TCP Attack Defense Policy
SYN Flood Attack Defense
If you select this item, SYN source detection is used to defend against SYN flood attacks.
SYN source detection works by replying to the SYN with a SYN-ACK packet sent to the packet's source IP address and observing whether that address answers. The acknowledgment number in the SYN-ACK is constructed by the device rather than being the SYN's sequence number plus 1. A real client's TCP stack treats such a SYN-ACK as unacceptable and answers it with an RST packet, whereas a spoofed source never answers; only sources that answer are treated as genuine.
If a firewall sits between the real source IP address and AntiDDoS and that firewall strictly checks TCP connection state, including sequence and acknowledgment numbers, it discards the SYN-ACK detection packet, so the real client never answers and normal services are affected. In this case, deselect this item and instead enable discarding of the first SYN packet on the device through the CLI to defend against SYN flood attacks.
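The following is an added illustration, not the AntiDDoS device's code: it models the SYN-ACK probe exchange above as a small simulation with a client TCP stack in SYN-SENT (RFC 793 processing reduced to the acknowledgment-number check), an optional strict stateful firewall in the path, and the device-side verdict. The addresses, initial sequence numbers and the offset used to build the bogus acknowledgment number are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF


@dataclass
class Seg:
    """Minimal TCP segment: only the fields the probe exchange depends on."""
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "RST" or "ACK"
    seq: int
    ack: int = 0


def build_probe(syn: Seg, device_isn: int) -> Seg:
    """Device-side SYN-ACK probe answering a client SYN.

    The acknowledgment number is chosen by the device and is deliberately not
    syn.seq + 1 (the offset below is an arbitrary illustrative choice), so a
    real stack in SYN-SENT treats it as unacceptable."""
    bogus_ack = (syn.seq + 1 + 0x7FFF0000) & MASK32
    if bogus_ack == (syn.seq + 1) & MASK32:      # cannot happen with a non-zero offset
        raise RuntimeError("probe ack must differ from seq+1")
    return Seg(src=syn.dst, dst=syn.src, flags="SYN-ACK", seq=device_isn, ack=bogus_ack)


def client_in_syn_sent(seg: Seg, client_isn: int) -> Optional[Seg]:
    """RFC 793 SYN-SENT processing reduced to the ACK check.

    An ACK that is not exactly ISN+1 is unacceptable: the client sends
    <SEQ=SEG.ACK><CTL=RST> and drops the segment. A correct ACK completes
    the handshake with a plain ACK."""
    if seg.flags != "SYN-ACK":
        return None
    if seg.ack != (client_isn + 1) & MASK32:
        return Seg(src=seg.dst, dst=seg.src, flags="RST", seq=seg.ack)
    return Seg(src=seg.dst, dst=seg.src, flags="ACK", seq=seg.ack, ack=(seg.seq + 1) & MASK32)


def strict_firewall_allows(seg: Seg, tracked_client_isn: int) -> bool:
    """Stateful firewall that checks sequence/ack numbers: a returning SYN-ACK
    whose ack does not match the SYN it tracked is dropped."""
    if seg.flags != "SYN-ACK":
        return True
    return seg.ack == (tracked_client_isn + 1) & MASK32


def classify_source(probe: Seg, reply: Optional[Seg]) -> str:
    """Device-side verdict on the probed source address."""
    if reply is None:
        return "no reply: spoofed or unreachable source, not whitelisted"
    if reply.flags == "RST" and reply.seq == probe.ack:
        return "RST received: real source, whitelisted"
    return "unexpected reply, not whitelisted"


def run_detection(real_client: bool, strict_firewall: bool) -> str:
    """Drive one constructed SYN through the probe exchange."""
    client_isn, device_isn = 0x10000000, 0x20000000          # constructed sample values
    syn = Seg("198.51.100.7", "203.0.113.10", "SYN", seq=client_isn)
    probe = build_probe(syn, device_isn)
    if not real_client:
        return classify_source(probe, None)   # spoofed address: nothing is in SYN-SENT there
    if strict_firewall and not strict_firewall_allows(probe, client_isn):
        return "probe dropped by stateful firewall: client never answers, service breaks"
    return classify_source(probe, client_in_syn_sent(probe, client_isn))


if __name__ == "__main__":
    for real, fw in ((True, False), (False, False), (True, True)):
        print(f"real_client={real} strict_firewall={fw}: {run_detection(real, fw)}")
```

Note what the probe proves: only that the source address is reachable and runs a TCP stack that answers. A SYN flood sent from real, non-spoofed addresses passes this check, which is why the Real Source IP Rate Limiting item below is meant to be used together with it.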
ACK Flood Attack Defense
Session check-based defense: The first ACK packet is allowed, and a session entry keyed by the 5-tuple records the sequence number and payload length of that ACK packet, from which the expected sequence number of the next packet follows. Subsequent ACK packets on the same flow are checked against that expected sequence number. If the check passes, the source address is whitelisted; otherwise subsequent packets are directly discarded.
FIN/RST Flood Attack Defense
Session check-based defense: FIN and RST packets terminate a connection, so in normal cases a session entry created by the SYN/SYN-ACK/ACK handshake must already exist. FIN/RST packets are checked against the session table, and those that match no session are directly discarded.
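The session check used by both the ACK flood defense and the FIN/RST flood defense above can be expressed with one session table. The following is an added illustration, not the device's code: a 5-tuple-keyed table that admits the first ACK, records sequence number plus payload length as the next expected sequence number, whitelists a source whose next ACK continues the flow, drops ACKs that do not, and drops FIN/RST packets that match no session. The flows, ports and sequence numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MASK32 = 0xFFFFFFFF
FiveTuple = Tuple[str, int, str, int, str]


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "ACK", "FIN" or "RST"; the SYN handshake is modelled by open_session()
    seq: int
    payload_len: int = 0


@dataclass
class Session:
    next_seq: int       # sequence number the next segment on this flow must carry


class SessionChecker:
    """Session check for ACK floods and FIN/RST floods (illustrative model)."""

    def __init__(self) -> None:
        self.sessions: Dict[FiveTuple, Session] = {}
        self.whitelist: Set[str] = set()

    @staticmethod
    def key(p: Pkt) -> FiveTuple:
        return (p.src, p.sport, p.dst, p.dport, "tcp")

    def open_session(self, p: Pkt, next_seq: int) -> None:
        """Entry created when the device sees a complete SYN/SYN-ACK/ACK handshake."""
        self.sessions[self.key(p)] = Session(next_seq)

    def process(self, p: Pkt) -> str:
        k = self.key(p)
        sess = self.sessions.get(k)
        if p.flags in ("FIN", "RST"):
            # Termination packets must match an existing session; otherwise discard.
            if sess is None:
                return "drop"
            del self.sessions[k]
            return "pass"
        if p.flags != "ACK":
            return "drop"                     # other flags are outside this check
        if p.src in self.whitelist:
            return "pass"                     # verified source, no further sequence check
        if sess is None:
            # First ACK is allowed and seeds the entry with seq + payload length.
            self.sessions[k] = Session((p.seq + p.payload_len) & MASK32)
            return "pass"
        if p.seq != sess.next_seq:
            return "drop"                     # sequence number does not continue the flow
        sess.next_seq = (p.seq + p.payload_len) & MASK32
        self.whitelist.add(p.src)
        return "pass"


def run_sample() -> List[str]:
    """Constructed traffic: a genuine flow, a spoofed ACK flood, a stray RST and a real FIN."""
    c = SessionChecker()
    real = ("198.51.100.7", 40000, "203.0.113.10", 80)
    bogus = ("192.0.2.1", 1234, "203.0.113.10", 80)
    return [
        c.process(Pkt(*real, "ACK", seq=1000, payload_len=100)),   # first ACK: allowed
        c.process(Pkt(*real, "ACK", seq=1100, payload_len=50)),    # continues: whitelisted
        c.process(Pkt(*bogus, "ACK", seq=5)),                      # first ACK: allowed
        c.process(Pkt(*bogus, "ACK", seq=99999)),                  # random seq: dropped
        c.process(Pkt("192.0.2.9", 5555, "203.0.113.10", 80, "RST", seq=1)),  # no session
        c.process(Pkt(*real, "FIN", seq=1150)),                    # matches session
    ]


if __name__ == "__main__":
    print(run_sample())
```

The whitelist is keyed by source address, so once one flow from an address has passed, every later ACK from that address is admitted without a sequence check; a FIN or RST is still required to match a session. A flooding source that sends sequence-correct ACKs on a real connection is not stopped by this check.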
Real Source IP Rate Limiting
It is used together with SYN flood attack defense to defend against SYN floods sent from real (non-spoofed) source IP addresses, which SYN source detection alone does not stop.
TCP Connection Flood Attack Defense
The thresholds on the number of concurrent connections to a destination IP address and on the number of new connections per second to a destination IP address can be configured only after at least one of New Connection Rate Check by Source IP Address, Connection Number Check for Source IP Address, and Abnormal Session Check is selected.
Because improperly configured parameters for New Connection Rate Check by Source IP Address and Connection Number Check for Source IP Address can cause false positives, these two checks are not recommended in normal cases. Enable them only after you have obtained details of the attack mechanism, for example through packet capture.
Abnormal Session Check comprises Null Connection Check, Retransmission Session Check, and Sockstress. For details of their mechanisms, see the product manual. All three can be enabled with the default parameters unchanged.
The dynamic blacklist function must be enabled for TCP connection flood attack defense; otherwise none of these checks take effect.
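The following is an added illustrative model, not the device's implementation, of the two per-source checks and why the dynamic blacklist matters: a one-second sliding window counts new connections per source, a counter tracks that source's concurrent connections, and exceeding either threshold places the source on a dynamic blacklist with an expiry. With the blacklist disabled the thresholds are evaluated but produce no action. The thresholds, timestamps and addresses are constructed sample values; the simulated source behaves like a NAT gateway opening many connections at once, which is the kind of traffic that makes these per-source checks prone to false positives.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class ConnFloodGuard:
    """Per-source new-connection-rate and concurrent-connection checks gated
    by a dynamic blacklist (illustrative model, not the device's implementation)."""

    def __init__(self, max_new_per_sec: int, max_concurrent: int,
                 blacklist_ttl: float, dynamic_blacklist: bool = True) -> None:
        self.max_new_per_sec = max_new_per_sec
        self.max_concurrent = max_concurrent
        self.blacklist_ttl = blacklist_ttl
        self.dynamic_blacklist = dynamic_blacklist
        self.new_times: Dict[str, Deque[float]] = defaultdict(deque)   # SYN timestamps per source
        self.concurrent: Dict[str, int] = defaultdict(int)             # open connections per source
        self.blacklist: Dict[str, float] = {}                          # source -> expiry time

    def is_blacklisted(self, src: str, now: float) -> bool:
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklist[src]          # entry ages out
            return False
        return True

    def on_new_connection(self, src: str, now: float) -> str:
        """Called for each new connection (SYN) from src; returns 'pass' or 'drop'."""
        if self.is_blacklisted(src, now):
            return "drop"
        window = self.new_times[src]
        window.append(now)
        while window and window[0] <= now - 1.0:   # keep a one-second sliding window
            window.popleft()
        over_rate = len(window) > self.max_new_per_sec
        over_count = self.concurrent[src] + 1 > self.max_concurrent
        if (over_rate or over_count) and self.dynamic_blacklist:
            self.blacklist[src] = now + self.blacklist_ttl
            return "drop"
        # Without the dynamic blacklist the thresholds produce no action, which
        # is what "the checks do not take effect" means in practice.
        self.concurrent[src] += 1
        return "pass"

    def on_close(self, src: str) -> None:
        """FIN/RST on a tracked connection frees one concurrent slot."""
        if self.concurrent[src] > 0:
            self.concurrent[src] -= 1


def simulate(dynamic_blacklist: bool = True) -> Dict[str, int]:
    """Constructed traffic: one source opening 8 connections in 0.5 s against a
    threshold of 5/s, retrying while blacklisted, then again after expiry."""
    g = ConnFloodGuard(max_new_per_sec=5, max_concurrent=100, blacklist_ttl=10.0,
                       dynamic_blacklist=dynamic_blacklist)
    verdicts = {"pass": 0, "drop": 0}
    for i in range(8):
        verdicts[g.on_new_connection("198.51.100.7", now=i * 0.0625)] += 1
    verdicts[g.on_new_connection("198.51.100.7", now=5.0)] += 1     # still blacklisted
    verdicts[g.on_new_connection("198.51.100.7", now=20.0)] += 1    # blacklist expired
    return verdicts


if __name__ == "__main__":
    print("dynamic blacklist on: ", simulate(True))
    print("dynamic blacklist off:", simulate(False))
```

With the blacklist enabled, the sixth connection in the burst trips the rate threshold and every further attempt from that address is dropped until the entry expires; every user behind that one address is cut off for the whole TTL, which is the false-positive risk the text warns about. With the blacklist disabled all ten attempts pass.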