
    Understanding SYN Protector Rulebase Modes

    Table 1 summarizes SYN Protector rulebase modes.

    Table 1: SYN Protector Rulebase Modes

    Mode     Description

    None     The IDP Series device takes no action and does not participate in the three-way handshake.

    Passive  In passive mode, the IDP Series device lets the handshake proceed between client and server and monitors session startup. If the client does not send an ACK within the timeout period, the IDP Series device sends a TCP reset to tear down the half-open connection.

    Relay    In relay mode, the IDP Series device acts as a relay for connection establishment, performing the three-way handshake with the client on behalf of the server. When the IDP Series device receives the initial SYN packet, it returns a SYN/ACK packet carrying a SYN cookie. A SYN cookie is a 32-bit value placed in the TCP sequence number field of the SYN/ACK; because the device can recompute it when the client's ACK arrives, it does not need to keep per-SYN state while the handshake is half-open. If the client replies with an ACK packet whose acknowledgment number corresponds to the cookie, the IDP Series device completes the three-way handshake with the server and allows the session to become established. If no matching ACK arrives from the client, as is the case in a SYN flood attack, the IDP Series device never establishes the connection toward the server. Relay mode therefore guarantees that the server allocates resources only to connections that are already in an established state. The relay is transparent to both the client and the server.

    Relay mode has the following limitations:

    • If the ACK packet from the client is lost, the client and the server can end up in an unsynchronized state.
    • Because the IDP Series device does not save the TCP options carried in the client's SYN packet, TCP extensions such as transaction-oriented TCP (T/TCP) and Selective Acknowledgment (SACK), and protocols such as BGP, can fail when SYN flooding is detected and the IDP Series device takes over the TCP handshake as a proxy.
    • Relay mode is itself exposed to ACK flooding, because the IDP Series device must validate the cookie in every ACK packet it receives, and an attacker can send ACKs without ever having sent a SYN.
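    The following simulation, added here as an illustration and not Juniper code, walks through the passive and relay exchanges described in Table 1 and the ACK-flood limitation above. The cookie construction (an HMAC over the connection 4-tuple and a time epoch, truncated to 32 bits), the timeout value, the epoch length, the direction of the passive-mode reset and all addresses and packets are assumptions chosen for the example; nothing here is a documented IDP Series default.

```python
import hashlib
import hmac
from dataclasses import dataclass

MASK = 0xFFFFFFFF                  # TCP sequence and acknowledgment numbers are 32-bit
SECRET = b"example-device-secret"  # assumption: per-device key used to derive cookies
PASSIVE_TIMEOUT = 3.0              # seconds; assumed value, not a documented default
EPOCH_SECONDS = 60                 # cookie validity window; assumed value


@dataclass(frozen=True)
class Packet:
    src: str          # "ip:port"
    dst: str          # "ip:port"
    flags: str        # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    t: float = 0.0    # arrival time in seconds


def syn_cookie(src: str, dst: str, epoch: int) -> int:
    """32-bit cookie from the 4-tuple and a time epoch (assumed construction).
    Only SECRET is stored, so the device keeps no per-SYN state: the cookie is
    recomputed when the ACK arrives and compared with the acknowledgment number."""
    mac = hmac.new(SECRET, f"{src}|{dst}|{epoch}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class RelaySynProtector:
    """Relay mode: answers the SYN itself, admits the session only on a valid cookie ACK."""

    def __init__(self):
        self.sent = []            # packets the device emits
        self.established = []     # sessions handed on to the server
        self.cookie_checks = 0    # validation work per ACK: the ACK-flood exposure

    @staticmethod
    def epoch(t: float) -> int:
        return int(t) // EPOCH_SECONDS

    def handle(self, pkt: Packet) -> str:
        if pkt.flags == "SYN":
            cookie = syn_cookie(pkt.src, pkt.dst, self.epoch(pkt.t))
            # SYN/ACK on behalf of the server; the server has seen nothing yet
            self.sent.append(Packet(pkt.dst, pkt.src, "SYN/ACK",
                                    seq=cookie, ack=(pkt.seq + 1) & MASK, t=pkt.t))
            return "syn_cookie_sent"
        if pkt.flags == "ACK":
            # Accept the current and the previous epoch so a cookie issued just
            # before an epoch boundary still validates.
            for e in (self.epoch(pkt.t), self.epoch(pkt.t) - 1):
                self.cookie_checks += 1
                if (syn_cookie(pkt.src, pkt.dst, e) + 1) & MASK == pkt.ack:
                    self.established.append((pkt.src, pkt.dst))
                    return "established"
            return "dropped_bad_cookie"
        return "ignored"


class PassiveSynProtector:
    """Passive mode: lets the handshake through, resets it if no ACK arrives in time."""

    def __init__(self):
        self.pending = {}   # (client, server) -> SYN arrival time
        self.sent = []

    def handle(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst)
        if pkt.flags == "SYN":
            self.pending[key] = pkt.t
            return "monitoring"
        if pkt.flags == "ACK" and key in self.pending:
            del self.pending[key]
            return "established"
        return "ignored"

    def expire(self, now: float) -> list:
        """Periodic timer: reset half-open sessions older than PASSIVE_TIMEOUT.
        The RST is sent toward the server here (assumption about the direction)."""
        expired = [k for k, t0 in self.pending.items() if now - t0 > PASSIVE_TIMEOUT]
        for client, server in expired:
            del self.pending[(client, server)]
            self.sent.append(Packet(client, server, "RST", t=now))
        return expired


def demo() -> dict:
    """Constructed traffic: one legitimate client, a spoofed SYN flood, an ACK flood."""
    client, server = "198.51.100.7:40001", "192.0.2.10:443"
    relay = RelaySynProtector()
    relay.handle(Packet(client, server, "SYN", seq=1000, t=10.0))
    synack = relay.sent[-1]
    good = relay.handle(Packet(client, server, "ACK", seq=1001,
                               ack=(synack.seq + 1) & MASK, t=10.1))
    # SYN flood from spoofed sources that never answer: no state on device or server
    for i in range(1000):
        relay.handle(Packet(f"203.0.113.{i % 250}:{1024 + i}", server, "SYN", seq=i, t=11.0))
    # ACK flood with arbitrary acknowledgment numbers: each costs cookie checks
    acks = [relay.handle(Packet(f"203.0.113.{i % 250}:{2000 + i}", server, "ACK",
                                ack=(i * 7919) & MASK, t=12.0)) for i in range(200)]

    passive = PassiveSynProtector()
    passive.handle(Packet(client, server, "SYN", seq=5000, t=20.0))
    passive.handle(Packet("203.0.113.9:3333", server, "SYN", seq=1, t=20.0))
    passive.handle(Packet(client, server, "ACK", seq=5001, ack=1, t=20.2))
    resets = passive.expire(now=24.0)   # only the silent client is reset

    return {
        "good_client": good,
        "relay_established": len(relay.established),
        "flood_acks_admitted": acks.count("established"),
        "cookie_checks": relay.cookie_checks,
        "passive_resets": resets,
    }


if __name__ == "__main__":
    print(demo())
```

    Running demo() shows the trade-off the limitations list describes: the 1000 spoofed SYNs leave no state anywhere and no session reaches the server, but every one of the 200 bogus ACKs still forces the device to recompute and compare a cookie (two checks each, for the current and previous epoch), which is the work an ACK flood is designed to inflict.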

    Note: Relay mode might not work as expected for MPLS traffic. When the IDP engine processes MPLS traffic, it stores the MPLS label information for traffic in each direction. For traffic that matches a SYN Protector rule in relay mode, the IDP Series device sends the SYN-ACK before any traffic has reached the server, so at that point the IDP engine has no server-to-client MPLS label information and the SYN-ACK packet is sent without an MPLS label. Some MPLS routers forward an unlabeled packet into an existing MPLS tunnel; others drop such packets.

    Tip: You can use two rules to protect a large number of servers. Configure rule 1 to match the servers you do not need to protect and set Mode to None. Configure rule 2 to match any traffic and set Mode to Passive or Relay, as you prefer; rule 1 must precede rule 2 so that the exempted servers are matched first.

    Published: 2011-02-08