rock
MVP Platinum

For sure the SKs @_Val_ sent you are super relevant in this case.

Best,

Andy

ANARINE
Participant

OK, I performed the SYN flood in my test lab as well. I have observed the below:

When SYN flood prevention, aka SYN Defender, is enabled, it only activates after the threshold is reached (default 5000 SYNs). You can confirm that SYN Defender is active and enforcing cookies by running the 'fwaccel monitor state' command. At this point the fw acts as a man-in-the-middle: it does not forward the SYN packet to the web server unless it has received an ACK from the client containing a valid cookie. The OP was looking for SYN drops in the fw logs, but the fw doesn't drop the SYNs, it just doesn't forward them to the web server. The OP enabled a DoS rate policy, which is a separate mechanism from SYN Defender.

The below SK explains the process:

Accelerated SYN Defender

 

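The reply above describes the mechanism in words: SYNs pass through until a threshold is reached, after which the gateway answers each SYN itself with a cookie and only opens the server-side connection once the client returns a matching ACK, so there is no "drop" to log. The following is an added model of exactly that sequence, written for this thread and not taken from Check Point or the SK. The HMAC-based cookie layout, the 60 second time slot, the two-slot validity window and the sample addresses are assumptions; only the 5000 SYN threshold comes from the reply, and the 5 second activation delay mentioned earlier in the thread is not modelled.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

SLOT_SECONDS = 60          # cookie time-slot granularity (assumption)
DEFAULT_THRESHOLD = 5000   # SYNs seen before the defender activates (figure from the reply)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN from the client, "A" = final ACK of the handshake
    ack: int = 0  # acknowledgement number carried by an ACK packet


def make_cookie(secret: bytes, pkt: Packet, slot: int) -> int:
    """Stateless SYN cookie used as the SYN-ACK sequence number (assumed layout).

    The top 5 bits carry the time slot; the low 27 bits are a truncated HMAC
    over the 4-tuple and the slot, so a sender that never saw the SYN-ACK
    cannot produce an ACK that validates.
    """
    msg = f"{pkt.src}:{pkt.sport}>{pkt.dst}:{pkt.dport}|{slot}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((slot & 0x1F) << 27) | (mac & 0x07FFFFFF)


class SynDefender:
    """Constructed model of the behaviour described in the reply: forward SYNs
    until the threshold, then answer SYNs with cookies and open the server-side
    connection only once a valid ACK arrives. Not Check Point's implementation."""

    def __init__(self, secret: bytes, threshold: int = DEFAULT_THRESHOLD, now=time.time):
        self.secret = secret
        self.threshold = threshold
        self.now = now                 # injectable clock so the slot logic can be tested
        self.syn_count = 0
        self.active = False
        self.established = set()       # 4-tuples already handed to the server

    def _slot(self) -> int:
        return int(self.now() // SLOT_SECONDS)

    def handle(self, pkt: Packet):
        """Return (action, cookie): 'forward' to the server, 'synack' back to the
        client with the cookie as ISN, or 'drop'."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "S":
            self.syn_count += 1
            if self.syn_count >= self.threshold:
                self.active = True
            if not self.active:
                self.established.add(key)    # plain stateful pass-through
                return ("forward", None)
            # Active: the gateway answers the SYN itself. Nothing reaches the server
            # and nothing is dropped, so a traffic log shows no SYN drop.
            return ("synack", make_cookie(self.secret, pkt, self._slot()))
        if pkt.flags == "A":
            if key in self.established:
                return ("forward", None)
            if not self.active:
                return ("drop", None)        # ACK with no known connection
            cookie = (pkt.ack - 1) & 0xFFFFFFFF
            cur = self._slot()
            for slot in (cur, cur - 1):      # accept the current and previous slot only
                if (slot & 0x1F) == cookie >> 27 and make_cookie(self.secret, pkt, slot) == cookie:
                    self.established.add(key)   # handshake proven: now talk to the server
                    return ("forward", None)
            return ("drop", None)
        return ("drop", None)


if __name__ == "__main__":
    d = SynDefender(b"demo-secret", threshold=3)
    for port in (1, 2, 3):
        print(port, d.handle(Packet("10.0.0.5", port, "192.168.199.10", 80, "S")))
    print("active:", d.active)
```

The point a defender should take from the model is the one the reply makes: once the threshold is crossed, a flood of SYNs produces SYN-ACKs and no state on the protected server, and a traffic log that shows no drops is consistent with the feature working. Evidence of activation lives in the state of the feature itself and in the IPS/SynAttack events, not in per-SYN drop records.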