How To Change TCP Minimum Segment Size (MSS) Under Flood Protection
03/26/2020
When the device applies a SYN Proxy to a TCP connection, it responds to the initial SYN packet with a manufactured SYN/ACK reply, waiting for the ACK in response before forwarding the connection request to the server. Devices attacking with SYN Flood packets do not respond to the SYN/ACK reply. The firewall identifies them by their lack of this type of response and blocks their spoofed connection attempts. SYN Proxy forces the firewall to manufacture a SYN/ACK response without knowing how the server will respond to the TCP options normally provided on SYN/ACK packets.
To provide more control over the options sent to WAN clients when in SYN Proxy mode, users can configure the Minimum Segment Size (MSS).
1. Log in to the SonicWall management GUI.
2. Navigate to the Firewall Settings | Flood Protection page.
3. Enable Limit MSS sent to WAN clients (when connections are proxied). This allows you to enter the maximum Minimum Segment Size value. The default value is 1460.
Note: When using Proxy WAN client connections, remember to set these options conservatively, since they only affect connections when a SYN Flood takes place.
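Why a conservative value matters, as an added example that is not SonicWall code: the proxy has to put an MSS in its manufactured SYN/ACK before it has seen the server's own SYN/ACK, so a limit above what the server later advertises lets the client send segments the server did not agree to receive. The function names and the sample server options are constructed for illustration, and the model assumes the proxy advertises exactly the configured limit.

```python
import struct

MSS_KIND, NOP, EOL = 2, 1, 0   # standard TCP option kinds
DEFAULT_IPV4_MSS = 536         # assumed by TCP when no MSS option is received


def parse_mss(options: bytes):
    """Return the MSS carried in a TCP options field, or None if absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            break
        if kind == NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(options):
            break                  # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                  # malformed length, stop parsing
        if kind == MSS_KIND and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def proxied_synack_options(mss_limit: int = 1460) -> bytes:
    """Options for the manufactured SYN/ACK (assumption: MSS = configured limit)."""
    return struct.pack("!BBH", MSS_KIND, 4, mss_limit)


def oversize_risk(mss_limit: int, server_synack_options: bytes) -> int:
    """Bytes by which a client segment can exceed the MSS the server advertises."""
    server_mss = parse_mss(server_synack_options)
    if server_mss is None:
        server_mss = DEFAULT_IPV4_MSS
    client_sees = parse_mss(proxied_synack_options(mss_limit))
    return max(0, client_sees - server_mss)


# Constructed sample: a server reached over a tunnel that advertises MSS 1360.
SERVER_OPTS = struct.pack("!BBH", MSS_KIND, 4, 1360) + bytes([NOP, NOP])

if __name__ == "__main__":
    for limit in (1460, 1360):
        print(limit, "->", oversize_risk(limit, SERVER_OPTS), "bytes oversize")
```

A result of 0 means the configured limit is at or below what the server would have advertised itself.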