
How to Prevent a SYN Flood Attack

  • Carlos Carvajal

One of the most common types of denial-of-service (DoS) attacks is the SYN flood, which can disrupt the normal functioning of a network by flooding servers with fake connection requests.

What is a SYN Flood Attack?

A SYN flood attack is a form of denial-of-service (DoS) attack that targets the way computers connect to each other over the internet. When one computer (the client) wants to talk to another (the server), it starts by sending a “SYN” (synchronize) request. The server replies with a “SYN-ACK” (synchronize-acknowledge) response. The client then completes the connection by sending back an “ACK” (acknowledgement) message.

The attacker overwhelms the server with many SYN requests. The server responds to each with a SYN-ACK and allocates state for the pending connection; however, the attacker never sends the final ACK. The server keeps waiting for ACKs that never arrive, and each half-open connection ties up resources. Once the backlog of half-open connections fills the server's connection capacity, it can no longer accept legitimate requests, resulting in a denial of service (DoS).

As the targeted server becomes overwhelmed and unresponsive, the attack disrupts legitimate user access. This results in downtime, loss of service, and potential damage to the company's reputation. In high-traffic environments, such as online retailers and online banking, the attack strains network resources, degrades performance, and leads to customer dissatisfaction.

How to Spot a SYN Flood Attack

  • High Volume of Incoming SYN Packets: An unexpected spike in SYN packets is a prime sign of a SYN flood. This is the main characteristic of the attack, where the attacker floods the server with SYN requests. 
  • Unusually High Number of Half-Open TCP Connections: The target server will accumulate many incomplete connections, where the server is waiting for the final step of the handshake to complete, but the client never responds with the final ACK. 
  • Resource Exhaustion: SYN flood attacks often lead to resource exhaustion on the target server, as it is forced to allocate memory and connection-table entries for each incomplete connection.
  • Unusual Source IPs or IP Spoofing: Attackers often spoof the source IP addresses in a SYN flood; this leads to a high number of unique or suspicious IP addresses sending SYN requests to the target. 
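The four indicators above can be computed from a stream of handshake events seen at the server. The following added example (not Forcepoint's code or part of the original post) walks a constructed list of packet summaries of the form (timestamp, source IP, destination port, TCP flags), tracks which sources have sent a SYN without a completing ACK, measures the peak SYN rate in a sliding window, and counts distinct SYN sources. The thresholds and the event format are assumptions chosen for illustration.

```python
"""Compute SYN-flood indicators from TCP handshake events (added example).

Events are (timestamp_seconds, src_ip, dst_port, flags) where flags is
"S" (SYN), "SA" (SYN-ACK, the server's own reply) or "A" (ACK).
Thresholds are illustrative assumptions, not values from the article.
"""

# Constructed sample: one legitimate client completes its handshake,
# then 80 distinct sources each send a SYN and never send the final ACK,
# the pattern of a spoofed-source SYN flood.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", 443, "S"),
    (0.01, "10.0.0.5", 443, "A"),  # third step: handshake completed
]
SAMPLE_EVENTS += [
    (0.02 + i * 0.001, f"203.0.113.{i}", 443, "S") for i in range(1, 81)
]


def analyze(events, window=1.0, syn_rate_threshold=50, half_open_threshold=40):
    """Return SYN-flood indicators computed from the server's point of view.

    peak_syn_rate      most SYNs observed within any `window` seconds
    half_open          sources that sent a SYN but never the completing ACK
    unique_syn_sources distinct source IPs that sent SYNs
    alerts             which indicator thresholds were crossed
    """
    syn_times = []
    pending = {}        # (src, port) -> time of the SYN still awaiting its ACK
    syn_sources = set()

    for ts, src, port, flags in sorted(events):
        key = (src, port)
        if flags == "S":
            syn_times.append(ts)
            syn_sources.add(src)
            pending.setdefault(key, ts)   # a new half-open connection
        elif flags == "A":
            pending.pop(key, None)        # handshake finished, no longer half-open
        # "SA" is the server's reply and does not change the half-open table

    # Sliding-window peak: for each SYN, count the SYNs in the preceding window.
    peak = 0
    start = 0
    for i, t in enumerate(syn_times):
        while syn_times[start] < t - window:
            start += 1
        peak = max(peak, i - start + 1)

    alerts = []
    if peak >= syn_rate_threshold:
        alerts.append("high SYN rate")
    if len(pending) >= half_open_threshold:
        alerts.append("many half-open connections")

    return {
        "peak_syn_rate": peak,
        "half_open": len(pending),
        "unique_syn_sources": len(syn_sources),
        "alerts": alerts,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

On the constructed sample the legitimate client is removed from the half-open table once its ACK arrives, while the 80 spoofed sources remain, so both the rate and the half-open alerts fire. In practice the same logic runs over firewall or packet-capture exports, with thresholds set from a baseline of normal SYN rates for the server.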

Preventing a SYN Flood Attack

While Forcepoint offers numerous security capabilities, such as traffic behavior analysis and deep packet inspection (DPI) to analyze the content of incoming traffic and monitor overall network activity, we also provide specific features that protect against SYN Flood Attacks. These features include:

  • Rate-Based DoS Protection: This limits the number of incoming SYN requests per second, helping to prevent SYN flood attacks by automatically blocking traffic that exceeds predefined policy thresholds, ensuring the server isn't overwhelmed by too many requests.
  • Limit for Half-Open TCP Connections: This feature sets a threshold for the number of incomplete connections the firewall will allow, preventing the server from becoming flooded with half-open connections, which is a typical result of a SYN flood attack.
  • Slow HTTP Request Sensitivity: This detects slow or delayed HTTP requests, which are sometimes used in combination with SYN floods to exhaust server resources. It helps to identify and block malicious traffic that attempts to tie up server resources with slow, incomplete HTTP transactions.
  • SYN Flood Sensitivity: By specifically targeting SYN flood attacks, this feature detects unusually high rates of SYN packets and automatically triggers defenses to block or mitigate the attack, preventing the server from being overwhelmed with half-open connections.
  • Slow HTTP Request Blacklist Timeout: When slow or malicious HTTP requests are detected, this feature adds offending IPs to a blacklist for a specified timeout period, preventing them from making further connections and mitigating the impact of SYN floods and other slow attacks.
  • TCP Reset Sensitivity: This feature can detect abnormal TCP session resets (RST packets) and automatically reset malicious or incomplete connections, closing half-open sessions caused by SYN flood attacks and freeing up server resources.
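Two of the controls listed above, rate-based SYN limiting and a cap on half-open connections with a timeout, can be shown in a small model of a filtering device. The example below is added here and is not Forcepoint's implementation; the class name SynGuard, the event format (timestamp, source IP, flags), the thresholds and the constructed flood are all assumptions. It counts every arriving SYN against a one-second sliding window, refuses new half-open entries once the table is full, and ages out half-open entries that never complete, which is what frees capacity for legitimate clients after a flood.

```python
"""Model of SYN-rate limiting and a half-open connection cap (added example)."""
from collections import deque


class SynGuard:
    """Filters SYNs by arrival rate and bounds the half-open table (assumed design)."""

    def __init__(self, max_syn_per_sec=50, max_half_open=30, half_open_timeout=3.0):
        self.max_syn_per_sec = max_syn_per_sec
        self.max_half_open = max_half_open
        self.half_open_timeout = half_open_timeout
        self.syn_times = deque()   # arrival times of SYNs seen in the last second
        self.half_open = {}        # src -> time its SYN was admitted, awaiting ACK
        self.stats = {"syn_accepted": 0, "rate_dropped": 0,
                      "table_full": 0, "expired": 0}

    def _expire(self, now):
        """Age out stale half-open entries and slide the one-second SYN window."""
        stale = [s for s, t in self.half_open.items() if now - t > self.half_open_timeout]
        for s in stale:
            del self.half_open[s]
        self.stats["expired"] += len(stale)
        while self.syn_times and self.syn_times[0] <= now - 1.0:
            self.syn_times.popleft()

    def handle(self, now, src, flags):
        """Return 'accept' or a 'drop:<reason>' verdict for one packet."""
        self._expire(now)
        if flags == "S":
            self.syn_times.append(now)   # every arriving SYN counts toward the rate
            if len(self.syn_times) > self.max_syn_per_sec:
                self.stats["rate_dropped"] += 1
                return "drop:rate"
            if src not in self.half_open and len(self.half_open) >= self.max_half_open:
                self.stats["table_full"] += 1
                return "drop:half-open-limit"
            self.half_open.setdefault(src, now)
            self.stats["syn_accepted"] += 1
            return "accept"
        if flags == "A":
            self.half_open.pop(src, None)   # handshake completed
        return "accept"


def run_simulation():
    """Constructed scenario: 100 spoofed SYNs in half a second, then one
    legitimate client five seconds later. Returns (stats, half_open_count)."""
    guard = SynGuard()
    for i in range(100):
        guard.handle(i * 0.005, f"198.51.100.{i}", "S")   # flood, never ACKed
    guard.handle(5.00, "10.0.0.5", "S")                  # legitimate client
    guard.handle(5.01, "10.0.0.5", "A")
    return dict(guard.stats), len(guard.half_open)


if __name__ == "__main__":
    print(run_simulation())
```

In the simulated flood the first 30 SYNs fill the half-open table, the next 20 are refused by the table cap, and the remainder exceed the per-second rate limit. By the time the legitimate client connects, the timeout has expired every stale entry, so its handshake completes normally. Real devices combine these limits with source reputation and baselining, but the ordering of the checks and the need for a timeout are the same.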

By analyzing patterns and baselines for legitimate traffic, Forcepoint detects anomalies such as a surge in SYN requests or unusual request sources. When suspicious activity is detected, the system automatically flags potential SYN flood attempts, enabling prompt action to prevent damage before it can escalate.


    Carlos Carvajal

    Carlos Carvajal, Senior Product Marketing Manager at Forcepoint for SD-WAN and Advanced Threat Protection solutions, brings 15 years of expertise delivering enterprise solutions, including cloud security, AIOps, and industrial printing. He has held senior positions at IBM and Canon and holds an MBA degree from Syracuse University.
