Manual Chapter : Introduction to Protection Against SYN Flood Attacks

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Manual Chapter

About SYN flood attacks

The BIG-IP® system includes features that help protect the system from a SYN flood attack. A SYN flood is a type of attack designed to exhaust all resources used to establish TCP connections. A SYN flood occurs when a client application intentionally fails to complete the initial handshake with the BIG-IP system, leaving the SYN queue to fill up with TCP half-open connections. As a result, the system no longer has the resources to process legitimate application traffic.

About SYN cookie protection

What are SYN Check activation and SYN cookie protection?

To protect against SYN flood attacks, the BIG-IP® system includes a feature known as SYN Check™. This feature globally monitors the system based on thresholds that you define, such as the number of TCP open-half connections on the system. When the system detects an attack, the BIG-IP system sends information about the flow to the requesting client, in the form of cookies.

SYN cookies help prevent the BIG-IP SYN queue from becoming full during a SYN flood attack, so that normal TCP communication can continue.

Scope of SYN cookie protection

Certain FPGA F5® platforms support both collaborative hardware and software SYN cookie protection, while other platforms support software SYN cookie protection only. When your platform uses software only for SYN cookie protection, the BIG-IP system implements SYN cookie protection per-virtual server. When your FPGA platform supports both hardware and software SYN cookie protection, you have the option of implementing SYN cookie protection per VLAN.

Note: The Argon-v1.11.20.0/2 and Beryllium-v2.22.1 bitstreams do not support L7 Hardware SYN Cookie functionality, although L4 Hardware SYN Cookie and all Software SYN Cookie features are supported. Argon and Beryllium based systems also do not support SYN cookie operation in VCMP mode running on older guests (for example, BIG-IP versions 11.X.X and 12.0.0).

About thresholds

The BIG-IP system triggers SYN cookie protection based on thresholds that you configure. The system offers a per-virtual server threshold value, which is a number of TCP half-open connections. If any virtual server on the system experiences this number of half-open connections, the system triggers cookie protection for that virtual server. Additionally, the system offers a global threshold that applies system-wide. The system will trigger global cookie protection when the system experiences the configured number of TCP half-open connections in total. Additional thresholds exist for VLAN-based SYN cookie protection.

SYN Check activation vs. adaptive reaping

The SYN Check feature complements the existing adaptive reaper feature in the BIG-IP system. While the adaptive reaper handles established connection flooding, SYN Check prevents connection flooding altogether. That is, while the adaptive reaper must work overtime to flush connections, the SYN Check feature prevents the SYN queue from becoming full, thus allowing the target system to continue to establish TCP connections.