No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Defend E200 syn-flood working principle and how to test judgment this function has come into effect

Publication Date:  2012-11-02 Views:  113 Downloads:  0

Issue Description

The customer tests syn-flood attack prevention function of E200, test topology is as follows:
Use a PC install corresponding software to simulate syn-flood attack “HOST” host. Configure in the E200:
firewall defend syn-flood enable
firewall defend syn-flood zone trust max-rate 10
Attacker sent “100 packets/sec” syn attack packets, and then capture in the Attacker found that all the attack packets received “syn ack” response, and the source IP of the returned package is HOST’s IP, so that the customer thought the “syn-flood” prevent attack of E200 not become effective.

Alarm Information


Handling Process

Suggest customers capture in the Attacker and the HOST at the same time, the captured results shows that:
1. When the Attacker issued attack message is less than 10packets/sec, capture on HOST found that HOST received all attack packets and replied the “syn” message.
2. When the Attacker issued attack message is more than 10packets/sec, capture on HOST found that HOST stopped receiving “syn”packets, and capture on Attacker still can receive all the “syn ack” reply.
3. display firewall statistic system defend on E200
  ============display firewall  statistic system  defend============
Display firewall defend statistic:
IP spoof attack                          : 23156 packets
land attack                              : 0 packets
Smurf attack                             : 0 packets
fraggle attack                           : 0 packets
Winnuke attack                           : 0 packets
Syn flood attack                         : 1253 packets   - attack packet statistics keep growing
In conclusion, prove “E200 defend syn-flood” function is effective.

Root Cause

First of all, we should know the working principle of E200 “defend syn-flood”:
If the acceptance rate of the syn packet detected byE200 is over the configured “Max rate” (in this case is 10 packets/sec, not configured this parameters the default value is 1000 packets/sec), it is considered to be the attack message, E200 will open “TCP proxy” function, instead of the be attacked host response “syn ack” message, if the launcher is the attack source, it won't reply “ack”, if is normal connection, it will reply “ack”, establishes of three handshake connections. E200 is in this way to protect the host from syn-flood attack.
To come back to look at the customer's test results:
Customers in the Attacker captured all attack packets “syn ack” message, and the source IP is HOST’s IP, actually this is E200 instead of HOST to response the “syn ack” message, the “defend syn-flood” of E200 has been effective.


Before the test must understand the working principle of equipment, and then make corresponding test plans and procedures, in order to achieve the desired effect.