Intrusion Prevention

tcp_syn_flood

Description

This indicates that the rate of TCP SYN packets sent to a single IP address is above the configured threshold.
This points to a possible SYN flood, a TCP-based attack and one of the more severe Denial-of-Service attacks. It blocks legitimate access to the target system.
A TCP server on the Internet normally extends a degree of trust to any client that tries to connect to it. Establishing a TCP connection takes an exchange of three packets: an initial SYN from the client, a SYN-ACK from the server, and a final ACK from the client that completes the handshake.
An attacker sends a stream of well-formed SYN packets whose source IP addresses are spoofed. Because those addresses are forged, the final ACK never reaches the target, so the connections are never completed. Until the connection attempt times out, however, the target commits a disproportionate amount of resources to each pending connection: a slot in the listen backlog, memory for the connection state, and CPU and bandwidth to retransmit the SYN-ACK. With enough such half-open connections the target exhausts those resources, can no longer accept new connections, legitimate requests included, and so fails to provide its TCP-based services. Note that the spoofed source addresses may belong to real hosts, which then receive unsolicited SYN-ACKs; the sources seen in the flood therefore do not identify the attacker.
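The following is an added example, not code from the FortiGuard page or from FortiGate itself. It models the two things described above: the half-open connection state a server keeps during the handshake (a bounded backlog that spoofed SYNs fill and that only a timeout drains) and the per-destination SYN-rate check that a tcp_syn_flood-style signature performs. All packet events, addresses, the backlog size, the timeout and the threshold are constructed for the illustration, and half-open entries are keyed by source IP only (a simplification; a real stack keys on the full 4-tuple).

```python
"""Added example: SYN flood effect on a listener's backlog, plus a SYN-rate check.
All packets, addresses and parameters below are constructed, not captured."""
from collections import defaultdict, deque


class Listener:
    """Server side of the handshake. Half-open connections (SYN seen, ACK not yet
    seen) live in a bounded backlog until the final ACK arrives or they time out."""

    def __init__(self, backlog, timeout):
        self.backlog = backlog          # max half-open entries (assumed value)
        self.timeout = timeout          # seconds before a half-open entry is dropped
        self.half_open = {}             # src_ip -> time the SYN arrived (simplified key)
        self.established = set()
        self.dropped_syns = 0

    def expire(self, now):
        """Drop half-open entries whose handshake never completed within the timeout."""
        for src, t in list(self.half_open.items()):
            if now - t > self.timeout:
                del self.half_open[src]

    def on_syn(self, now, src):
        """Accept a SYN (server would reply SYN-ACK) unless the backlog is full."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, now, src):
        """Final ACK of the handshake: move the entry from half-open to established."""
        if src in self.half_open:
            del self.half_open[src]
            self.established.add(src)
            return True
        return False


def syn_rate_alerts(events, threshold, window=1.0):
    """Flag a destination whenever more than `threshold` SYNs reached it within the
    trailing `window` seconds. This is the check the signature describes."""
    recent = defaultdict(deque)         # dst_ip -> timestamps of recent SYNs
    alerts = []
    for t, src, dst, flags in events:
        if flags != "S":
            continue
        q = recent[dst]
        q.append(t)
        while q and t - q[0] >= window:
            q.popleft()
        if len(q) > threshold:
            alerts.append((t, dst, len(q)))
    return alerts


def simulate(events, backlog=8, timeout=30.0):
    """Replay the packet events against a Listener; return it plus every source
    whose SYN was refused because the backlog was full."""
    srv = Listener(backlog, timeout)
    refused = []
    for t, src, dst, flags in events:
        if flags == "S" and not srv.on_syn(t, src):
            refused.append(src)
        elif flags == "A":
            srv.on_ack(t, src)
    return srv, refused


def build_sample_events():
    """Constructed packet log: (timestamp_s, src_ip, dst_ip, flags); "S" = SYN, "A" = ACK."""
    target = "198.51.100.5"
    events = [(0.00, "192.0.2.10", target, "S"),      # legitimate client completes
              (0.05, "192.0.2.10", target, "A")]      # the handshake normally
    for i in range(20):                               # 20 spoofed SYNs in 200 ms;
        events.append((1.0 + i * 0.01, "203.0.113.%d" % (i + 1), target, "S"))  # no ACK ever follows
    events.append((3.0, "192.0.2.11", target, "S"))   # legitimate client while backlog is full
    events.append((40.0, "192.0.2.12", target, "S"))  # after the half-open timeout expires
    events.append((40.05, "192.0.2.12", target, "A"))
    return events


if __name__ == "__main__":
    evs = build_sample_events()
    for t, dst, n in syn_rate_alerts(evs, threshold=10):
        print("t=%.2fs SYN rate to %s above threshold: %d SYN/s" % (t, dst, n))
    srv, refused = simulate(evs)
    print("established:", sorted(srv.established))
    print("refused SYNs:", refused)
```

Replaying the constructed log shows the sequence the description walks through: the spoofed SYNs fill the eight-slot backlog, the legitimate client at t=3.0 is refused even though the flood itself stopped, and only after the 30-second timeout drains the half-open entries does a new client connect. The rate check raises its first alert on the eleventh SYN inside the one-second window.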

Affected Products

Any unprotected system that is connected to the Internet and provides TCP-based services

Impact

Denial of Service

Recommended Actions

Identify the cause of the abnormal traffic.
Block the abnormal traffic using FortiGate.