NetScaler

Layer 3-4 SYN Denial-of-Service protection

September 21, 2020

Contributed by:

S S

Any NetScaler appliance with system software version 8.1 or later automatically provides protection against SYN DoS attacks.

To mount such an attack, a hacker initiates a large number of TCP connections but does not respond to the SYN-ACK messages sent by the victimized server. The source IP addresses in the SYN messages received by the server are typically spoofed. Because new SYN messages arrive before the half-open connections initiated by previous SYN messages time out, the number of such connections increases until the server no longer has enough memory available to accept new connections. In extreme cases, the system memory stack can overflow.

A NetScaler appliance defends against SYN flood attacks by using SYN cookies instead of maintaining half-open connections on the system memory stack. The appliance sends a cookie to each client that requests a TCP connection, but it does not maintain the states of half-open connections. Instead, the appliance allocates system memory for a connection only upon receiving the final ACK packet, or, for HTTP traffic, upon receiving an HTTP request. This prevents SYN attacks and allows normal TCP communications with legitimate clients to continue uninterrupted.

SYN DoS protection on the NetScaler appliance ensures the following:

The memory of the NetScaler is not wasted on false SYN packets. Instead, memory is used to serve legitimate clients.
Normal TCP communications with legitimate clients continue uninterrupted, even when the Web site is under SYN flood attack.

In addition, because the NetScaler appliance allocates memory for HTTP connection state only after it receives an HTTP request, it protects Web sites from idle connection attacks.

SYN DoS protection on your NetScaler appliance requires no external configuration. It is enabled by default.

Disable SYN Cookies

SYN cookies are enabled by default on a NetScaler appliance to prevent SYN attacks. If your deployment requires you to disable SYN cookies, for example, for server-initiated data connections or in cases where a connection is not established because the first packet is dropped or reordered, use one of the following methods to disable SYN cookies.

Disable SYN cookies by using the CLI

At the command prompt, type:

set nstcpprofile nstcp_default_profile -synCookie DISABLED

**Arguments**

synCookie

Enable or disable the SYNCOOKIE mechanism for TCP handshake with clients. Disabling SYNCOOKIE prevents SYN attack protection on the NetScaler appliance.

              Possible values: ENABLED, DISABLED

              Default: ENABLED

Disable SYN cookies by using the GUI

Navigate to System > Profiles > TCP Profiles.
Select a profile and click Edit.
Clear the TCP SYN Cookie check box.
Click OK.

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Layer 3-4 SYN Denial-of-Service protection

September 21, 2020

Contributed by:

S S

September 21, 2020

Contributed by:

S S

Layer 3-4 SYN Denial-of-Service protection

Disable SYN Cookies

Disable SYN cookies by using the CLI

Disable SYN cookies by using the GUI

In this article