TCP Tab

Topics:
TCP Settings
Layer 3 SYN Flood Protection - SYN Proxy Tab
Configuring Layer 3 SYN Flood Protection
Configuring Layer 2 SYN/RST/FIN/TCP Flood Protection – MAC Blacklisting
WAN DDOS Protection (Non-TCP Floods)

TCP Settings
Enforce strict TCP compliance with RFC 793 and RFC 1122 – Ensures strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it may cause problems with the Windows Scaling feature for Windows Vista users. This option is not selected by default.
Enable TCP handshake enforcement – Requires a successful three-way TCP handshake for all TCP connections. This option, available only if the Enforce strict TCP compliance with RFC 793 and RFC 1122, is not selected by default.
Enable TCP checksum enforcement – If an invalid TCP checksum is calculated, the packet is dropped. This option is not selected by default.
Enable TCP handshake timeout – Enforces the timeout period (in seconds) for a three-way TCP handshake to complete its connection. If the three-way TCP handshake does not complete in the timeout period, it is dropped. This option is selected by default.
TCP Handshake Timeout (seconds): The maximum time a TCP handshake has to complete the connection. The default is 30 seconds.
Default TCP Connection Timeout – The default time assigned to Access Rules for TCP traffic. If a TCP session is active for a period in excess of this setting, the TCP connection is cleared by the firewall. The default value is 15 minutes, the minimum value is 1 minute, and the maximum value is 999 minutes.
* 
NOTE: Setting excessively long connection time-outs slows the reclamation of stale resources, and in extreme cases, could lead to exhaustion of the connection cache.
Maximum Segment Lifetime (seconds) – Determines the number of seconds that any TCP packet is valid before it expires. This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection. The default value is 8 seconds, the minimum value is 1 second, and the maximum value is 60 seconds.
Enable Half Open TCP Connections Threshold – Denies new TCP connections if the high-water mark of TCP half-open connections has been reached. By default, the half-open TCP connection is not monitored, so this option is not selected by default.
Maximum Half Open TCP Connections – Specifies the maximum number of half-open TCP connections. The default maximum is half the number of maximum connection caches.

Layer 3 SYN Flood Protection - SYN Proxy Tab

Topics:
SYN Flood Protection Methods
Configuring Layer 3 SYN Flood Protection
SYN Flood Protection Methods

SYN/RST/FIN flood protection helps to protect hosts behind the firewall from Denial of Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available resources by creating one of the following attack mechanisms:
Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP addresses.
Creating excessive numbers of half-opened TCP connections.

The following sections detail some SYN flood protection methods:
SYN Flood Protection Using Stateless Cookies
Layer-Specific SYN Flood Protection Methods
Understanding SYN Watchlists
Understanding a TCP Handshake
SYN Flood Protection Using Stateless Cookies

The method of SYN flood protection employed starting with SonicOS uses stateless SYN Cookies, which increase reliability of SYN Flood detection, and also improves overall resource utilization on the firewall. With stateless SYN Cookies, the firewall does not have to maintain state on half-opened connections. Instead, it uses a cryptographic calculation (rather than randomness) to arrive at SEQr.

Layer-Specific SYN Flood Protection Methods

SonicOS provides several protections against SYN Floods generated from two different environments: trusted (internal) or untrusted (external) networks. Attacks from untrusted WAN networks usually occur on one or more servers protected by the firewall. Attacks from the trusted LAN networks occur as a result of a virus infection inside one or more of the trusted networks, generating attacks on one or more local or remote hosts.

To provide a firewall defense to both attack scenarios, SonicOS provides two separate SYN Flood protection mechanisms on two different layers. Each gathers and displays SYN Flood statistics and generates log messages for significant SYN Flood events.
SYN Proxy (Layer 3) – This mechanism shields servers inside the trusted network from WAN-based SYN flood attacks, using a SYN Proxy implementation to verify the WAN clients before forwarding their connection requests to the protected server. You can enable SYN Proxy only on WAN interfaces.
SYN Blacklisting (Layer 2) – This mechanism blocks specific devices from generating or forwarding SYN flood attacks. You can enable SYN Blacklisting on any interface.
Understanding SYN Watchlists

The internal architecture of both SYN Flood protection mechanisms is based on a single list of Ethernet addresses that are the most active devices sending initial SYN packets to the firewall. This list is called a SYN watchlist. Because this list contains Ethernet addresses, the device tracks all SYN traffic based on the address of the device forwarding the SYN packet, without considering the IP source or destination address.

Each watchlist entry contains a value called a hit count. The hit count value increments when the device receives the an initial SYN packet from a corresponding device. The hit count decrements when the TCP three-way handshake completes. The hit count for any particular device generally equals the number of half-open connections pending since the last time the device reset the hit count. The device default for resetting a hit count is once a second.

The thresholds for logging, SYN Proxy, and SYN Blacklisting are all compared to the hit count values when determining if a log message or state change is necessary. When a SYN Flood attack occurs, the number of pending half-open connections from the device forwarding the attacking packets increases substantially because of the spoofed connection attempts. When you set the attack thresholds correctly, normal traffic flow produces few attack warnings, but the same thresholds detect and deflect attacks before they result in serious network degradation.

Understanding a TCP Handshake

A typical TCP handshake (simplified) begins with an initiator sending a TCP SYN packet with a 32-bit sequence (SEQi) number. The responder then sends a SYN/ACK packet acknowledging the received sequence by sending an ACK equal to SEQi+1 and a random, 32-bit sequence number (SEQr). The responder also maintains state awaiting an ACK from the initiator. The initiator’s ACK packet should contain the next sequence (SEQi+1) along with an acknowledgment of the sequence it received from the responder (by sending an ACK equal to SEQr+1). The exchange looks as follows:

1
Initiator -> SYN (SEQi=0001234567, ACKi=0) -> Responder
2
Initiator <- SYN/ACK (SEQr=3987654321, ACKr=0001234568) <- Responder
3
Initiator -> ACK (SEQi=0001234568, ACKi=3987654322) -> Responder

Because the responder has to maintain state on all half-opened TCP connections, it is possible for memory depletion to occur if SYNs come in faster than they can be processed or cleared by the responder. A half-opened TCP connection did not transition to an established state through the completion of the three-way handshake. When the firewall is between the initiator and the responder, it effectively becomes the responder, brokering, or proxying, the TCP connection to the actual responder (private host) it is protecting.

Configuring Layer 3 SYN Flood Protection

A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions. This feature enables you to set three different levels of SYN Flood Protection.

To configure SYN Flood Protection features:
1
Go to the Layer 3 SYN Flood Protection - SYN Proxy section of the Firewall Settings > Flood Protection page.

2
From the SYN Flood Protection Mode drop-down menu, select the type of protection mode:
Watch and Report Possible SYN Floods – Enables the device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold. The feature does not turn on the SYN Proxy on the device so the device forwards the TCP three-way handshake without modification.

This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high-risk environment.
Proxy WAN Client Connections When Attack is Suspected – Enables the device to enable the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second surpasses a specified threshold. This method ensures the device continues to process valid traffic during the attack and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device blacklists all of them using the SYN Blacklisting feature.

This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
Always Proxy WAN Client Connections – Sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device.

This is an extreme security measure that directs the device to respond to port scans on all TCP ports because the SYN Proxy feature forces the device to respond to all TCP SYN connection attempts. This can degrade performance and can generate a false positive. Select this option only if your network is in a high-risk environment.

3
Select the SYN Attack Threshold configuration options to provide limits for SYN Flood activity before the device drops packets. The device gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum and incomplete WAN connections per second. Out of these statistics, the device suggests a value for the SYN flood threshold.
Suggested value calculated from gathered statistics – The suggested attack threshold based on WAN TCP connection statistics.
Attack Threshold (Incomplete Connection Attempts/Second) – Enables you to set the threshold for the number of incomplete connection attempts per second before the device drops packets at any value between 5 and 200,000. The default is the Suggested value calculated from gathered statistics.
4
Select the SYN-Proxy options to provide more control over the options sent to WAN clients when in SYN Proxy mode.
* 
NOTE: The options in this section are not available if Watch and report possible SYN floods is selected for SYN Flood Protection Mode.

When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server will respond to the TCP options normally provided on SYN/ACK packets.
All LAN/DMZ servers support the TCP SACK option – Enables SACK (Selective Acknowledgment) where a packet can be dropped and the receiving device indicates which packets it received. This option is not enabled by default. Enable this checkbox only when you know that all servers covered by the firewall accessed from the WAN support the SACK option.
Limit MSS sent to WAN clients (when connections are proxied) – Enables you to enter the maximum MSS (Minimum Segment Size) value. This sets the threshold for the size of TCP segments, preventing a segment that is too large to be sent to the targeted server. For example, if the server is an IPsec gateway, it may need to limit the MSS it received to provide space for IPsec headers when tunneling traffic. The firewall cannot predict the MSS value sent to the server when it responds to the SYN manufactured packet during the proxy sequence. Being able to control the size of a segment, enables you to control the manufactured MSS value sent to WAN clients. This option is not selected by default.

If you specify an override value for the default of 1460, a segment of that size or smaller is sent to the client in the SYN/ACK cookie. Setting this value too low can decrease performance when the SYN Proxy is always enabled. Setting this value too high can break connections if the server responds with a smaller MSS value.
Maximum TCP MSS sent to WAN clients. The value of the MSS. The default is 1460, the minimum value is 32, and the maximum is 1460.
* 
NOTE: When using Proxy WAN client connections, remember to set these options conservatively as they only affect connections when a SYN Flood takes place. This ensures that legitimate connections can proceed during an attack.
Always log SYN packets received. Logs all SYN packets received.

Layer 2 SYN/RST/FIN Flood Protection - MAC Blacklisting

The SYN/RST/FIN Blacklisting feature lists devices that exceeded the SYN, RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted devices early in the packet evaluation process, enabling the firewall to handle greater amounts of these packets, providing a defense against attacks originating on local networks while also providing second-tier protection for WAN networks.

Devices cannot occur on the SYN/RST/FIN Blacklist and watchlist simultaneously. With blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the watchlist and places them on the blacklist. Conversely, when the firewall removes a device from the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed on the blacklist will be removed from it approximately three seconds after the flood emanating from that device has ended.

Configuring Layer 2 SYN/RST/FIN/TCP Flood Protection – MAC Blacklisting
Threshold for SYN/RST/FIN flood blacklisting (SYNs / Sec) – Specifies he maximum number of SYN, RST, FIN, and TCP packets allowed per second. The minimum is 10, the maximum is 800000, and default is 1,000. This value should be larger than the SYN Proxy threshold value because blacklisting attempts to thwart more vigorous local attacks or severe attacks from a WAN network.
* 
NOTE: This option cannot be modified unless Enable SYN/RST/FIN/TCP flood blacklisting on all interfaces is enabled.
Enable SYN/RST/FIN/TCP flood blacklisting on all interfaces – Enables the blacklisting feature on all interfaces on the firewall. This option is not selected by default. When it is selected, these options become available:
Never blacklist WAN machines – Ensures that systems on the WAN are never added to the SYN Blacklist. This option is recommended as leaving it cleared may interrupt traffic to and from the firewall’s WAN ports. This option is not selected by default.
Always allow Dell SonicWALL management traffic – Causes IP traffic from a blacklisted device targeting the firewall’s WAN IP addresses to not be filtered. This allows management traffic and routing protocols to maintain connectivity through a blacklisted device. This option is not selected by default.

WAN DDOS Protection (Non-TCP Floods)

The WAN DDOS Protection (Non-TCP Floods) section is a deprecated feature that has been replaced by UDP Flood Protection and ICMP Flood Protection as described in UDP Tab and ICMP Tab , respectively.

* 
IMPORTANT: Dell SonicWALL recommends that you do not use the WAN DDOS Protection feature, but that you use UDP Flood Protection and ICMP Flood Protection instead.

TCP Traffic Statistics

Table 72 describes the entries in the TCP Traffic Statistics table. To clear and restart the statistics displayed by a table, click the Clear Stats icon for the table.

 

Table 72. TCP Traffic Statistics

This statistic

Is incremented/displays

Connections Opened

When a TCP connection initiator sends a SYN, or a TCP connection responder receives a SYN.

Connections Closed

When a TCP connection is closed when both the initiator and the responder have sent a FIN and received an ACK.

Connections Refused

When a RST is encountered, and the responder is in a SYN_RCVD state.

Connections Aborted

When a RST is encountered, and the responder is in some state other than SYN_RCVD.

Connection Handshake Error

When a handshake error is encountered.

Connection Handshake Timeouts

When a handshake times out.

Total TCP Packets

With every processed TCP packet.

Validated Packets Passed

When:
A TCP packet passes checksum validation (while TCP checksum validation is enabled).
A valid SYN packet is encountered (while SYN Flood protection is enabled).
A SYN Cookie is successfully validated on a packet with the ACK flag set (while SYN Flood protection is enabled).

Malformed Packets Dropped

When:
TCP checksum fails validation (while TCP checksum validation is enabled).
The TCP SACK Permitted option is encountered, but the calculated option length is incorrect.
The TCP MSS (Maximum Segment Size) option is encountered, but the calculated option length is incorrect.
The TCP SACK option data is calculated to be either less than the minimum of 6 bytes, or modulo incongruent to the block size of 4 bytes.
The TCP option length is determined to be invalid.
The TCP header length is calculated to be less than the minimum of 20 bytes.
The TCP header length is calculated to be greater than the packet’s data length.

Invalid Flag Packets Dropped

When a:
Non-SYN packet is received that cannot be located in the connection-cache (while SYN Flood protection is disabled).
Packet with flags other than SYN, RST+ACK ,or SYN+ACK is received during session establishment (while SYN Flood protection is enabled).
TCP XMAS Scan is logged if the packet has FIN, URG, and PSH flags set.
TCP FIN Scan is logged if the packet has the FIN flag set.
TCP Null Scan is logged if the packet has no flags set.
New TCP connection initiation is attempted with something other than just the SYN flag set.
Packet with the SYN flag set is received within an established TCP session.
Packet without the ACK flag set is received within an established TCP session.

Invalid Sequence Packets Dropped

When a:
Packet within an established connection is received where the sequence number is less than the connection’s oldest unacknowledged sequence.
Packet within an established connection is received where the sequence number is greater than the connection’s oldest unacknowledged sequence + the connection’s last advertised dialog size.

Invalid Acknowledgement Packets Dropped

When an invalid acknowledgement packet is dropped.

Max Incomplete WAN Connections / sec

When a:
Packet is received with the ACK flag set, and with neither the RST or SYN flags set, but the SYN Cookie is determined to be invalid (while SYN Flood protection is enabled).
Packet’s ACK value (adjusted by the sequence number randomization offset) is less than the connection’s oldest unacknowledged sequence number.
Packet’s ACK value (adjusted by the sequence number randomization offset) is greater than the connection’s next expected sequence number.

Average Incomplete WAN Connections / sec

The average number of incomplete WAN connections per second.

SYN Floods In Progress

When a SYN flood is detected.

RST Floods In Progress

When a RST flood is detected.

FIN Floods In Progress

When a FIN flood is detected.

TCP Floods In Progress

When a TCP flood is detected.

Total SYN, RST, FIN or TCP Floods Detected

The total number of floods (SYN, RST, FIN, and TCP) detected.

TCP Connection SYN-Proxy State (WAN only)

For WAN only, whether the TCP connection SYN-proxy is enabled.

Current SYN-Blacklisted Machines

When a device is listed on the SYN blacklist.

Current RST-Blacklisted Machines

When a device is listed on the RST blacklist.

Current FIN-Blacklisted Machines

When a device is listed on the FIN blacklist.

Current TCP-Blacklisted Machines

When a device is listed on the TCP blacklist.

Total SYN-Blacklisting Events

When a SYN blacklisting event is detected.

Total RST-Blacklisting Events

When a RST blacklisting event is detected.

Total FIN-Blacklisting Events

When a FIN blacklisting event is detected.

Total TCP-Blacklisting Events

When a TCP blacklisting event is detected.

Total SYN Blacklist Packets Rejected

The total number of SYN packets rejected by SYN blacklisting.

Total RST Blacklist Packets Rejected

The total number of RST packets rejected by SYN blacklisting.

Total FIN Blacklist Packets Rejected

The total number of FIN packets rejected by SYN blacklisting.

Total TCP Blacklist Packets Rejected

The total number of TCP packets rejected by SYN blacklisting.

Invalid SYN Flood Cookies Received

When a SNY flood cookie is received.

WAN DDOS Filter State

Whether the DDOS filter is enabled or disabled.

WAN DDOS Filter – Packets Rejected

When a WAN DDOS Filter rejects a packet.

WAN DDOS Filter – Packets Leaked

 

WAN DDOS Filter – Allow List Count