Syn Flood protection -- Core-Admin Checker -- Secure limits



1. Introduction

The following article explains how this checker (syn_flood_checker) works to protect the system against SYN flood attacks and how to configure it so that it operates under the recommended thresholds.

2. What protection syn_flood_checker provides

A SYN flood attack is one that seeks to leave half-open connections on the victim server. What the attack aims for is to exhaust the server resources available to accept new connections.
The mechanism used to carry out the attack is to send the initial packets used to establish a TCP connection (SYN packets) and then not continue with the protocol handshake.

This leaves the connection in a “half open” state (half-open connection), consuming resources and the available “buckets” for these temporary connections (connections whose handshake is still in progress).

syn_flood_checker seeks to locate and count these connections, associating them to each source IP. If one of these IPs reaches the threshold configured for half-open connections, it will be blocked.

3. What are the recommended values

Usually, a TCP connection is established within a few milliseconds. First the client sends a SYN, then the server replies with a SYN-ACK and finally the connecting client responds with an ACK. After that, the connection is considered fully open.

Nowadays, due to user demands, SEO profilers, etc., TCP connections are expected to complete in under 50 ms, and usually in 5 ms to 20 ms, to be considered good performance.

This gives an idea of how unlikely it is to find several half-open connections in the SYN_RECV state for any given IP (over a short period of seconds). Both ends, server and connecting client, are interested in completing the connection as soon as possible.

Considering all these elements, the recommended maximum number of connections in the half-open state will not reach 100 at any time for a single IP. In general, any amount over 50 is already a big value. In that context, anything over 100 indicates that an attack is underway or that there is software not working as expected.
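As an added example (not Core-Admin's own code), the per-IP counting described above can be reproduced over the output of `ss -tan`: count the connections in SYN-RECV state per peer IP and flag any IP that reaches the threshold. The sample output below is constructed, and the default threshold of 100 follows the recommendation above.

```python
from collections import Counter

# Constructed sample in the format of `ss -tan` (not captured from a real host).
# Columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
ESTAB      0      0      10.0.0.5:80         203.0.113.10:51234
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:40001
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:40002
SYN-RECV   0      0      10.0.0.5:80         198.51.100.7:40003
SYN-RECV   0      0      10.0.0.5:443        203.0.113.10:51240
"""

# `ss` prints SYN-RECV; netstat prints SYN_RECV. Accept both spellings.
HALF_OPEN_STATES = {"SYN-RECV", "SYN_RECV"}


def count_half_open(ss_output):
    """Return a Counter of half-open (SYN-RECV) connections per peer IP."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header, non-connection lines and fully open connections.
        if len(fields) < 5 or fields[0] not in HALF_OPEN_STATES:
            continue
        peer = fields[4]
        # Drop the port; rsplit keeps "[v6addr]" intact for IPv6 peers.
        ip = peer.rsplit(":", 1)[0]
        counts[ip] += 1
    return counts


def offenders(counts, threshold=100):
    """IPs whose half-open count reached the threshold (the page's recommended value)."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    half_open = count_half_open(SAMPLE_SS_OUTPUT)
    for ip, n in half_open.most_common():
        print(f"{ip}: {n} half-open connection(s)")
    # With the recommended threshold of 100 nothing in the sample is flagged.
    print("over threshold:", offenders(half_open))
```

On a live host, replace the constructed sample with the output of `ss -tan` taken at short intervals; a single snapshot can miss a burst that the checker, which accounts continuously, would catch.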

4. How it works and how it can be configured

  1. The checker works in an automated way. You only have to check that it is deployed. For that:

  2. …then click on Show machine’s checkers:

  3. …inside the list, search for syn_flood_checker:

  4. To configure the checker limits, simply click on the checker:

  5. Inside, click on Configure: