User guide
Default Packet Handling
User Guide 145
They are stored in a backlog until they are completed or time out. When
the server’s backlog is full, no new connections can be accepted.
A SYN Flood attack attempts to fill up the victim server’s backlog by
sending a flood of SYN segments without ever sending an ACK. When
the backlog fills up, the server will be unavailable to users.
The WatchGuard Firebox System can help defend your servers against a
SYN Flood attack by tracking the number of SYNs that are sent without a
following ACK. If this number exceeds the threshold you define, the SYN
Flood protection feature will self-activate. Once active, further connection
attempts from the external side of the Firebox must be verified before
being allowed to reach your servers. Connections that cannot be verified
are not allowed through, thus protecting your server from having a full
backlog.
The SYN Flood protection feature will self-deactivate when it senses the
attack is over.
From Policy Manager:
1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Default.
The Default Packet Handling dialog box appears.
2 Enable the checkbox marked Block SYN Flood Attacks.
Changing SYN flood settings
Active SYN flood defenses can occasionally prevent legitimate connection
attempts from being completed. If you find that too many legitimate
connection attempts fail when your SYN flood defense is active, you can
change SYN flood settings to minimize this problem.
You can set the maximum number of incomplete TCP connections the
Firebox allows before the SYN flood defense is activated. The default
setting of 60 means that when the number of TCP connections waiting to
be validated climbs to 61 or above, SYN flood defense is activated.
Conversely, when the number of connections waiting for validation drops
to 59 or less, SYN flood defense is deactivated.
You might need to adjust this setting to custom-fit the SYN Flood protection feature for your network. Every time the feature self-activates, a log message will be recorded stating SYN Validation: activated. When the feature self-deactivates, the log message SYN Validation: deactivated will be