This article explains why FortiDDoS may continue to forward SYN packets under a SYN flood attack even though the threshold for SYN packets has been set.
FortiDDoS v4.1 and later
SYN mitigation happens only when all of the following criteria/settings are met:
SYN validation is enabled under TCP session feature control (SPP settings). It is disabled by default so that the learning period can take place.
The SYN mitigation direction checkbox is checked (Inbound is checked by default).
A SYN flood has been detected, meaning that one of the following thresholds has been crossed: SYN, SYN per source, or SYN per destination.
The SPP is in prevention mode.
When SYN flood mitigation is active, all SYN packets are dropped unless they come from sources that are in the LIP (Legitimate IP) table. Every SYN packet that does not come from a source in the LIP table is challenged by the configured SYN mitigation method. As soon as a legitimate client passes that challenge (SYN cookie, the default; ACK cookie; or SYN retransmission), its source IP is added to the LIP table.
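The following Python model ties the two parts of the article together: the four conditions that must all hold before mitigation starts, and the LIP-table gating with a SYN-cookie challenge. It is an added illustration written for this article, not FortiDDoS code: the SPP field names, thresholds, time-slot handling, the HMAC-based cookie construction and the sample addresses are all constructed here, and the actual cookie format used by the appliance is not described on this page.

```python
"""Illustrative model of the SYN-flood mitigation flow described above.
Not FortiDDoS code: names, thresholds and traffic are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

COOKIE_SECRET = secrets.token_bytes(32)  # keys the SYN cookie (constructed; rotated in practice)
MASK32 = 0xFFFFFFFF


@dataclass
class Spp:
    """One SPP's settings and state, mirroring the four conditions in the article."""
    syn_validation: bool = False       # TCP session feature control; off by default
    inbound_mitigation: bool = True    # SYN mitigation direction; Inbound on by default
    prevention_mode: bool = False      # detection mode otherwise
    syn_threshold: int = 1000          # aggregate SYN/s (constructed value)
    syn_per_src_threshold: int = 100   # SYN/s from one source (constructed value)
    syn_per_dst_threshold: int = 500   # SYN/s to one destination (constructed value)
    lip_table: set = field(default_factory=set)  # sources that passed the challenge


def syn_flood_detected(spp, syn_rate, per_src, per_dst):
    """A flood is detected when any one of the three SYN thresholds is crossed."""
    return (syn_rate > spp.syn_threshold
            or any(r > spp.syn_per_src_threshold for r in per_src.values())
            or any(r > spp.syn_per_dst_threshold for r in per_dst.values()))


def mitigation_active(spp, flood_detected):
    """All four conditions must hold; otherwise SYNs are forwarded untouched."""
    return (spp.syn_validation and spp.inbound_mitigation
            and flood_detected and spp.prevention_mode)


def syn_cookie(src, dst, sport, dport, slot):
    """32-bit cookie: keyed MAC over the 4-tuple and a coarse time slot, so no
    per-connection state is kept until the client proves it can complete the handshake."""
    msg = f"{src}|{dst}|{sport}|{dport}|{slot}".encode()
    mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def handle_syn(spp, pkt, slot, flood_detected):
    """Return 'forward' or ('challenge', cookie). A challenged SYN is dropped and
    a SYN-ACK with seq=cookie is sent on the server's behalf."""
    if not mitigation_active(spp, flood_detected) or pkt["src"] in spp.lip_table:
        return "forward"
    return ("challenge", syn_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], slot))


def handle_ack(spp, pkt, slot):
    """Valid if ack == cookie+1 for the current or previous slot (tolerates roll-over).
    On success the source enters the LIP table; a guessed ack number is rejected."""
    got = (pkt["ack"] & MASK32).to_bytes(4, "big")
    for s in (slot, slot - 1):
        cookie = syn_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], s)
        want = ((cookie + 1) & MASK32).to_bytes(4, "big")
        if hmac.compare_digest(want, got):
            spp.lip_table.add(pkt["src"])
            return True
    return False


def run_scenario():
    """Constructed traffic: one spoofed flooding source plus one real client."""
    spp = Spp(syn_validation=True, prevention_mode=True)
    per_src = {"203.0.113.7": 150, "198.51.100.10": 2}   # 150 SYN/s crosses per-source threshold
    per_dst = {"192.0.2.80": 152}
    flood = syn_flood_detected(spp, syn_rate=152, per_src=per_src, per_dst=per_dst)

    slot = 42
    spoofed = {"src": "203.0.113.7", "dst": "192.0.2.80", "sport": 40000, "dport": 443}
    client = {"src": "198.51.100.10", "dst": "192.0.2.80", "sport": 51515, "dport": 443}
    results = {}
    # Spoofed source is challenged and never answers, so nothing reaches the server.
    results["spoofed_syn"] = handle_syn(spp, spoofed, slot, flood)
    # Real client is challenged, echoes cookie+1 in its ACK (one slot later) and enters the LIP table.
    action = handle_syn(spp, client, slot, flood)
    results["client_first_syn"] = action[0]
    results["client_ack_ok"] = handle_ack(spp, {**client, "ack": (action[1] + 1) & MASK32}, slot + 1)
    results["forged_ack"] = handle_ack(spp, {**spoofed, "ack": 12345}, slot)
    # While the flood continues, later SYNs from the validated client are forwarded.
    results["client_second_syn"] = handle_syn(spp, client, slot + 1, flood)
    results["lip_table"] = sorted(spp.lip_table)
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The model also shows the situation the article opens with: with the default `Spp()` settings (SYN validation disabled) `mitigation_active` is false even when a flood is detected, so every SYN is forwarded regardless of the thresholds.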