Layer 3-4 SYN Denial-of-Service Protection

May 18, 2017

Any NetScaler appliance with system software version 8.1 or later automatically provides protection against SYN DoS attacks.

To mount such an attack, an attacker initiates a large number of TCP connections but never responds to the SYN-ACK messages sent back by the targeted server. The source IP addresses in the SYN messages received by the server are typically spoofed, so the SYN-ACKs go nowhere. Because new SYN messages arrive faster than the half-open connections created by earlier SYN messages time out, the number of half-open connections grows until the server no longer has enough memory to accept new connections. In extreme cases, the system memory stack can overflow.

A NetScaler appliance defends against SYN flood attacks by using SYN cookies instead of maintaining half-open connections on the system memory stack. The appliance sends a cookie to each client that requests a TCP connection, but it does not maintain the states of half-open connections. Instead, the appliance allocates system memory for a connection only upon receiving the final ACK packet, or, for HTTP traffic, upon receiving an HTTP request. This prevents SYN attacks and allows normal TCP communications with legitimate clients to continue uninterrupted.

SYN DoS protection on the NetScaler appliance ensures the following:
  • The memory of the NetScaler is not wasted on false SYN packets. Instead, memory is used to serve legitimate clients.
  • Normal TCP communications with legitimate clients continue uninterrupted, even when the Web site is under SYN flood attack.

In addition, because the NetScaler appliance allocates memory for HTTP connection state only after it receives an HTTP request, it protects Web sites from idle connection attacks.
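The mechanism described above, as an added illustration that is not NetScaler's code or its internal cookie format: the server encodes everything it needs to finish the handshake (a coarse timestamp, the client's MSS rounded down to a small table, and a keyed hash over the 4-tuple) into the initial sequence number of its SYN-ACK, stores nothing, and only allocates connection state when a valid ACK comes back. The bit layout, the MSS table, the 64-second counter, the two-tick acceptance window and the secret key are assumptions chosen for the example; the simulated flood and client are constructed input.

```python
import hashlib
import hmac
import struct

# Assumed key for the example only; a real implementation rotates this.
COOKIE_SECRET = b"example-key-for-illustration"

# Assumed Bernstein-style layout: 5 bits time counter | 3 bits MSS index |
# 24 bits keyed hash. This is the textbook scheme, not NetScaler's format.
MSS_TABLE = (536, 1220, 1440, 1460)   # encodable MSS values (index 0..3)
COUNTER_PERIOD_S = 64                 # counter advances every 64 seconds
MAX_COOKIE_AGE_TICKS = 2              # cookies older than this are rejected


def _counter(now):
    """5-bit coarse time counter derived from a Unix timestamp."""
    return (int(now) // COUNTER_PERIOD_S) & 0x1F


def _mac24(saddr, daddr, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and counter."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, counter)
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Build the ISN for our SYN-ACK; it carries all handshake state."""
    counter = _counter(now)
    # Largest table entry not exceeding the client's MSS (0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, counter)


def check_cookie(cookie, saddr, daddr, sport, dport, now):
    """Validate an echoed cookie (ACK number - 1). Returns MSS or None."""
    counter = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x07
    mac = cookie & 0xFFFFFF
    age = (_counter(now) - counter) & 0x1F
    if age > MAX_COOKIE_AGE_TICKS or mss_idx >= len(MSS_TABLE):
        return None                      # stale or malformed
    if mac != _mac24(saddr, daddr, sport, dport, counter):
        return None                      # not issued by us for this 4-tuple
    return MSS_TABLE[mss_idx]


class SynCookieServer:
    """Minimal server model: no half-open table, state only on valid ACK."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}            # memory is spent only here
        self.rejected_acks = 0

    def on_syn(self, saddr, sport, mss, now):
        # Nothing is stored: the SYN-ACK's ISN is the only record of this SYN.
        return make_cookie(saddr, self.addr, sport, self.port, mss, now)

    def on_ack(self, saddr, sport, ack_num, now):
        cookie = (ack_num - 1) & 0xFFFFFFFF
        mss = check_cookie(cookie, saddr, self.addr, sport, self.port, now)
        if mss is None:
            self.rejected_acks += 1
            return False
        self.established[(saddr, sport)] = {"mss": mss}
        return True


def simulate(now=1_000_000):
    """Constructed scenario: spoofed flood, then one legitimate client."""
    server = SynCookieServer(b"\x0a\x00\x00\x01", 443)
    # 10,000 spoofed SYNs that never complete the handshake.
    for i in range(10_000):
        spoofed = struct.pack("!I", 0xC0A80000 + i)
        server.on_syn(spoofed, 40000 + i, 1460, now)
    state_after_flood = len(server.established)          # 0
    # A legitimate client echoes the cookie within the window.
    client = b"\xc0\xa8\x01\x64"
    isn = server.on_syn(client, 51234, 1460, now)
    ok = server.on_ack(client, 51234, (isn + 1) & 0xFFFFFFFF, now + 5)
    # A tampered cookie (one hash bit flipped) fails the keyed check.
    tampered = server.on_ack(client, 51234, ((isn ^ 1) + 1) & 0xFFFFFFFF, now)
    # The same cookie replayed long after issue is rejected as stale.
    stale = server.on_ack(client, 51234, (isn + 1) & 0xFFFFFFFF,
                          now + 10 * COUNTER_PERIOD_S)
    return state_after_flood, ok, tampered, stale, len(server.established)


if __name__ == "__main__":
    print(simulate())   # (0, True, False, False, 1)
```

The flood leaves `established` empty because no per-SYN state is ever created, which is the property the text describes; the cost of the scheme is that options not encoded in the cookie (here, anything beyond a coarse MSS) are lost, which is why deployments that depend on such options, or where the final ACK may be dropped or reordered, sometimes disable it.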

SYN DoS protection on your NetScaler appliance requires no external configuration. It is enabled by default.

Disabling SYN Cookies

SYN cookies are enabled by default on a NetScaler appliance to prevent SYN attacks. If your deployment requires you to disable SYN cookies, for example, for server-initiated data connections or in cases where a connection is not established because the first packet is dropped or reordered, use one of the following methods to disable SYN cookies.

To disable SYN cookies by using the NetScaler command line

At the command prompt, type:

set nstcpprofile nstcp_default_profile -synCookie DISABLED

Arguments

synCookie

  Enable or disable the SYNCOOKIE mechanism for the TCP handshake with clients. Disabling SYNCOOKIE removes SYN attack protection on the NetScaler appliance.

  Possible values: ENABLED, DISABLED

  Default: ENABLED

To disable SYN cookies by using the NetScaler GUI

  1. Navigate to System > Profiles > TCP Profiles.
  2. Select a profile and click Edit.
  3. Clear the TCP SYN Cookie check box.
  4. Click OK.