According to the working principle of TCP/IP, only a certain amount of TCP/IP connections are allowed. Attackers exploit this to launch TCP flood attacks, which are divided into two types:
- SYN flood attacks
An attacker sends too many SYN packets to a target server for processing, exhausting the server’s resources and making the server unresponsive to legitimate traffic.
- ACK flood attacks
An attacker sends a target server too many ACK packets for processing, exhausting the server’s resources and making the server unresponsive to legitimate traffic.
The TCP flood protection function does not work on NSFOCUS WAF in mirroring mode. The TCP flood protection policy protects against SYN Flood attacks and ACK flood attacks based on thresholds specified for the two types of attacks.
NSFOCUS WAF counts the number of packets from each client per second. If the number of packets from a client exceeds the threshold, NSFOCUS WAF determines that an attack occurs, and starts protection against the attack.
To configure TCP flood protection on NSFOCUS WAF, follow these steps:
1. Enable TCP Flood Protection.
The Policy Enable-Disable module controls whether to enable or disable Network-Layer Access Control, TCP Flood Protection, ARP Spoofing Protection, ADS Collaboration, Transparent Transmission Protection and Reuse of TCP Sequence Number of Client. To make a specific policy take effect, you must first enable this policy.
Choose Security Management > Network-Layer Protection > Policy Enable-Disable, and click in the Operation column.
2. Configure TCP Flood Protection.
Choose Security Management > Network-Layer Protection > TCP Flood Protection, edit TCP flood protection parameters, and click OK.
Parameters for editing the TCP flood protection policy:
TCP flood protection logs can be viewed under Logs & Reports > Security Protection Logs > DDoS Protection Logs.