TCP Syn Flood False Positives
Hello, support was useless on this, so hoping the community can help. We host a SaaS platform where suddenly only one of our clients is having intermittent issues accessing the site. It's very odd that only this client has problems all of a sudden. Anyway, fast forward after days of troubleshooting and during a packet monitoring session we see that packets from client IPs are occasionally dropped due to SYN flood protection. If we set Syn Flood Protection Mode to "Watch and Report"...the client has no issues. Obviously, we do not want to leave it this way, so how can we determine what to adjust to stay protected but make sure the client traffic is not interrupted? Here are the current settings:
Answers
Hi @CEAdmin ,
When the flood happens from the SaaS platform, you should be able to see in the event logs items specific to the TCP Syn flood - it should give information based on the flood. From there you can adjust the Attack threshold.
I can see from the screenshot the firewall suggested value is 10641 - this is a rounded number calculated by the firewall from the traffic it's seeing in its current uptime. If the large amount of packets from the SaaS platform doesn't happen often, it might not be reflected in that number.
I can also see the attack threshold was set to 16,000 but if you are still seeing issues, you will likely need to increase that number - I would keep an eye on the event logs the next time this happens as you can get more detailed information on the TCP syn flood than you saw with the packet monitor.
Thank you, @TonyA. The odd thing is we have seen very few syn flood attacks in the actual event log, and nothing from our client IPs during this time frame. We only noticed individual packets dropping when running the packet capture. Those don't seem to end up in the event log. Here is an example of one of those packet drops (redacted IP stuff). Sometimes the # after Syn protection is different, but the rest is the same. Is there anything we can glean from this?
Ethernet Header
Ether Type: IP(0x800), Src=[x.x.x.x], Dst=[x.x.x.x]
IP Packet Header
IP Type: TCP(0x6), Src=[x.x.x.x], Dst=[x.x.x.x]
TCP Packet Header
TCP Flags = [SYN,], Src=[30486], Dst=[443], Checksum=0xdd1f
Application Header
HTTPS
Value:[0]
DROPPED, Drop Code: 84(Syn Flood Protection(#1)), Module Id: 25(network), (Ref.Id: _3217_uyHtJcpfngKrRmv) 1:1)
What's the logging level set in the event logs? If not on inform, change it to inform as it should give more info.
Current level:
It is set to inform so that's good. The best path here is to test attack threshold values and find a balance. Unfortunately there is no exception list feature with TCP floods so the only way I can see forward is finding an attack threshold value that would allow that traffic fine.
It is odd that it's only one client that's having this issue. There might be an issue with the way their traffic is forwarded to you that's causing a sudden large burst of packets.
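Added example (not from the thread or the firewall vendor): a small parser for capture records in the layout quoted above that tallies Drop Code 84 per source IP and the peak SYNs per second, so a candidate attack threshold can be compared against the client's real burst rate. The "Time:" field, addresses and packet mix are constructed assumptions, not an actual export.

```python
import re
from collections import Counter

def record(t, src, flags, dropped=False):
    """Constructed capture record in the layout quoted in the thread.
    'Time:' is an assumed field; the real export's timestamp line may differ."""
    lines = [f"Time: {t}", "Ethernet Header",
             "Ether Type: IP(0x800), Src=[00:00:00:00:00:01], Dst=[00:00:00:00:00:02]",
             "IP Packet Header", f"IP Type: TCP(0x6), Src=[{src}], Dst=[203.0.113.10]",
             "TCP Packet Header",
             f"TCP Flags = [{flags},], Src=[30486], Dst=[443], Checksum=0xdd1f"]
    if dropped:
        lines.append("DROPPED, Drop Code: 84(Syn Flood Protection(#1)), Module Id: 25(network)")
    return "\n".join(lines)

# Constructed sample: one client bursts four SYNs inside one second, two get dropped.
SAMPLE = "\n".join([record(100.0, "198.51.100.7", "SYN"), record(100.2, "198.51.100.7", "SYN"),
                    record(100.4, "198.51.100.7", "SYN", dropped=True),
                    record(100.6, "198.51.100.7", "SYN", dropped=True),
                    record(101.1, "198.51.100.8", "SYN"), record(101.3, "198.51.100.7", "ACK")])

IP_RE = re.compile(r"^IP Type: .*?Src=\[([^\]]+)\]")
TCP_RE = re.compile(r"^TCP Flags = \[([^\]]*)\].*?Dst=\[(\d+)\]")
DROP_RE = re.compile(r"^DROPPED, Drop Code: (\d+)\((.*)\), Module")
SYN_FLOOD_DROP = 84  # drop code shown in the capture quoted above

def parse_packets(text):
    """Split capture text into per-packet dicts; each packet starts at its 'Time:' line."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Time:"):
            cur = {"time": float(line[5:]), "src": None, "flags": (), "dport": None, "drop_code": None}
            packets.append(cur)
        elif cur is None:
            continue
        elif m := IP_RE.match(line):
            cur["src"] = m.group(1)
        elif m := TCP_RE.match(line):
            cur["flags"] = tuple(f for f in m.group(1).split(",") if f)
            cur["dport"] = int(m.group(2))
        elif m := DROP_RE.match(line):
            cur["drop_code"] = int(m.group(1))
    return packets

def syn_flood_drops_by_source(packets):
    """Count packets dropped by SYN flood protection, per source IP."""
    return Counter(p["src"] for p in packets if p["drop_code"] == SYN_FLOOD_DROP)

def peak_syn_rate(packets, src=None):
    """Highest count of pure SYNs (no ACK) in any one-second bucket, optionally for one source."""
    buckets = Counter(int(p["time"]) for p in packets
                      if "SYN" in p["flags"] and "ACK" not in p["flags"]
                      and (src is None or p["src"] == src))
    return max(buckets.values(), default=0)
```

Running this over a real export of the client's traffic (with the timestamp line adapted to the actual format) shows the per-second SYN peak the threshold must exceed for that client to pass.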