This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andreas_Aust
Collaborator
‎2019-10-31 01:43 AM

"fwaccel synatk" more or less a denial of service command ?

I played around with fwaccel synatk. After doing a "hping3 -i u1 -S -p 3389 host"  all connecitions from outside were blocked.

[Expert@gw-1:0]# fwaccel synatk config
enabled 1
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000

 

[Expert@gw-1:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Enforcing |
| Status Under Attack (!) |
| Non established connections 2 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 (!) | External | Prevent | Active( 20) | - | - |
| eth0.10 | External | Prevent | Ready | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 3 | 2 |
| eth1.666 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+

 

my question is: Is this expected behaviour ?

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-11-03 03:28 AM

First of all, the general "best practice" SK for dealing with DDoS: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And specifically SYN Defender in R80.20+: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As SYN Defender throttles ALL SYNs through the gateway, yes, it will impact all incoming traffic when activated.
It's generally not recommended to enable it unless you're actually under attack.
0 Kudos
Kevin_Smith777
Employee Alumnus
Employee Alumnus
‎2019-11-08 06:31 AM

Please contact me off list at ksmith@checkpoint.com

All connections from outside being blocked is not expected behavior.  I'd like to get more details on your test and work through this with you.  We can report back final outcome to the thread.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events