Help
FortiDDoS
FortiDDoS protects from both known and zero day attacks with very low latency. It’s easy to deploy and manage, and includes comprehensive reporting and analysis tools.
cbenejean
Staff
Staff

Created on ‎12-18-2017 12:36 AM

Article Id 192873

Technical Note: SYN mitigation

Description
This article explains why FortiDDoS may continue to forward SYN packets under a SYN flood attack even though the threshold for SYN packets has been set.

Scope
FortiDDoS v4.1 and later

Solution
The SYN mitigation happens only when the ALL the following criteria/settings are set:
  • SYN validation needs to be enabled in TCP session feature control (SPP settings).  By default it is disabled (for the learning period to happen)
  • SYN mitigation direction checkbox is checked (by default Inbound is checked)
  • SYN flood has been detected, it means that one of the following thresholds has been crossed: SYN, SYN per source or SYN per destination
  • SPP is in prevention mode
When the SYN flood mitigation happens, all SYN packets are dropped unless they are from sources that are in the LIP table.  Every SYN packet that does not come from a source in LIP table are challenged by the SYN mitigation method.  As soon as a legitimate client passes the SYN mitigation method challenge (SYN cookie – the default; ACK cookie or SYN re-transmission) the source IP is added to the LIP table.

1265
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.