SYN Protection

An attacker can use the network ports to launch a SYN attack against the device, which consumes TCP resources (buffers) and CPU power.

Since the CPU is protected using SCT, TCP traffic to the CPU is rate-limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker's packets, creating a Denial-of-Service condition.

When the SYN protection feature is enabled, the CPU counts the SYN packets received from each network port per second.

To configure SYN protection, follow these steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > SYN Protection.

Step 2

Enter the parameters.

  • Block SYN-RST Packets-Select to enable the feature. All TCP packets with both SYN and RST flags are dropped on all ports.

  • Block SYN-FIN Packets-Select to enable the feature. All TCP packets with both SYN and FIN flags are dropped on all ports.

  • SYN Protection Mode-Select between three modes:

    • Disable-The feature is disabled on a specific interface.

    • Report-Generates a SYSLOG message. The status of the port is changed to Attacked when the threshold is passed.

    • Block and Report-When a TCP SYN attack is identified, TCP SYN packets destined for the system are dropped and the status of the port is changed to Blocked.

  • SYN Protection Threshold-Number of SYN packets per second before SYN packets are blocked (the deny SYN with MAC-to-me rule is applied to the port).

  • SYN Protection Period-Time in seconds before unblocking the SYN packets (the deny SYN with MAC-to-me rule is unbound from the port).

Step 3

Click Apply. SYN protection is defined, and the Running Configuration file is updated.

The SYN Protection Interface Table displays the following fields for every port or LAG (as requested by the user).

  • Current Status-Interface status. The possible values are:

    • Normal-No attack was identified on this interface.

    • Blocked-Traffic isn’t forwarded on this interface.

    • Attacked-Attack was identified on this interface.

  • Last Attack-Date of the last SYN-FIN or SYN-RST attack identified by the system, and the action the system took.
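The following is an added example, not part of this documentation or of the switch firmware: a Python model of the per-port state machine the settings above describe (mode, threshold, period, the SYN-RST/SYN-FIN drops, and the Normal/Attacked/Blocked status values), useful for reasoning about what a given threshold and period will do before changing them. The threshold and period values, the port names and the rule that a reported port returns to Normal once its SYN rate drops are assumptions, not values from the page.

```python
from dataclasses import dataclass, field

NORMAL, ATTACKED, BLOCKED = "Normal", "Attacked", "Blocked"


@dataclass
class SynProtection:
    """Per-port SYN-rate state machine modelled on the SYN Protection settings."""
    mode: str = "Block and Report"   # "Disable" | "Report" | "Block and Report"
    threshold: int = 80              # SYN packets/second per port (constructed value)
    period: int = 60                 # seconds a port stays Blocked (constructed value)
    block_syn_rst: bool = True       # Block SYN-RST Packets
    block_syn_fin: bool = True       # Block SYN-FIN Packets
    status: dict = field(default_factory=dict)         # port -> Normal/Attacked/Blocked
    blocked_until: dict = field(default_factory=dict)  # port -> second the block expires
    syslog: list = field(default_factory=list)         # stand-in for the SYSLOG messages

    def tick(self, port: str, now: int, syn_count: int) -> str:
        """Evaluate one port for one one-second interval; returns the port's new status."""
        status = self.status.get(port, NORMAL)
        if self.mode == "Disable":
            status = NORMAL  # feature disabled on this interface: never Attacked/Blocked
        elif status == BLOCKED and now < self.blocked_until[port]:
            return BLOCKED   # protection period still running, deny rule stays bound
        elif syn_count > self.threshold:
            if self.mode == "Report":
                status = ATTACKED
            else:  # Block and Report: bind deny SYN with MAC-to-me rule for `period` seconds
                status = BLOCKED
                self.blocked_until[port] = now + self.period
            self.syslog.append(f"t={now} {port}: {syn_count} SYN/s exceeds threshold, {status}")
        else:
            status = NORMAL  # assumption: status returns to Normal once the rate drops
        self.status[port] = status
        return status

    def syn_to_cpu_allowed(self, port: str, flags: set) -> bool:
        """Whether a TCP packet addressed to the switch CPU is passed (True) or dropped."""
        if self.block_syn_rst and {"SYN", "RST"} <= flags:
            return False  # dropped on all ports, independent of the per-port mode
        if self.block_syn_fin and {"SYN", "FIN"} <= flags:
            return False
        if "SYN" in flags and self.status.get(port) == BLOCKED:
            return False  # deny SYN with MAC-to-me rule is bound to this port
        return True
```

Note that a SYN-RST or SYN-FIN packet is dropped even in Disable mode, since those two checkboxes act on all ports independently of the per-interface mode.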