When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server will respond to the TCP options normally provided on SYN/ACK packets.
To provide more control over the options sent to WAN clients when in SYN Proxy mode, users can configure the Maximum Segment Size (MSS) that the firewall advertises in its manufactured SYN/ACK.
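The following toy model illustrates the two behaviours described above: the firewall answers each SYN on the server's behalf with a SYN/ACK carrying a capped MSS option, only hands a connection to the server once the client returns an ACK that matches the manufactured SYN/ACK, and sweeps out sources that never acknowledge. This is an added example, not SonicWall code; the HMAC-derived sequence number, the `PROXY_SECRET` value and the sample addresses are constructed for the illustration and do not describe how SonicOS actually generates its SYN/ACKs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed secret used to derive proxy sequence numbers (assumption: a
# real device keeps its own secret; this value is only a placeholder).
PROXY_SECRET = b"example-secret-not-a-real-key"


def proxy_isn(src: str, client_seq: int) -> int:
    """Derive a 32-bit initial sequence number from the client's address and
    SYN sequence number, SYN-cookie style, so a returning ACK can be checked
    without trusting anything the client sends."""
    msg = f"{src}:{client_seq}".encode()
    digest = hmac.new(PROXY_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class Segment:
    src: str
    flags: str                 # "SYN", "SYN/ACK" or "ACK"
    seq: int = 0
    ack: int = 0
    mss: Optional[int] = None  # TCP MSS option; only meaningful on SYN / SYN/ACK


@dataclass
class SynProxy:
    max_mss: int = 1460                              # "Limit MSS sent to WAN clients"
    pending: dict = field(default_factory=dict)      # src -> client SYN seq (half-open)
    forwarded: list = field(default_factory=list)    # sources handed to the server
    bad_acks: int = 0                                # ACKs that did not match our SYN/ACK

    def handle(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "SYN":
            # Answer on the server's behalf. We cannot know what MSS the server
            # would have offered, so advertise the configured conservative value.
            self.pending[seg.src] = seg.seq
            isn = proxy_isn(seg.src, seg.seq)
            return Segment(src="firewall", flags="SYN/ACK",
                           seq=isn, ack=seg.seq + 1, mss=self.max_mss)
        if seg.flags == "ACK":
            client_seq = self.pending.get(seg.src)
            # Only a host that really received our SYN/ACK knows the right ack number.
            if client_seq is not None and seg.ack == proxy_isn(seg.src, client_seq) + 1:
                del self.pending[seg.src]
                self.forwarded.append(seg.src)   # handshake would now be replayed to the server
            else:
                self.bad_acks += 1
            return None
        return None

    def expire_unanswered(self) -> int:
        """Drop half-open entries whose SYN/ACK was never acknowledged; this is
        how spoofed flood sources are distinguished from real clients."""
        expired = len(self.pending)
        self.pending.clear()
        return expired


def simulate_flood(n_spoofed: int = 1000, max_mss: int = 1460) -> dict:
    """Run one legitimate handshake alongside n_spoofed unanswered SYNs
    (all addresses below are constructed sample input)."""
    fw = SynProxy(max_mss=max_mss)

    # A real client completes the three-way handshake with the proxy.
    synack = fw.handle(Segment(src="198.51.100.7", flags="SYN", seq=1000, mss=1460))
    fw.handle(Segment(src="198.51.100.7", flags="ACK", seq=1001, ack=synack.seq + 1))

    # Flood sources send SYNs but never see, let alone answer, the SYN/ACK.
    for i in range(n_spoofed):
        fw.handle(Segment(src=f"203.0.113.{i % 256}#{i}", flags="SYN", seq=i))

    # One forged ACK with a wrong acknowledgement number is rejected.
    wrong_ack = proxy_isn("203.0.113.0#0", 0) + 2
    fw.handle(Segment(src="203.0.113.0#0", flags="ACK", seq=1, ack=wrong_ack))

    expired = fw.expire_unanswered()
    return {"advertised_mss": synack.mss, "forwarded": list(fw.forwarded),
            "expired": expired, "bad_acks": fw.bad_acks}


if __name__ == "__main__":
    print(simulate_flood())
```

Lowering `max_mss` (for example to 1380) changes only the MSS option in the manufactured SYN/ACK; the handshake validation is unchanged, which is why the page advises setting the limit conservatively: it is the one value the firewall commits to before the server has a say.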
RESOLUTION FOR SONICOS 7.X
This release includes significant user interface changes and many new features that differ from SonicOS 6.x and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.
1. Login to the SonicWall management GUI.
2. Navigate to Network | Firewall | Flood Protection.
3. Enable Limit MSS sent to WAN clients (when connections are proxied). This allows you to enter the maximum MSS value the firewall will advertise. The default value is 1460.
Note: When using Proxy WAN client connections, remember to set these options conservatively, since they only affect connections while a SYN Flood is taking place.
RESOLUTION FOR SONICOS 6.X
1. Login to the SonicWall management GUI.
2. Navigate to Firewall Settings | Flood Protection page.