Attacks from untrusted WAN networks usually occur on one or more servers protected by the firewall. SonicOS provides several protections against SYN Floods generated from two different environments: trusted (internal) or untrusted (external) networks. Instead, it uses a cryptographic calculation (rather than randomness) to arrive at SEQr. With stateless SYN Cookies, the SonicWALL does not have to maintain state on half-opened connections. The method of SYN flood protection employed starting with SonicOS uses stateless SYN Cookies, which increase reliability of SYN Flood detection, and also improves overall resource utilization on the SonicWALL. Layer-Specific SYN Flood Protection Methods SYN Flood Protection Using Stateless Cookies The following sections detail some SYN Flood protection methods: Sending TCP SYN packets, RST packets, or FIN packets with invalid or spoofed IP addresses.Ĭreating excessive numbers of half-opened TCP connections. SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWALL from Denial of Service (DoS) or Distributed DoS attacks that attempt to consume the host’s available resources by creating one of the following attack mechanisms: This setting is also used to determine the amount of time (calculated as twice the Maximum Segment Lifetime, or 2MSL) that an actively closed TCP connection remains in the TIME_WAIT state to ensure that the proper FIN / ACK exchange has occurred to cleanly close the TCP connection. Maximum Segment Lifetime (seconds) – Determines the number of seconds that any TCP packet is valid before it expires. Note: Setting excessively long connection time-outs will slow the reclamation of stale resources, and in extreme cases could lead to exhaustion of the connection cache. The default value is 5 minutes, the minimum value is 1 minute, and the maximum value is 999 minutes. If a TCP session is active for a period in excess of this setting, the TCP connection will be cleared by the SonicWALL. This setting maximizes TCP security, but it may cause problems with the Window Scaling feature for Windows Vista users.Įnable TCP handshake enforcement – Require a successful three-way TCP handshake for all TCP connections.Įnable TCP checksum enforcement – If an invalid TCP checksum is calculated, the packet will be dropped.ĭefault TCP Connection Timeout – The default time assigned to Access Rules for TCP traffic. The page is divided into four sectionsĬonfiguring Layer 2 SYN/RST/FIN Flood ProtectionĮnforce strict TCP compliance with RFC 793 and RFC 1122 – Select to ensure strict compliance with several TCP timeout rules. The Firewall Settings > Flood Protection page lets you view statistics on TCP Traffic through the security appliance and manage TCP traffic settings.
0 kommentar(er)
