D-Link DFL-1600 User Manual page 67

Network security firewall

8.2. Services
a good idea, since it may leave the protected network vulnerable to many
types of attacks, DoS (Denial of Service) in particular.
To solve this problem, D-Link firewalls can be configured to pass an ICMP
error message only if it is related to an existing connection of a service.
SYN flood protection (SYN Relay)
A mechanism called "SYN Relay" can be enabled in the firewall to protect
the destination addresses used by a service from SYN flooding.
The SYN flood attack is launched by sending TCP connection requests
faster than a machine can process them. The attacker sends SYN requests
to a server with spoofed source addresses, which will never reply to the
server's SYN/ACK. Each SYN request enters a new TCP connection into
the server's connection table; when all the connections in the table are
waiting for replies and the table is full, the server will not accept any new
incoming requests. The requests from legitimate users are then ignored.
The "SYN Relay" mechanism counters the attack by hiding the protected
server behind the firewall. The firewall receives the SYN request and makes
sure that the connection is valid (that is, the source answers the firewall's
SYN/ACK) before sending a SYN packet to the server. If, after a certain
time, no ACK is received by the firewall, the connection is aborted.
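As an added illustration that is not part of the manual, the following Python model walks through the SYN Relay exchange described above: the firewall answers each client SYN itself, forwards a SYN to the server only after the client's ACK arrives, and aborts half-open entries that never receive an ACK within a timeout. The addresses, the timeout value and the class name are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class SynRelay:
    """Constructed model of a SYN-relaying firewall (not D-Link code)."""
    timeout: float = 5.0                              # seconds to wait for the client's ACK
    pending: dict = field(default_factory=dict)       # (src, sport) -> time SYN/ACK was sent
    server_syns: list = field(default_factory=list)   # handshakes actually relayed to the server
    aborted: list = field(default_factory=list)       # half-open entries dropped by the firewall

    def on_client_syn(self, src, sport, now):
        # The firewall replies SYN/ACK on the server's behalf; the server sees nothing yet,
        # so a spoofed source cannot occupy a slot in the server's connection table.
        self.pending[(src, sport)] = now
        return ("SYN/ACK", src, sport)

    def on_client_ack(self, src, sport, now):
        key = (src, sport)
        sent = self.pending.pop(key, None)
        if sent is None or now - sent > self.timeout:
            # No matching half-open handshake, or the wait exceeded the timeout: abort
            self.aborted.append(key)
            return None
        # The source proved it can complete the handshake; only now contact the server
        self.server_syns.append(key)
        return ("SYN", key)

    def expire(self, now):
        # Periodic cleanup: drop entries whose source never answered the SYN/ACK
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]
            self.aborted.append(k)
        return len(stale)

def simulate():
    """Constructed traffic: 1000 spoofed SYNs that never ACK, plus one legitimate client."""
    relay = SynRelay(timeout=5.0)
    for i in range(1000):
        relay.on_client_syn(f"203.0.113.{i % 250}", 10000 + i, now=0.0)
    relay.on_client_syn("198.51.100.7", 40000, now=0.1)
    relay.on_client_ack("198.51.100.7", 40000, now=0.2)
    expired = relay.expire(now=6.0)
    # (SYNs relayed to server, spoofed entries expired, entries still half-open)
    return len(relay.server_syns), expired, len(relay.pending)
```

Running `simulate()` shows that only the one legitimate handshake reaches the server while all 1000 spoofed requests are absorbed and expired by the firewall.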
Application Layer Gateway (ALG)
An application layer gateway can be specified to handle different services.
More information can be found in 18 Application Layer Gateway (ALG).
For an ALG-enabled service, the maximum number of sessions permitted
through that service can be defined.
D-Link Firewalls User's Guide
