11.07.2015 Views

WatchGuard Firebox System 7.0 User Guide


Default Packet Handling

network. Although there is some gain to leaving IP options enabled, the risk generally outweighs the benefit.

From Policy Manager:

1 On the toolbar, click the Default Packet Handling icon.
You can also, from Policy Manager, select Setup => Intrusion Prevention => Default Packet Handling.
The Default Packet Handling dialog box appears.

2 Select the checkbox marked Block IP Options.

Stopping SYN Flood attacks

A SYN Flood attack is a type of Denial of Service (DoS) attack that seeks to prevent your public services (such as email and Web servers) from being accessible to users on the Internet.

To understand how SYN Flood works, consider a normal TCP connection. A user tries to connect by way of a Web browser to your server by sending what is called a SYN segment. Your Web server acknowledges the browser by sending what is called a SYN+ACK segment. When the browser sees the SYN+ACK, it sends an ACK segment. The server is ready to accept the URL request from the browser when it sees the ACK segment. However, until the ACK segment has been received, the server is “stuck”; it knows the browser wants to communicate, but the connection is not yet established. Many servers in use today can handle only a finite number of these half-way completed connections at a time. They are stored in a backlog until they are completed or time out. When the server’s backlog is full, no new connections can be accepted.

A SYN Flood attack attempts to fill up the victim server’s backlog by sending a flood of SYN segments without ever sending an ACK. When the backlog fills up, the server will be unavailable to users.

The WatchGuard Firebox System can help defend your servers against a SYN Flood attack by tracking the number of SYNs that are sent without a following ACK. If this number exceeds the threshold you define, the SYN Flood
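The tracking idea described above (count the SYNs that are never followed by an ACK and compare the count with a threshold) can be sketched as follows. This is an added example, not WatchGuard code: the packet tuples, addresses, the 30-second timeout and the function names are constructed for illustration.

```python
from collections import defaultdict

WEB, MAIL = "203.0.113.10", "203.0.113.20"  # constructed server addresses

def sample_packets():
    """Constructed capture: (time_s, src, sport, dst, dport, tcp_flags)."""
    pkts = []
    for i in range(3):  # three complete handshakes: SYN, SYN+ACK, ACK
        c, p, t = f"198.51.100.{i + 1}", 40000 + i, float(i)
        pkts += [(t, c, p, WEB, 80, "S"), (t + 0.01, WEB, 80, c, p, "SA"),
                 (t + 0.02, c, p, WEB, 80, "A")]
    for i in range(20):  # twenty SYNs that are never followed by an ACK
        pkts.append((5 + i * 0.01, f"192.0.2.{i + 1}", 50000 + i, WEB, 80, "S"))
    c, p = "198.51.100.9", 41000  # one complete handshake to the mail server
    pkts += [(6.0, c, p, MAIL, 25, "S"), (6.01, MAIL, 25, c, p, "SA"),
             (6.02, c, p, MAIL, 25, "A")]
    return pkts

def find_syn_floods(packets, threshold, timeout=30.0):
    """Return {(server_ip, port): peak} for every server whose number of
    SYNs without a following ACK rose above `threshold` (assumed semantics)."""
    pending = defaultdict(dict)  # server -> {(client_ip, port): SYN time}
    peaks = {}
    for ts, src, sport, dst, dport, flags in packets:
        if flags == "S":
            half_open = pending[(dst, dport)]
            # Entries leave the backlog when they time out ...
            for client in [c for c, t in half_open.items() if ts - t > timeout]:
                del half_open[client]
            half_open[(src, sport)] = ts
            if len(half_open) > threshold:
                peaks[(dst, dport)] = max(peaks.get((dst, dport), 0), len(half_open))
        elif flags == "A":
            # ... or when the client's ACK completes the handshake.
            pending[(dst, dport)].pop((src, sport), None)
    return peaks

if __name__ == "__main__":
    for (ip, port), peak in find_syn_floods(sample_packets(), threshold=10).items():
        print(f"possible SYN flood against {ip}:{port}: {peak} SYNs awaiting ACK")
```

Completed handshakes never accumulate in the count, so only the server receiving unanswered SYNs is reported.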
