How to configure syn-flood-protection-mode via ssh using Putty

03/26/2020 13 12955

DESCRIPTION:
How to configure syn-flood-protection-mode via ssh using Putty

RESOLUTION:

Scenario: How to configure syn-flood-protection-mode via ssh using Putty







 
Procedure

admin@C0EAE46CD900> config
config(C0EAE46CD900)# tcp
(config-tcp)# ?


TCP Commands:
 

1.  enforce-strict-compliance Strict compliance with RFC 793 and RFC 1122
2.  syn-attack-threshold Set Attack threshold (incomplete connection attempts / second).
3.  syn-flood-protection-mode Set TCP Syn Flood Protection Mode.

 

1. (config-tcp)#enforce-strict-compliance
 
Description:
Enforce strict TCP compliance with RFC 793 and RFC 1122   Select to ensure strict compliance with several TCP timeout rules. This setting maximizes TCP security, but it may cause problems with the Window Scaling feature for Windows Vista users.
 


2. (config-tcp)# syn-attack-threshold <5..200000>
 
Where:
 
 <5..200000> = Integer in the form: D OR 0xHHHHHHHH
 Example: 123
Example:
 
 syn-attack-threshold 300
 
Description:
The SYN Attack Threshold configuration options provide limits for SYN Flood activity before the device drops packets. The device gathers statistics on WAN TCP connections, keeping track of the maximum and average maximum and incomplete WAN connections per second. Out of these statistics, the device suggests a value for the SYN flood threshold. Note the two options in the section:
 


3. (config-tcp)# syn-flood-protection-mode

Description:
SYN/RST/FIN Flood protection helps to protect hosts behind the SonicWall from Denial of Service (DoS) or Distributed DoS attacks that attempt to consume the host's available resources by creating one of the following attack mechanisms: A SYN Flood Protection mode is the level of protection that you can select to defend against half-opened TCP sessions and high-frequency SYN packet transmissions. This feature enables you to set three different levels of SYN Flood Protection:
Watch and Report Possible SYN Floods   This option enables the device to monitor SYN traffic on all interfaces on the device and to log suspected SYN flood activity that exceeds a packet count threshold. The feature does not turn on the SYN Proxy on the device so the device forwards the TCP three-way handshake without modification. This is the least invasive level of SYN Flood protection. Select this option if your network is not in a high risk environment.

Proxy WAN Client Connections When Attack is suspected   This option enables the device to enable the SYN Proxy feature on WAN interfaces when the number of incomplete connection attempts per second surpasses a specified threshold. This method ensures the device continues to process valid traffic during the attack and that performance does not degrade. Proxy mode remains enabled until all WAN SYN flood attacks stop occurring or until the device blacklists all of them using the SYN Blacklisting feature. This is the intermediate level of SYN Flood protection. Select this option if your network experiences SYN Flood attacks from internal or external sources.
Always Proxy WAN Client Connections � This option sets the device to always use SYN Proxy. This method blocks all spoofed SYN packets from passing through the device. Note that this is an extreme security measure and directs the device to respond to port scans on all TCP ports because the SYN Proxy feature forces the device to respond to all TCP SYN connection attempts. This can degrade performance and can generate a false positive. Select this option only if your network is in a high risk environment.

Function Choices:
 always-proxy Always Proxy WAN client connections.
 proxy-suspect-attack Proxy WAN client connections when attack is suspected.
 watch-and-report Watch and report possible SYN floods

Example:
(config-tcp)# syn-flood-protection-mode always-proxy
(config-tcp)# commit

(config-tcp)# commit
% Applying changes...
% Changes made.
(config-tcp)# end