
"fwaccel synatk" more or less a denial of service command ?

I played around with fwaccel synatk. After doing a "hping3 -i u1 -S -p 3389 host", all connections from outside were blocked.

[Expert@gw-1:0]# fwaccel synatk config
enabled 1
enforce 1
global_high_threshold 10000
periodic_updates 1
cookie_resolution_shift 6
min_frag_sz 80
high_threshold 5000
low_threshold 1000
score_alpha 100
monitor_log_interval (msec) 60000
grace_timeout (msec) 30000
min_time_in_active (msec) 60000

 

[Expert@gw-1:0]# fwaccel synatk monitor
+-----------------------------------------------------------------------------+
| SYN Defender status |
+-----------------------------------------------------------------------------+
| Configuration Enforcing |
| Status Under Attack (!) |
| Non established connections 2 |
| Global Threshold 10000 |
| Interface Threshold 5000 |
+-----------------------------------------------------------------------------+
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
+-----------------------------------------------------------------------------+
| eth0 (!) | External | Prevent | Active( 20) | - | - |
| eth0.10 | External | Prevent | Ready | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 3 | 2 |
| eth1.666 | Internal | Detect | Monitor | 0 | 0 |
+-----------------------------------------------------------------------------+

 

My question is: Is this expected behaviour?

0 Kudos
2 Replies
Admin

Re: "fwaccel synatk" more or less a denial of service command ?

First of all, the general "best practice" SK for dealing with DDoS: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
And specifically SYN Defender in R80.20+: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

As SYN Defender throttles ALL SYNs through the gateway, yes, it will impact all incoming traffic when activated.
It's generally not recommended to enable it unless you're actually under attack.
0 Kudos
Employee

Re: "fwaccel synatk" more or less a denial of service command ?

Please contact me off list at ksmith@checkpoint.com

All connections from outside being blocked is not expected behavior. I'd like to get more details on your test and work through this with you. We can report back the final outcome to the thread.

0 Kudos
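
To see which interfaces SYN Defender is actively enforcing on, the `fwaccel synatk monitor` table from the first post can be filtered by its Enforce and State columns. The script below is an added example, not part of any post in this thread; the function names are hypothetical and it assumes the `|`-delimited row layout shown in that output.

```shell
#!/bin/sh
# Added example (not from the thread): find interfaces where SYN Defender
# is in Prevent mode and currently Active, from `fwaccel synatk monitor` output.

# Monitor rows as posted in the first message, used here as sample input.
sample_monitor_output() {
cat <<'EOF'
| Configuration Enforcing |
| Status Under Attack (!) |
| IF | Topology | Enforce | State (sec) | Non-established conns |
| | | | | Peak | Current |
| eth0 (!) | External | Prevent | Active( 20) | - | - |
| eth0.10 | External | Prevent | Ready | 0 | 0 |
| eth1 | Internal | Detect | Monitor | 3 | 2 |
| eth1.666 | Internal | Detect | Monitor | 0 | 0 |
EOF
}

# Prints "<interface> <topology> <seconds in state>" for every interface row
# whose Enforce column is Prevent and whose State column begins with Active.
synatk_active() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 7 {
            ifname = trim($2); topo = trim($3)
            enforce = trim($4); state = trim($5)
            if (enforce != "Prevent" || state !~ /^Active/) next
            sub(/[ \t]*\(!\)$/, "", ifname)   # drop the attack marker
            secs = state; gsub(/[^0-9]/, "", secs)
            print ifname, topo, secs
        }'
}

# Exit status 0 when the summary block reports "Under Attack".
synatk_under_attack() {
    grep -Eq '^\|[[:space:]]*Status[[:space:]]+Under Attack'
}

# On a gateway: fwaccel synatk monitor | synatk_active
sample_monitor_output | synatk_active
```

Interfaces in Detect mode, or in Prevent mode but still in the Ready state, are not listed, so any line printed identifies an interface where SYN Defender is currently intervening.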