Description of ADS Attack Logs: SYN Flood Logs (Part 1)

July 20, 2023 | NSFOCUS

Introduction to SYN Flood

A three-way handshake is required to establish a TCP connection. First, the client sends a TCP SYN packet to the server. The server responds to the client request with a SYN-ACK packet. Then the server waits for an ACK packet from the client. At this time, the connection is in the SYN_RECV state. The TCP connection remains half-open until the server receives an ACK packet from the client or the TCP timer times out.

The server can handle a limited number of concurrent half-open connections, for it has limited resources. In SYN flood attacks, attackers send a large number of SYN packets with forged source IP addresses and ports to the targeted server. An overwhelming number of half-open connections will exhaust the server’s resources, and eventually, the server cannot respond to requests from legitimate clients, leading to a denial of service.

Description of SYN Flood Protection Logs

  1. Invalid_SYN_Packet

Choose Policy > Anti-DDoS > Protection Groups > Protection Groups, and enable Invalid SYN Packet Filtering.

Invalid SYN packets will be filtered out, such as 64-byte SYN packets.

When attack traffic is generated, packets are captured in ADS. In the example, you can see that the TCP header does not contain the option field. This type of SYN packet is called a malformed packet. After the Invalid SYN Packet Filtering policy is triggered, the SYN packet is dropped.

Choose Logs > Attack Log > Attack Details to view log details, and you can see that the Invalid_SYN_Packet policy is triggered.

On the Real-Time Monitoring page, you can see that the traffic is dropped.

  2. Port_Check

After the port check policy is configured and the port check function is enabled, the system checks the data arriving at the specified port and continues to process the data arriving at other ports by using other algorithms in Protection Groups.

Choose Policy > Protection Groups > Protection Groups, and configure the port check policy.

When attack traffic is generated, packets are captured in ADS. The destination ports of these packets are the same as the ports in the above-mentioned port check policy.

If the ADS port check policy is matched, choose Logs > Attack Log > Attack Details to view log details, and you can see that the Port_Check policy is triggered.

On the Real-Time Monitoring page, you can see that the traffic is dropped.
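As an added illustration of the two log types above (not code from NSFOCUS ADS), the following Python builds constructed raw TCP headers and classifies a SYN the way the two policies would log it: a SYN whose data offset is 5 words (a 20-byte header with no option field, which is what the 64-byte SYN mentioned above carries) is reported as Invalid_SYN_Packet, and a SYN whose destination port is in an assumed set of port-check ports is reported as Port_Check. The page does not describe the port check algorithm itself, so the example only records that the policy matched.

```python
import struct

TCP_SYN = 0x002  # SYN bit in the 9-bit flags field of the TCP header
MSS_OPTION = b"\x02\x04\x05\xb4"  # kind=2 (MSS), len=4, value=1460; a normal SYN carries this


def build_tcp_header(src_port, dst_port, flags, options=b""):
    """Build a constructed raw TCP header (RFC 793 layout, no IP layer).

    The data offset counts 32-bit words and includes any options, so a
    header without options has data offset 5 (20 bytes).
    """
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4
    off_flags = (data_offset << 12) | (flags & 0x1FF)
    fixed = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 0, off_flags, 65535, 0, 0)
    return fixed + options


def parse_tcp_header(raw):
    """Parse the fixed 20-byte TCP header and return the fields the checks need."""
    src, dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = off_flags >> 12
    return {
        "src_port": src,
        "dst_port": dst,
        "flags": off_flags & 0x1FF,
        "data_offset": data_offset,
        "options": raw[20:data_offset * 4],
    }


def classify_syn(raw, checked_ports):
    """Return the ADS policy name that would appear in the attack log, or None.

    checked_ports is an assumed set of ports configured in the port check policy.
    """
    hdr = parse_tcp_header(raw)
    if not hdr["flags"] & TCP_SYN:
        return None  # only SYN packets are subject to these two policies
    if hdr["data_offset"] == 5:
        return "Invalid_SYN_Packet"  # no option field: the malformed SYN the page describes
    if hdr["dst_port"] in checked_ports:
        return "Port_Check"
    return None


if __name__ == "__main__":
    ports = {80}
    for pkt in (build_tcp_header(40000, 80, TCP_SYN), build_tcp_header(40000, 80, TCP_SYN, MSS_OPTION)):
        print(len(pkt), "byte TCP header ->", classify_syn(pkt, ports))
```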