Stopping Syn Flood Attacks - Watchguard Firebox X1000 User Manual


network. Although there is some gain to leaving IP options
enabled, the risk generally outweighs the benefit.
From Policy Manager:
1. On the toolbar, click the Default Packet Handling icon.
   You can also, from Policy Manager, select Setup => Intrusion
   Prevention => Default Packet Handling.
   The Default Packet Handling dialog box appears.
2. Select the checkbox marked Block IP Options.

Stopping SYN Flood attacks

A SYN Flood attack is a type of Denial of Service (DoS)
attack that seeks to prevent your public services (such as
email and Web servers) from being accessible to users on
the Internet.
To understand how SYN Flood works, consider a normal
TCP connection. A user tries to connect by way of a Web
browser to your server by sending what is called a SYN
segment. Your Web server acknowledges the browser by
sending what is called a SYN+ACK segment. When the
browser sees the SYN+ACK, it sends an ACK segment. The
server is ready to accept the URL request from the browser
when it sees the ACK segment. However, until the ACK
segment has been received, the server is "stuck"; it knows
the browser wants to communicate, but the connection is
not yet established. Many servers in use today can handle
only a finite number of these half-way completed connections
at a time. They are stored in a backlog until they are
completed or time out. When the server's backlog is full,
no new connections can be accepted.
A SYN Flood attack attempts to fill up the victim server's
backlog by sending a flood of SYN segments without ever
sending an ACK. When the backlog fills up, the server will
be unavailable to users.
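
The half-open state described above can be watched for from the defender's side. The following is an added example, not code from the manual or from WatchGuard: it counts SYN segments that have not yet been followed by the client's ACK, per server, and reports when that count passes a threshold. The class and function names, the 30-second timeout, the threshold of 10 and the sample records are all assumptions made for illustration.

```python
SYN, ACK = 0x02, 0x10  # TCP flag bits


class HalfOpenTracker:
    """Counts SYNs not yet followed by the client's ACK, per protected server."""

    def __init__(self, threshold, timeout=30.0):
        self.threshold = threshold  # assumed: allowed pending handshakes per server
        self.timeout = timeout      # assumed: seconds before a pending entry expires
        self.pending = {}           # (src, sport, dst, dport) -> time of first SYN

    def observe(self, ts, src, sport, dst, dport, flags):
        """Feed one client-to-server segment; True if dst is over the threshold."""
        # Drop entries that have timed out, as a server's backlog would.
        self.pending = {k: t for k, t in self.pending.items()
                        if ts - t < self.timeout}
        key = (src, sport, dst, dport)
        if flags & SYN and not flags & ACK:
            self.pending.setdefault(key, ts)  # a retransmitted SYN counts once
        elif flags & ACK:
            self.pending.pop(key, None)       # handshake completed
        return self.half_open(dst, dport) > self.threshold

    def half_open(self, dst, dport):
        return sum(1 for (_, _, d, p) in self.pending if (d, p) == (dst, dport))


def replay(packets, threshold, timeout=30.0):
    """Return ({server: time the threshold was first exceeded}, tracker)."""
    tracker, alerts = HalfOpenTracker(threshold, timeout), {}
    for ts, src, sport, dst, dport, flags in packets:
        if tracker.observe(ts, src, sport, dst, dport, flags):
            alerts.setdefault((dst, dport), ts)
    return alerts, tracker


# Constructed sample records (documentation addresses, not from the manual).
SERVER = ("192.0.2.10", 80)
normal = [(0.0, "198.51.100.7", 40000, *SERVER, SYN),   # browser opens...
          (0.5, "198.51.100.7", 40000, *SERVER, ACK)]   # ...and completes
flood = [(1 + i * 0.5, f"203.0.113.{i}", 1024 + i, *SERVER, SYN)
         for i in range(1, 21)]                         # 20 SYNs, no ACK ever

if __name__ == "__main__":
    alerts, tracker = replay(normal + flood, threshold=10)
    print(alerts, tracker.half_open(*SERVER))
```
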
The WatchGuard Firebox System can help defend your
servers against a SYN Flood attack by tracking the number
of SYNs that are sent without a following ACK. If this
number exceeds the threshold you define, the SYN Flood