Firewall > TCP Settings
441
SonicOS Enhanced 4.0 Administrator Guide
• SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or
forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface.
Understanding SYN Watchlists
The internal architecture of both SYN Flood protection mechanisms is based on a single list of
the Ethernet addresses of the most active devices sending initial SYN packets to the firewall.
This list is called a SYN watchlist. Because the list contains Ethernet addresses, the device
tracks all SYN traffic by the address of the device forwarding the SYN packet, without
considering the IP source or destination address. In practice this means that all hosts behind
an upstream router share that router's watchlist entry, since the router's Ethernet address is
what the firewall sees.
Each watchlist entry contains a value called a hit count. The hit count increments when the
device receives an initial SYN packet from the corresponding device, and decrements when the
TCP three-way handshake completes. The hit count for any particular device therefore generally
equals the number of half-open connections pending since the last time the device reset the hit
count. By default, the device resets hit counts once a second.
The thresholds for logging, SYN Proxy, and SYN Blacklisting are all compared to the hit count
values when determining if a log message or state change is necessary. When a SYN Flood
attack occurs, the number of pending half-open connections from the device forwarding the
attacking packets increases substantially because of the spoofed connection attempts. When
you set the attack thresholds correctly, normal traffic flow produces few attack warnings, but
the same thresholds detect and deflect attacks before they result in serious network
degradation.
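The following simulation, added here as an illustration and not taken from the guide or from SonicWall's own code, walks a small constructed packet trace through a watchlist built as described above: entries keyed by source Ethernet address, a hit count that rises on each initial SYN and falls when the handshake completes, a once-per-second reset, and log, SYN Proxy and SYN Blacklisting thresholds compared against the count. The MAC addresses, the threshold values (5, 10, 20), the forward/proxy/drop disposition policy and the traffic itself are all assumptions made for the example; they are not SonicOS defaults or internals.

```python
"""SYN watchlist simulation (added example, not SonicWall code).

Per-MAC hit count: +1 on an initial SYN, -1 when the handshake completes,
reset on a timer; log / SYN Proxy / SYN Blacklisting thresholds compared
against it. MACs, thresholds, scenario and disposition policy are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Packet:
    ts: float      # arrival time in seconds
    src_mac: str   # Ethernet source of the frame carrying the segment
    kind: str      # "SYN" = initial SYN, "ACK" = final ACK of the handshake

@dataclass
class Entry:
    hit_count: int = 0
    last_reset: float = 0.0

class SynWatchlist:
    """Per-MAC half-open connection tracker with threshold checks."""

    def __init__(self, log_threshold: int, proxy_threshold: int,
                 blacklist_threshold: int, reset_interval: float = 1.0):
        assert log_threshold <= proxy_threshold <= blacklist_threshold
        self.log_threshold = log_threshold
        self.proxy_threshold = proxy_threshold
        self.blacklist_threshold = blacklist_threshold
        self.reset_interval = reset_interval
        self.entries: Dict[str, Entry] = {}
        self.blacklisted: Set[str] = set()
        self.events: List[Tuple[float, str, str]] = []  # (ts, mac, event)

    def _entry(self, mac: str, ts: float) -> Entry:
        e = self.entries.setdefault(mac, Entry(last_reset=ts))
        # Timer reset: the count only covers half-open connections since the last reset.
        if ts - e.last_reset >= self.reset_interval:
            e.hit_count = 0
            e.last_reset = ts
        return e

    def process(self, pkt: Packet) -> Tuple[str, int]:
        """Return (disposition, hit_count) for the packet's source MAC."""
        if pkt.src_mac in self.blacklisted:
            return ("drop", self.entries[pkt.src_mac].hit_count)
        e = self._entry(pkt.src_mac, pkt.ts)
        if pkt.kind == "SYN":
            e.hit_count += 1
        elif pkt.kind == "ACK":
            e.hit_count = max(0, e.hit_count - 1)
        return (self._evaluate(pkt.src_mac, e, pkt.ts), e.hit_count)

    def _evaluate(self, mac: str, e: Entry, ts: float) -> str:
        # Thresholds are compared on every update; log/proxy events fire on the exact crossing.
        if e.hit_count == self.log_threshold:
            self.events.append((ts, mac, "log"))
        if e.hit_count == self.proxy_threshold:
            self.events.append((ts, mac, "proxy"))
        if e.hit_count >= self.blacklist_threshold:
            self.blacklisted.add(mac)
            self.events.append((ts, mac, "blacklist"))
            return "drop"
        if e.hit_count >= self.proxy_threshold:
            return "proxy"
        return "forward"

# Constructed MAC addresses for the scenario (not from the guide).
CLIENT, SLOW, FLOODER = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:ff"

def build_scenario() -> List[Packet]:
    """Constructed traffic: a normal client, a client whose server answers slowly
    (its half-open count is cleared by the timer reset), and a device forwarding
    a SYN flood whose spoofed handshakes never complete."""
    pkts: List[Packet] = []
    for i in range(4):                         # 4 complete handshakes
        pkts.append(Packet(0.10 * i, CLIENT, "SYN"))
        pkts.append(Packet(0.10 * i + 0.01, CLIENT, "ACK"))
    for i in range(3):                         # 3 SYNs still pending
        pkts.append(Packet(0.05 + 0.01 * i, SLOW, "SYN"))
    pkts.append(Packet(1.50, SLOW, "SYN"))     # >1 s later: count was reset
    for i in range(25):                        # 25 SYNs in 250 ms, no ACKs
        pkts.append(Packet(0.50 + 0.01 * i, FLOODER, "SYN"))
    pkts.append(Packet(2.00, FLOODER, "SYN"))  # already blacklisted by now
    return sorted(pkts, key=lambda p: p.ts)

def run(pkts: List[Packet], wl: SynWatchlist) -> Dict[str, Dict[str, int]]:
    """Feed packets through the watchlist; return per-MAC disposition counts."""
    summary: Dict[str, Dict[str, int]] = {}
    for p in pkts:
        disp, _ = wl.process(p)
        per_mac = summary.setdefault(p.src_mac, {})
        per_mac[disp] = per_mac.get(disp, 0) + 1
    return summary

if __name__ == "__main__":
    watchlist = SynWatchlist(log_threshold=5, proxy_threshold=10, blacklist_threshold=20)
    print(run(build_scenario(), watchlist))
    print(watchlist.events)
```

Running the module prints the per-MAC disposition counts. The normal client's eight packets and the slow client's four are all forwarded, because completed handshakes decrement the count and the one-second reset clears the three stale half-open entries; the flooding device's count climbs straight through the thresholds, so its later SYNs are proxied and then dropped once it is blacklisted, regardless of which spoofed IP sources it used.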
Working with SYN Flood Protection Features
To configure SYN Flood Protection features, go to the Layer 3 SYN Flood Protection - SYN
Proxy portion of the Firewall > TCP Settings window that appears as shown in the following
figure.
This portion of the window contains four regions:
• SYN Flood Protection Mode
• SYN Attack Threshold
• SYN Proxy Options
• SYN/RST/FIN Blacklisting
[Figure: Layer 3 SYN Flood Protection - SYN Proxy section of the Firewall > TCP Settings window, with callouts for the SYN Flood Protection Mode, SYN Attack Threshold, SYN Proxy Threshold, and SYN/RST/FIN Blacklisting regions]