Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring SYN Protector Rulebase Rules (NSM Procedure)

    The SYN-Protector rulebase triggers actions when the IDP engine detects traffic that has properties of SYN-flood attacks.

    Figure 1 shows the SYN Protector rulebase in the NSM security policy editor, where you can modify SYN Protector rules. Table 1 describes the rule settings you can configure.

    Figure 1: NSM Security Policy Editor: SYN Protector Rulebase

    Image s036705.gif

    To create SYN Protector rulebase rules:

    1. In the NSM navigation tree, select Policy Manager > Security Policies.
    2. Select the security policy to which you want to add SYN Protector rulebase rules.
    3. Add the SYN Protector rulebase by clicking the + icon in the upper right region of the policy viewer and selecting Add SYN Protector Rulebase.
    4. Add a rule by clicking the + icon within the rules viewer.
    5. Modify settings by right-clicking the table cell for the setting and making your selection.
    6. Click OK to save your changes.

    Table 1: SYN Protector Rulebase Rule Properties




    Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection.


    Sets match criteria for source, destination, and service.

    Note: We recommend that you do not change the default setting in the Services field: TCP-Any.


    None–Turns off the SYN Protector rule.

    Passive–Enables passive mode. In passive mode, the IDP system monitors session startup. If the client does not send an ACK within a timeout period, the IDP engine sends a TCP reset.

    Relay–Enables relay mode. In relay mode, the IDP system performs the three-way handshake with the client host on behalf of the server. Relay mode guarantees that the server allocates resources only to connections that are already in an ESTABLISHED state. The relay is transparent to both the client host and the server.

    Note: Relay mode might not work as expected for MPLS traffic. When the IDP engine processes MPLS traffic, it stores the MPLS label information for traffic in each direction. In the case of traffic that matches SYN Protector rules in relay mode, the IDP system is programmed to send a SYN-ACK before the traffic has reached the server. In these cases, the IDP engine does not have server-to-client MPLS label information. Therefore, the SYN-ACK packet does not include an MPLS label. Some MPLS routers can add packets without a label to an existing MPLS tunnel; others drop such packets.


    Sets logging options.

    Note: Packet capture is not available for SYN Protector rulebase rules.

    VLAN Tag

    Sets match criteria for VLAN tags.


    Sets severity ratings.

    Install On

    Specifies target IDP Series devices for the rule. By default, IDP security policy rules can be applied to any IDP Series device. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP Series devices to which the rule can be installed.


    Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule. Comments do not affect the functionality of the security policy rule.

    When the SYN Protector rulebase is enabled, the IDP engine detects traffic that exceeds the traffic thresholds you set as runtime parameters. Figure 2 shows the SYN protector detection settings in the NSM Device Manager configuration editor.

    Figure 2: NSM Device Manager: Sensor Settings > Run-Time Parameters

    Image s036725.gif

    Published: 2011-02-08