cgustave
May 30, 2012

Technical Note : Service Processor (SP), SYN proxy

Purpose
Presents the hardware-accelerated SYN proxy feature available with the Service Processor (SP) on the CE4, XE2 and XG2 modules and on the FortiGate 3140B.
Scope
FortiGate with Service Processor (built-in or on a module)
Modules: ADM-XE2, ASM-CE4, FMC-XG2
FortiGate: FortiGate 3140B (built-in SP)
Diagram

[network diagram image]


Expectations, Requirements
Requirements:

  • FortiGate with SP modules
  • SYN proxy is applied on the SP-based interface that receives the traffic

Benefits:
  • Better protection against SYN flood attacks than DoS action=block
       => legitimate connections keep passing while the attack SYNs are dropped.
  • Only the ingress port of the FortiGate must be SP based (the egress port does not have to be)
  • Also works with VLAN interfaces and with spoofed-source attacks
Principle:

The FortiGate acts as a proxy for the TCP 3-way handshake (SYN, SYN/ACK, ACK):
  • no change in behavior while the configured SYN threshold is not reached;
  • once the SYN threshold is reached:
    • the SP answers each SYN with a SYN/ACK itself and forwards the SYN to the server only after the client has replied with its ACK;
    • the SYN proxy is performed in SP hardware.
=> A SYN flood only sends SYNs and never answers the SYN/ACK with an ACK, so the attack SYNs never reach the server and the half-open entries are dropped.
=> Legitimate clients complete the handshake and their connections are allowed through.

[SYN proxy handshake figure]
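The handshake behaviour described under Principle, as an added toy model (not FortiGate code): below the threshold SYNs pass unchanged; at or above it the proxy answers the SYN locally and only opens the server side once the client's ACK arrives. The counter names follow the fields of "diagnose npu spm dos synproxy" shown in the Troubleshooting section and the 3-second client/server timeouts are the defaults shown there; the class, its event methods and the sample traffic are invented for the illustration.

```python
"""Toy state machine for the SP SYN-proxy behaviour described in the note.

Added illustration, not FortiGate code. Counter names mirror the
'diagnose npu spm dos synproxy' output; the 3 s timeouts are the
defaults shown there. Everything else is invented for the example.
"""
from collections import deque


class SynProxy:
    def __init__(self, threshold, client_timeout=3.0, server_timeout=3.0):
        self.threshold = threshold          # SYN/s at which proxying starts (>=, as in the log)
        self.client_timeout = client_timeout
        self.server_timeout = server_timeout
        self.syn_times = deque()            # SYN arrival times within the last second
        self.pending = {}                   # flow -> {"stage": ..., "deadline": ...}
        # Counters, numbered as in the diag output
        self.proxied = 0                    # (1) SYNs answered locally by the proxy
        self.working = 0                    # (2) handshakes completed on both sides
        self.retired = 0                    # (3) proxied entries torn down
        self.no_client_ack = 0              # (5) attack: client never ACKed our SYN/ACK
        self.no_server_synack = 0           # (6) server never answered the forwarded SYN
        self.server_reset = 0               # (7) server answered with RST (port closed)
        self.passed_through = 0             # SYNs forwarded unmodified (below threshold)

    def _syn_rate(self, now):
        while self.syn_times and now - self.syn_times[0] >= 1.0:
            self.syn_times.popleft()
        return len(self.syn_times)

    def tick(self, now):
        """Expire half-open entries; flood SYNs that never got an ACK end up here."""
        for flow, st in list(self.pending.items()):
            if now >= st["deadline"]:
                if st["stage"] == "await_client_ack":
                    self.no_client_ack += 1
                else:
                    self.no_server_synack += 1
                self.retired += 1
                del self.pending[flow]

    def client_syn(self, now, flow):
        self.tick(now)
        self.syn_times.append(now)
        if self._syn_rate(now) < self.threshold:
            self.passed_through += 1        # no change in behaviour below threshold
            return "SYN forwarded to server"
        self.proxied += 1                   # SP answers; nothing reaches the server yet
        self.pending[flow] = {"stage": "await_client_ack",
                              "deadline": now + self.client_timeout}
        return "SYN/ACK sent by proxy"

    def client_ack(self, now, flow):
        self.tick(now)
        st = self.pending.get(flow)
        if st is None or st["stage"] != "await_client_ack":
            return "dropped"                # ACK for an unknown or spoofed flow
        st["stage"] = "await_server_synack" # handshake confirmed: now open the server side
        st["deadline"] = now + self.server_timeout
        return "SYN forwarded to server"

    def server_synack(self, now, flow):
        self.tick(now)
        st = self.pending.get(flow)
        if st is None or st["stage"] != "await_server_synack":
            return "dropped"
        del self.pending[flow]
        self.working += 1
        return "ACK sent to server, session established"

    def server_rst(self, now, flow):
        self.tick(now)
        if self.pending.pop(flow, None) is None:
            return "dropped"
        self.server_reset += 1
        self.retired += 1
        return "RST relayed to client"

    def counters(self):
        return {k: getattr(self, k) for k in (
            "proxied", "working", "retired", "no_client_ack",
            "no_server_synack", "server_reset", "passed_through")}


def run_demo(threshold=10):
    """Constructed traffic: a spoofed-source flood that never completes the
    handshake, one good client, one client hitting a closed port, one whose
    server stays silent. Returns the counters after the timeouts have fired."""
    p = SynProxy(threshold)
    for i in range(50):                     # 50 SYNs in 0.5 s from 50 spoofed sources
        p.client_syn(i * 0.01, ("198.51.100.%d" % i, 40000 + i))
    good = ("10.150.0.3", 54920)
    p.client_syn(0.50, good)
    p.client_ack(0.55, good)                # only now is a SYN sent to the server
    p.server_synack(0.60, good)
    closed = ("10.150.0.4", 41000)
    p.client_syn(0.70, closed)
    p.client_ack(0.72, closed)
    p.server_rst(0.75, closed)              # nothing listening on that port
    silent = ("10.150.0.5", 42000)
    p.client_syn(0.80, silent)
    p.client_ack(0.82, silent)              # server never answers this one
    p.tick(5.0)                             # all pending entries exceed their 3 s timeouts
    return p.counters()


if __name__ == "__main__":
    for name, value in run_demo().items():
        print("%-18s %d" % (name, value))
```

With threshold 10 the first nine flood SYNs pass through untouched, exactly the "no change in behavior" case; from the tenth on every SYN is proxied, the 41 spoofed entries expire as "no ACK from client" and the server never sees them, while the three real clients are handled according to what their server does.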


Configuration

config system interface

    edit "port9"
        set vdom "root"
        set ip 172.31.225.38 255.255.252.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
    next
    edit "port20_vlan150"
        set vdom "root"
        set ip 10.150.1.38 255.255.252.0
        set allowaccess ping https ssh snmp http telnet
        set interface "port20"
        set vlanid 150
    next
end

config ips DoS
    edit "syn_proxy"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action proxy
                set threshold 1
            next
        end
    next
end

(threshold 1 is used here only to force proxying during the test; in production set it to a SYN/s rate above the normal peak load of the protected servers.)

config firewall interface-policy
    edit 1
        set interface "port20_vlan150"
        set srcaddr "all"
        set dstaddr "all"
        set service "ANY"
        set ips-DoS-status enable
        set ips-DoS "syn_proxy"
    next
end

config firewall policy
    edit 2
        set srcintf "port20_vlan150"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end




Snapshots from the GUI:

[GUI screenshot]


[GUI screenshot]



Verification
Example of attack logs generated by the SYN proxy sensor:

Attack log during a continuous SYN flood from source 10.150.0.3:

2012-05-29 20:59:15 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=13398 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14760 >= threshold 1 SYN PROXY, repeats 889144 times"

2012-05-29 20:58:14 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=41758 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14804 >= threshold 1 SYN PROXY, repeats 890823 times"




Notes:
  • A log is generated immediately when the threshold is reached
  • The log is then updated every minute while the attack continues
  • The SYN rate can be derived from the "repeats" field (in this example: 889144 / 60 = 14819 SYN/s, consistent with the "NPU 14760" rate in the message)
  • Unlike action=block, there is no limit on valid TCP connections, even once the threshold is reached
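The rate computation in the Notes, carried out over the two log records above, as an added example (not part of the original note or of FortiOS). The records are copied verbatim from the Verification section; the key=value parser handles FortiGate's quoted values, and the summary extracts the NPU rate, the threshold and the repeats count from the msg field and divides repeats by the 60-second log interval. Function and constant names are invented.

```python
"""Parse tcp_syn_flood anomaly logs and derive the SYN rate from "repeats".

Added example, not FortiGate code. SAMPLE_LOGS are the two records from the
Verification section; LOG_INTERVAL_S is the once-a-minute refresh described
in the Notes. Function names are invented for the illustration.
"""
import re

SAMPLE_LOGS = [
    '2012-05-29 20:59:15 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=13398 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14760 >= threshold 1 SYN PROXY, repeats 889144 times"',
    '2012-05-29 20:58:14 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=41758 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14804 >= threshold 1 SYN PROXY, repeats 890823 times"',
]

LOG_INTERVAL_S = 60   # the attack log is refreshed once a minute

# key=value pairs; a quoted value may contain spaces (msg, ref)
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MSG_RE = re.compile(r"NPU (\d+) >= threshold (\d+) SYN PROXY, repeats (\d+) times")


def parse_log(line):
    """Split a FortiGate log line into {field: value}, keeping the timestamp."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError("no leading timestamp: %r" % line[:40])
    rec = {"timestamp": m.group(1)}
    for key, quoted, bare in KV_RE.findall(m.group(2)):
        rec[key] = bare if bare else quoted
    return rec


def syn_flood_summary(rec, interval=LOG_INTERVAL_S):
    """Return the SYN-proxy figures for a tcp_syn_flood record, else None.

    The record's src_port changes from one log to the next and dst_port is 0,
    so the useful pivot is src/dst address, not the ports.
    """
    if rec.get("type") != "ips" or rec.get("attack_name") != "tcp_syn_flood":
        return None
    m = MSG_RE.search(rec.get("msg", ""))
    if not m:
        return None
    npu_rate, threshold, repeats = (int(x) for x in m.groups())
    return {
        "timestamp": rec["timestamp"],
        "src": rec["src"],
        "dst": rec["dst"],
        "sensor": rec.get("sensor"),
        "npu_syn_per_s": npu_rate,              # rate seen by the NPU when the log was written
        "threshold": threshold,
        "repeats": repeats,
        "avg_syn_per_s": repeats // interval,   # the Notes' method: repeats over the 60 s interval
    }


def summarize(lines):
    """Summaries for every SYN-proxy record in a batch of log lines."""
    return [s for s in (syn_flood_summary(parse_log(l)) for l in lines) if s]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOGS):
        print("%(timestamp)s %(src)s -> %(dst)s  %(avg_syn_per_s)d SYN/s avg, "
              "NPU %(npu_syn_per_s)d SYN/s, threshold %(threshold)d" % s)
```

The averaged figure (14819 and 14847 SYN/s) and the NPU's instantaneous figure (14760 and 14804) agree to within about half a percent, which is the check to make before trusting the "repeats" arithmetic on a log whose interval is not the default.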

[screenshot]

Example of the firewall session for a SYN-proxied connection (note the proxy flag in npu_state on the last line):

session info: proto=6 proto_state=01 duration=195 expire=3415 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=58369
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=4627/48/1 reply=4797/48/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=24->9/9->24 gwy=172.31.227.254/10.150.0.3
hook=post dir=org act=snat 10.150.0.3:54920->172.31.227.254:22(172.31.225.38:58892)
hook=pre dir=reply act=dnat 172.31.227.254:22->172.31.225.38:58892(10.150.0.3:54920)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000382 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=10.150.0.3, bps=165
npu_state=0x000002 proxy

Troubleshooting
diagnose command: diagnose npu spm dos synproxy <sp_id>

FG3K1B-1 # diagnose npu spm dos synproxy 0
Number of proxied TCP connections                 : 9  (1)
Number of working proxied TCP connections         : 1  (2)
Number of retired TCP connections                 : 8  (3)
Number of valid TCP connections                   : 4294967290 (4)
Number of attacks, no ACK from client             : 1  (5)
Number of no SYN-ACK from server                  : 6  (6)
Number of reset by server (service not supportted): 2  (7)
Number of establised session timeout              : 1  (8)
Client timeout setting                            : 3 Seconds
Server timeout setting                            : 3 Seconds

(1): SYNs received and answered by the SYN proxy
(2): currently established (proxied) TCP connections
(3): removed connections (closed)
(4): available resources (the value shown here, 4294967290 = 2^32 - 6, is a 32-bit counter that appears to have wrapped, so do not read it as a real count)
(5): SYN packets classified as attack: a SYN was received but the client never confirmed the proxy's SYN/ACK with its ACK
(6): SYNs forwarded by the SYN proxy to the server for which no SYN/ACK has been received from the server
(7): RST received from the server (e.g. a SYN was forwarded to a TCP port on the server where no daemon is listening)
(8): established sessions closed by the session idle timeout