The TCP SYN attack, also known as a "half-open attack" or SYN flood, is an attack against TCP network connections. The attacker abuses the TCP three-way handshake so that a large number of half-open TCP connections pile up on the server. These tie up resources on the server that are then no longer available for legitimate connections.

In order to better understand how the protection works, I will first briefly recap how a normal TCP connection is set up. TCP is a connection-oriented protocol, which means that client and server have to negotiate a TCP connection before any data can be exchanged. The three-way handshake is used to establish that connection:

  • The client sends a SYN packet ("synchronise") to the server. 
  • The server replies with a SYN/ACK packet (ACK = "acknowledge") and creates a data structure called "Transmission Control Block" (TCB) for the connection in the SYN backlog. 
  • The client answers the SYN/ACK packet with an ACK packet and thus completes the handshake. After that, the connection is ready.

During a SYN flood attack, this connection setup is deliberately disrupted on a massive scale:

  • The attacker sends a SYN packet to the server and spoofs its source IP address. 
  • The server creates a transmission control block data structure for the half-open connection in the SYN backlog. The TCB occupies memory on the server, and the size of the SYN backlog is limited. 
  • The server sends a SYN/ACK packet to the spoofed IP address chosen by the attacker. 
  • Since no ACK packet ever arrives to confirm the connection, the server retransmits the SYN/ACK to the supposed client and keeps the connection in a half-open state. 
  • While the server is still waiting for a response, new SYN packets from the attacker keep arriving and have to be entered into the SYN backlog. 
  • At a certain point, there is no more space in the SYN backlog for further half-open connections. The server then discards incoming SYN packets and is no longer reachable for new connections from the outside.

With the configuration steps shown here, it is possible to protect against TCP SYN attacks for HTTP traffic. In my example, I would like to set the following values:

  • conn-max 100
  • embryonic-conn-max 200
  • per-client-embryonic-max 10
  • per-client-max 5
  • random-sequence-number enable
  • timeout embryonic 0:0:45
  • timeout half-closed 0:25:0
  • timeout tcp 2:0:0

The corresponding configuration example would look like this:

conf t
class-map tcp-syn
match port tcp eq www
policy-map PWAN
class tcp-syn
set connection conn-max 100
set connection embryonic-conn-max 200
set connection per-client-embryonic-max 10
set connection per-client-max 5
set connection random-sequence-number enable
set connection timeout embryonic 0:0:45
set connection timeout half-closed 0:25:0
set connection timeout tcp 2:0:0
exit
exit
service-policy PWAN interface WAN
exit
write memory
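To make the effect of the embryonic limits above tangible, here is an added Python model of a server-side SYN backlog (an illustrative example written for this post, not Cisco ASA code). It uses the page's values embryonic-conn-max 200, per-client-embryonic-max 10 and timeout embryonic 0:0:45, a simple integer clock, and constructed example addresses from the documentation ranges. It shows two things the bullet lists describe: unanswered spoofed SYNs filling every free slot when there is no per-client limit, and the per-client limit plus the embryonic timeout keeping room for a legitimate client.

```python
"""Toy model of a TCP SYN backlog under the ASA-style embryonic limits.

Illustrative example only: it models what the limits bound, not the ASA's
internal implementation. Time is an integer number of seconds.
"""
from dataclasses import dataclass, field

EMBRYONIC_MAX = 200             # embryonic-conn-max
PER_CLIENT_EMBRYONIC_MAX = 10   # per-client-embryonic-max
EMBRYONIC_TIMEOUT = 45          # timeout embryonic 0:0:45, in seconds


@dataclass
class SynBacklog:
    embryonic_max: int = EMBRYONIC_MAX
    per_client_max: int = PER_CLIENT_EMBRYONIC_MAX
    timeout: int = EMBRYONIC_TIMEOUT
    # half-open entries (the "TCBs"): (src_ip, src_port) -> time the SYN arrived
    half_open: dict = field(default_factory=dict)
    dropped: int = 0
    established: int = 0

    def expire(self, now):
        """Remove embryonic entries older than the timeout; returns how many."""
        stale = [k for k, t in self.half_open.items() if now - t >= self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def per_client_count(self, src_ip):
        """Number of half-open entries currently held by one source address."""
        return sum(1 for (ip, _) in self.half_open if ip == src_ip)

    def on_syn(self, src_ip, src_port, now):
        """Handshake step 1 on the server: allocate a TCB unless a limit is hit."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.half_open:
            return True  # retransmitted SYN, the entry already exists
        if len(self.half_open) >= self.embryonic_max:
            self.dropped += 1  # backlog full: SYN is discarded
            return False
        if self.per_client_count(src_ip) >= self.per_client_max:
            self.dropped += 1  # this source already holds its share of slots
            return False
        self.half_open[key] = now
        return True

    def on_ack(self, src_ip, src_port, now):
        """Handshake step 3: the half-open entry becomes an established connection."""
        self.expire(now)
        if self.half_open.pop((src_ip, src_port), None) is None:
            return False  # no matching half-open entry (expired or never existed)
        self.established += 1
        return True


def slots_held_by_unanswered_syns(backlog, source_ips, syns_per_ip, now=0):
    """Model the flood: SYNs from spoofed sources that are never followed by an ACK.

    Returns how many backlog slots those SYNs occupy afterwards.
    """
    for ip in source_ips:
        for i in range(syns_per_ip):
            backlog.on_syn(ip, 1024 + i, now)
    return len(backlog.half_open)


def flood_then_legitimate_client(per_client_max, source_ips, syns_per_ip):
    """Run a flood scenario, then check whether a legitimate client (constructed
    address 198.51.100.7) still gets a slot at t=1 and again after the timeout.

    Returns (slots held by flood, accepted at t=1, accepted after timeout,
    entries left in the backlog at the end).
    """
    backlog = SynBacklog(per_client_max=per_client_max)
    held = slots_held_by_unanswered_syns(backlog, source_ips, syns_per_ip)
    accepted_now = backlog.on_syn("198.51.100.7", 40000, now=1)
    accepted_later = backlog.on_syn("198.51.100.7", 40001, now=EMBRYONIC_TIMEOUT + 1)
    return held, accepted_now, accepted_later, len(backlog.half_open)


if __name__ == "__main__":
    # Constructed scenarios: three spoofed sources vs. one, with and without the per-client limit.
    print("per-client limit 10:", flood_then_legitimate_client(10, ["203.0.113.1", "203.0.113.2", "203.0.113.3"], 100))
    print("no per-client limit:", flood_then_legitimate_client(10**9, ["203.0.113.1"], 300))
```

With the per-client limit in place, three spoofed sources hold at most 30 of the 200 slots and the legitimate client is accepted immediately; without it, a single source fills all 200 slots and the legitimate SYN is discarded until the 45-second embryonic timeout has cleared the stale entries. Note that a flood spread over many spoofed sources can still exhaust the global limit, which is why the timeout and embryonic-conn-max matter alongside the per-client value.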