R80.20 - SYN Defender on SecureXL Level

I think the new feature "Accelerated SYN Defender" is a good choice to effectively prevent "SYN Flood Attack" on Check Point Gateways with enabled SecureXL.


A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections, which causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on the Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as a proxy for TCP connections and adjusts TCP [SEQ] and TCP [ACK] values in TCP packets.


You can find more in the manual under:

  • fwaccel synatk
  • fwaccel6 synatk


Regards,

Heiko
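To make the SYN cookie mechanism described above concrete, here is an added Python simulation of a SYN-proxying gateway. It is an illustration written for this thread, not Check Point's implementation: the secret, the half-open threshold, the cookie bit layout (5 bits of time epoch, 24 bits of keyed hash, 3 bits of MSS index) and the MSS table are all assumptions chosen for the demo. The point it shows is the one in the post: once half-open connections exceed a threshold, the gateway stops keeping per-connection state and instead encodes what it needs into the SYN-ACK sequence number, so forged SYNs cost it nothing, while a legitimate client's ACK can still be validated and the connection established.

```python
import hashlib
import hmac
import secrets

SECRET = b"constructed-demo-secret"   # assumption: per-gateway secret, rotated in practice
HALF_OPEN_THRESHOLD = 3               # assumption: demo-scale trigger for "suspected attack"
MSS_TABLE = (536, 1220, 1440, 1460)   # assumption: MSS values encoded in the low 3 cookie bits
MASK32 = 0xFFFFFFFF


def tick(now):
    """64-second epoch, truncated to 5 bits so it fits in the cookie."""
    return (int(now) >> 6) & 0x1F


def make_cookie(key, client_isn, mss_idx, t):
    """Stateless ISN: 5 bits epoch | 24 bits keyed hash over the 4-tuple | 3 bits MSS index."""
    msg = ("%s:%d->%s:%d|%d|%d" % (*key, client_isn, t)).encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t << 27) | (h << 3) | mss_idx) & MASK32


def check_cookie(key, client_isn, ack, now):
    """Return the encoded MSS if ack-1 is a fresh, authentic cookie for this 4-tuple, else None."""
    cookie = (ack - 1) & MASK32
    t, mss_idx = cookie >> 27, cookie & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if (tick(now) - t) & 0x1F > 1:      # older than two epochs: reject replays
        return None
    if make_cookie(key, client_isn, mss_idx, t) != cookie:
        return None                     # wrong source/port/ISN or forged number
    return MSS_TABLE[mss_idx]


class SynDefender:
    def __init__(self):
        self.half_open = {}      # key -> (client_isn, our_isn); used in normal mode only
        self.cookie_mode = False
        self.established = {}    # key -> negotiated MSS

    def on_syn(self, key, client_isn, mss, now):
        """Handle a client SYN; returns the sequence number we put in the SYN-ACK."""
        if not self.cookie_mode and len(self.half_open) >= HALF_OPEN_THRESHOLD:
            self.cookie_mode = True          # suspected SYN flood: stop storing state
        if self.cookie_mode:
            mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
            return make_cookie(key, client_isn, mss_idx, tick(now))
        our_isn = secrets.randbits(32)
        self.half_open[key] = (client_isn, our_isn)
        return our_isn

    def on_ack(self, key, seq, ack, now):
        """Handle the handshake-completing ACK; True if the connection is established."""
        client_isn = (seq - 1) & MASK32
        entry = self.half_open.get(key)
        if entry is not None:                # normal mode: compare against stored state
            if entry[0] == client_isn and ack == (entry[1] + 1) & MASK32:
                del self.half_open[key]
                self.established[key] = MSS_TABLE[-1]
                return True
            return False
        mss = check_cookie(key, client_isn, ack, now)
        if mss is None:
            return False                     # no state and no valid cookie: drop
        self.established[key] = mss
        return True


def demo():
    """Constructed scenario: a forged-source flood, then a legitimate client handshake."""
    gw = SynDefender()
    now = 1_700_000_000
    # 10 SYNs from forged sources (constructed addresses) that never answer the SYN-ACK
    for i in range(10):
        gw.on_syn(("198.51.100.%d" % i, 40000 + i, "192.0.2.10", 443), 1000 + i, 1460, now)
    # A legitimate client completes the handshake while the gateway is in cookie mode
    key = ("203.0.113.5", 51234, "192.0.2.10", 443)
    isn = gw.on_syn(key, 777, 1460, now)
    legit = gw.on_ack(key, 778, (isn + 1) & MASK32, now)
    # The same cookie presented from a different source: HMAC mismatch, dropped statelessly
    forged = gw.on_ack(("203.0.113.6", 51234, "192.0.2.10", 443), 778, (isn + 1) & MASK32, now)
    # The valid cookie replayed five minutes later: outside the epoch window, dropped
    stale = gw.on_ack(key, 778, (isn + 1) & MASK32, now + 300)
    return {
        "cookie_mode": gw.cookie_mode,
        "half_open": len(gw.half_open),   # capped at the threshold despite 10 SYNs
        "legit": legit,
        "forged": forged,
        "stale": stale,
        "mss": gw.established.get(key),
    }


if __name__ == "__main__":
    print(demo())
```

The half-open table stops growing at the threshold no matter how many forged SYNs arrive, which is the load reduction the post refers to; the cost is that TCP options not encoded in the cookie (here only a coarse MSS) are lost for connections set up in cookie mode, which is why such a proxy is normally engaged only under suspected attack rather than permanently.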

6 Replies
Iron

Re: R80.20 - SYN Defender on SecureXL Level

Hello


Is this feature supported by R80.20 SP on a 64000 Appliance?


Thank you

0 Kudos
Employee+

Re: R80.20 - SYN Defender on SecureXL Level

Yes, supported using the “g_fwaccel synatk” command.

Note that it is supported via the Gateway CLI only and not via SmartConsole.

0 Kudos
Nickel

Re: R80.20 - SYN Defender on SecureXL Level

I am wondering if someone may clarify for me the “Syn Attack protection” and the “Accelerated SYN Defender” (i.e. fwaccel synatk).

Are they the same thing, or they are two different things?

I feel the "Syn Attack protection" was the legacy configuration from the Syn Defender in R65, whereas this "Accelerated SYN Defender" is a new(?) generation of the Syn Defender?

Am I correct? Please educate me if I misunderstand these two terms.


Anyway, I hope I can understand these terms better, and start to configure one or both of them according to some kind of "best practice" suggestion from Check Point.


Thanks.


Re: R80.20 - SYN Defender on SecureXL Level

@Raymondn, in a nutshell, the idea of Syn Defender is still the same. It is just that with R80.20, it can be moved from FW into SXL. If so, it is called "Accelerated Syn Defender". This functionality did not exist in the previous releases.

More information can be found here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

and here (under the "Accelerated Syn Defender" chapter): https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_PerformanceTuning_AdminGu...

Nickel

Re: R80.20 - SYN Defender on SecureXL Level

Thanks for the info.

Spent some time reading some of those and now I have a better understanding.


If I read the SK correctly, at the end of the SK it did leave a statement that keeping this Syn Attack protection feature 'disabled' until you are facing a DOS attack may be a wise choice.

How do people feel about this? Is this a feature people typically disable, or leave as "monitor only", and only set to enforcement when facing a DOS issue?


Thanks.

0 Kudos

Re: R80.20 - SYN Defender on SecureXL Level

I would agree with the recommendation in the SK and leave SYN Defender off unless you need it. In R80.10 and earlier, enabling SYN Defender would kill SecureXL acceleration of most traffic traversing the firewall and make it go F2F, which could cause its own performance problems if the firewall was already under high load. This is why the Inspection Setting "SYN Attack" still shows a Performance Impact rating of "Critical". Now that SecureXL itself can perform this protection in R80.20+, turning it on is not likely to cause other performance problems.

Setting an email/SNMP alert for the Aggressive Aging signature could be one way to get alerted that you might need to turn on SYN Attack.


Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com