Rate limiting: Protecting against TCP SYN floods
Denial of service (DoS) attacks partially exploit a network’s lack of rate limiting, but in the case of SYN floods, they also exploit a memory exhaustion issue inherent in the design of the TCP protocol. You can configure FortiADC to protect your servers from TCP SYN flood-style DoS attacks.
TCP SYN floods attempt to exploit the state mechanism of TCP. At the point where a client has only sent a SYN segment, a connection has been initiated and therefore consumes server memory to remember the state of the half-open connection. However, the connection has not yet been fully formed, so the packets are not yet required to carry any application-layer payload such as HTTP. Because of this, a SYN flood cannot be blocked by application-layer scans, nor by scans that only count fully formed socket connections (where the client's SYN has been answered by a SYN-ACK from the server, and the client has confirmed connection establishment with an ACK).
Normally, a legitimate client will quickly complete the connection build-up and tear-down. However, an attacker will initiate many connections without completing them, until the server is exhausted and has no memory left to track the TCP connection state for legitimate clients.
To prevent this, FortiADC can use a "SYN cookie", a small piece of memory that keeps a timeout for half-open connections. This prevents half-open connections from accumulating to the point of socket exhaustion.
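To show why a listener that allocates state per SYN is exhaustible while a SYN-cookie listener is not, here is an added, self-contained Python model (example code written for this page, not FortiADC's implementation, whose internals the page does not describe). It models the classic SYN cookie technique, in which the server's initial sequence number encodes a coarse timestamp plus a truncated keyed hash of the connection 4-tuple, so nothing is stored until a valid ACK returns. All addresses, ports, the `FourTuple`, `StatefulListener`, `SynCookieListener` and `run_demo` names, the backlog size, the secret and the tick counter are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class FourTuple:
    """Connection identity (sample addresses below come from RFC 5737 test ranges)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulListener:
    """Classic TCP listen socket: every SYN allocates a half-open entry until an ACK (or timeout)."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open: dict[FourTuple, int] = {}   # 4-tuple -> server ISN; this is what a flood fills
        self.established: set[FourTuple] = set()
        self.dropped_syns = 0
        self._next_isn = 0x1000

    def on_syn(self, ft: FourTuple, client_isn: int):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                   # table full: legitimate SYNs are dropped as well
            return None
        self._next_isn = (self._next_isn + 0x10000) & 0xFFFFFFFF
        self.half_open[ft] = self._next_isn
        return self._next_isn

    def on_ack(self, ft: FourTuple, seq: int, ack: int) -> bool:
        server_isn = self.half_open.get(ft)
        if server_isn is None or ack != ((server_isn + 1) & 0xFFFFFFFF):
            return False
        del self.half_open[ft]
        self.established.add(ft)
        return True


class SynCookieListener:
    """SYN-cookie listener: the server ISN *is* the state, so a SYN allocates nothing."""

    MAC_BITS = 24   # low 24 bits of the ISN: truncated HMAC; top 8 bits: coarse time tick

    def __init__(self, secret: bytes, clock):
        self.secret = secret
        self.clock = clock                           # callable returning the current tick (injected)
        self.established: set[FourTuple] = set()
        self.rejected_acks = 0

    def _mac(self, ft: FourTuple, client_isn: int, tick: int) -> int:
        msg = f"{ft.src_ip}:{ft.src_port}>{ft.dst_ip}:{ft.dst_port}|{client_isn}|{tick}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")     # 24-bit tag

    def on_syn(self, ft: FourTuple, client_isn: int) -> int:
        tick = self.clock() & 0xFF
        return (tick << self.MAC_BITS) | self._mac(ft, client_isn, tick)   # cookie, no table entry

    def on_ack(self, ft: FourTuple, seq: int, ack: int) -> bool:
        client_isn = (seq - 1) & 0xFFFFFFFF          # the ACK carries seq = client ISN + 1
        cookie = (ack - 1) & 0xFFFFFFFF              # and ack = server ISN + 1, i.e. our cookie
        tick = cookie >> self.MAC_BITS
        if ((self.clock() - tick) & 0xFF) > 1:       # issued more than one tick ago: stale
            self.rejected_acks += 1
            return False
        if (cookie & 0xFFFFFF) != self._mac(ft, client_isn, tick):
            self.rejected_acks += 1                  # forged or corrupted cookie
            return False
        self.established.add(ft)
        return True


def run_demo(flood_size: int = 200, backlog: int = 128) -> dict:
    """Flood both listeners with half-open SYNs, then let a legitimate client connect."""
    server = ("203.0.113.10", 443)                   # constructed server address
    clock = {"tick": 1000}
    stateful = StatefulListener(backlog)
    cookie = SynCookieListener(b"demo-secret-rotate-me", lambda: clock["tick"])

    # Attack phase: SYNs from spoofed sources that are never followed by an ACK.
    for i in range(flood_size):
        ft = FourTuple(f"198.51.100.{i % 250 + 1}", 1024 + i, *server)
        stateful.on_syn(ft, client_isn=i)
        cookie.on_syn(ft, client_isn=i)

    # Legitimate client completes the three-way handshake on both listeners.
    legit = FourTuple("192.0.2.7", 50000, *server)
    c_isn = 0x1234
    s_isn = stateful.on_syn(legit, c_isn)
    stateful_ok = s_isn is not None and stateful.on_ack(legit, c_isn + 1, s_isn + 1)
    s_cookie = cookie.on_syn(legit, c_isn)
    cookie_ok = cookie.on_ack(legit, c_isn + 1, s_cookie + 1)

    forged_ok = cookie.on_ack(legit, c_isn + 1, (s_cookie ^ 0x55) + 1)   # guessed cookie
    clock["tick"] += 5
    stale_ok = cookie.on_ack(legit, c_isn + 1, s_cookie + 1)             # replayed much later

    return {
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped_syns": stateful.dropped_syns,
        "stateful_legit_connected": stateful_ok,
        "cookie_legit_connected": cookie_ok,
        "cookie_forged_ack_accepted": forged_ok,
        "cookie_stale_ack_accepted": stale_ok,
        "cookie_rejected_acks": cookie.rejected_acks,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With the default parameters the stateful listener's backlog of 128 is full after the flood, so the legitimate client's SYN is dropped, while the cookie listener accepts the legitimate handshake and rejects both the forged and the stale ACK without ever having stored a half-open entry. Real implementations also fold the MSS and other options into the cookie and rotate the secret; the tick check is what gives the half-open state its implicit timeout.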
To enable TCP SYN flood protection, go to System > DoS Protection > SYN Cookie. When enabled, the protection applies to all connections from clients.