Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Dor_Marcovitch
Advisor

fw syn atack

hey,

 

how do you know which value is suitable for an environment ? 

fwaccel synatk -t <Threshold>

and if changes from the default values is needed:

 

Thresholds

  • The Global high attack threshold number is configured to the specified value <Threshold>.

    This is the number of half-open TCP connections on all interfaces required for the Accelerated SYN Defender to engage.

    • Valid values: 100 and greater

    • Default: 10000

  • The High attack threshold number is configured to 1/2 of the specified value <Threshold>.

    This is the high number of half-open TCP connections on an interface required for the Accelerated SYN Defender to engage.

    • Valid values: (Low attack threshold) < (High attack threshold) <= (Global high attack threshold)

    • Default: 5000

  • The Low attack threshold number is configured to 1/10 of the specified value <Threshold>.

    This is the low number of half-open TCP connections on an interface required for the Accelerated SYN Defender to engage.

    • Valid values: 10 and greater

    • Default: 1000

thanks

0 Kudos
2 Replies
HeikoAnkenbrand
Champion Champion
Champion

Hi @Dor_Marcovitch 

There are only limited configuration settings for the "SYN Attack" protection in SmartConsole. Most of the configuration options can only be done directly on the Security Gateway with the 'fwaccel synatk' commands (see the R80.20 Performance Tuning Administration Guide - Chapter SecureXL - Section Accelerated SYN Defender).

I think the new feature in R80.20+  "Accelerated SYN Defender" is a good choice to effectively prevent "SYN Flood Attack" on Check Point Gateways with enabled SecureXL.

71138_pastedImage_1.png

A TCP SYN Flood attack occurs when a host, typically with a forged IP address, sends a flood of TCP [SYN] packets. Each of these TCP [SYN] packets is handled as a connection request, which causes the server to create a half-open (unestablished) TCP connection. This occurs because the server sends a TCP [SYN+ACK] packet, and waits for a response TCP packet that does not arrive. These half-open TCP connections eventually exceed the maximum available TCP connections that causes a denial of service condition. The Check Point Accelerated SYN Defender protects the Security Gateway by preventing excessive TCP connections from being created. The Accelerated SYN Defender uses TCP [SYN] Cookies (particular choices of initial TCP sequence numbers) when under a suspected TCP SYN Flood attack. Using TCP [SYN] Cookies can reduce the load on Security Gateway and on computers behind the Security Gateway. The Accelerated SYN Defender acts as proxy for TCP connections and adjusts TCP {SEQ} and TCP {ACK} values in TCP packets.

 

To your question;

The values are chosen very high, since they must in principle match for all firewalls. The tricky question is how many TCP sessions your firewall normally used. You can adjust the values accordingly. 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Dor_Marcovitch
Advisor

is there a formula to calculate the value it should be based on the average value of the tcp connections?

on r80.20 and later the value is per GW and not the same for all the GWs

from what i see also that on r80.20 you cannot choose between syn cookie or syn relay mechanism

thanks

dor

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events