Firewall Settings > Flood Protection
740
SonicOS 5.8.1 Administrator Guide
SACK (Selective Acknowledgment) – This parameter controls whether or not Selective
ACK is enabled. With SACK enabled, a packet or series of packets can be dropped, and
the receiver informs the sender which data has been received and where holes may exist
in the data.
MSS (Minimum Segment Size) – This sets the threshold for the size of TCP segments,
preventing a segment that is too large from being sent to the targeted server. For example, if the
server is an IPsec gateway, it may need to limit the MSS it receives to provide space for
IPsec headers when tunneling traffic. The firewall cannot predict the MSS value sent to the
server when it responds to the manufactured SYN packet during the proxy sequence. Being
able to control the size of a segment enables you to control the manufactured MSS value
sent to WAN clients.
The SYN Proxy Threshold region contains the following options:
All LAN/DMZ servers support the TCP SACK option – This checkbox enables Selective
ACK where a packet can be dropped and the receiving device indicates which packets it
received. Enable this checkbox only when you know that all servers covered by the firewall
accessed from the WAN support the SACK option.
Limit MSS sent to WAN clients (when connections are proxied) – Enables you to enter
the maximum Minimum Segment Size value. If you specify an override value for the default
of 1460, this indicates that a segment of that size or smaller will be sent to the client in the
SYN/ACK cookie. Setting this value too low can decrease performance when the SYN
Proxy is always enabled. Setting this value too high can break connections if the server
responds with a smaller MSS value.
Maximum TCP MSS sent to WAN clients – The value of the MSS. The default is 1460.
Note: When using Proxy WAN client connections, remember to set these options conservatively
since they only affect connections when a SYN Flood takes place. This ensures that
legitimate connections can proceed during an attack.
Always log SYN packets received – Logs all SYN packets received.
Configuring Layer 2 SYN/RST/FIN Flood Protection
The SYN/RST/FIN Blacklisting feature is a list that contains devices that exceeded the SYN,
RST, and FIN Blacklist attack threshold. The firewall device drops packets sent from blacklisted
devices early in the packet evaluation process, enabling the firewall to handle greater amounts
of these packets, providing a defense against attacks originating on local networks while also
providing second-tier protection for WAN networks.
A device cannot be on the SYN/RST/FIN Blacklist and the watchlist simultaneously. With
blacklisting enabled, the firewall removes devices exceeding the blacklist threshold from the
watchlist and places them on the blacklist. Conversely, when the firewall removes a device from
the blacklist, it places it back on the watchlist. Any device whose MAC address has been placed
on the blacklist is removed from it approximately three seconds after the flood emanating
from that device has ended.
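The watchlist/blacklist transitions described above, modelled as an added example (not SonicOS code): a per-MAC counter of SYN/RST/FIN packets moves a device from the watchlist to the blacklist when it exceeds the threshold, blacklisted sources are dropped before further evaluation, and a device returns to the watchlist about three seconds after its flood ends. The one-second sliding window, the threshold of 5, and the packet events are constructed assumptions.

```python
# Toy model of the Layer 2 SYN/RST/FIN blacklist/watchlist behaviour; constructed example, not SonicOS's algorithm.
from collections import defaultdict, deque

SYN_RST_FIN = {"SYN", "RST", "FIN"}

class L2FloodBlacklist:
    RELEASE_AFTER = 3.0  # seconds after a flood ends before a MAC leaves the blacklist
    def __init__(self, threshold, window=1.0):
        self.threshold, self.window = threshold, window  # packets per window (assumption)
        self.recent = defaultdict(deque)  # mac -> timestamps of counted SYN/RST/FIN packets
        self.watchlist = set()            # MACs being tracked
        self.blacklist = {}               # mac -> last time its rate exceeded the threshold

    def _rate(self, mac, now):
        q = self.recent[mac]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def _release_expired(self, now):
        for mac in [m for m, t in self.blacklist.items() if now - t >= self.RELEASE_AFTER]:
            del self.blacklist[mac]
            self.watchlist.add(mac)       # back on the watchlist; never on both lists

    def handle(self, now, mac, flags):
        """Return 'drop' or 'pass' for one packet and update both lists."""
        self._release_expired(now)
        if not flags & SYN_RST_FIN:
            return "pass"                 # other packets do not count toward the threshold
        self.recent[mac].append(now)
        flooding = self._rate(mac, now) > self.threshold
        if mac in self.blacklist:
            if flooding:
                self.blacklist[mac] = now  # flood still ongoing: restart the release timer
            return "drop"                 # early drop, before full packet evaluation
        if flooding:
            self.watchlist.discard(mac)   # moved from watchlist to blacklist
            self.blacklist[mac] = now
            return "drop"
        self.watchlist.add(mac)
        return "pass"

def simulate(events, threshold=5):
    fw = L2FloodBlacklist(threshold)
    verdicts = [fw.handle(t, mac, flags) for t, mac, flags in events]
    return verdicts, sorted(fw.watchlist), sorted(fw.blacklist)
# Constructed traffic: MAC "aa" floods SYNs; MAC "bb" opens one normal connection.
EVENTS = [(i / 10, "aa", {"SYN"}) for i in range(7)] + [
    (0.8, "bb", {"SYN"}), (0.9, "bb", {"ACK"}),
    (2.0, "aa", {"SYN"}),   # the flood has ended but "aa" is still blacklisted
    (3.7, "aa", {"SYN"})]   # ~3 s after the flood ended: released, back on the watchlist
```

Running `simulate(EVENTS)` shows the sixth SYN from "aa" triggering the blacklist, the later lone SYN still dropped, and the final SYN passing once the device is back on the watchlist.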