This article explains why FortiDDoS may continue to forward SYN packets during a SYN flood attack even though a threshold for SYN packets has been set.

Scope
FortiDDoS v4.1 and later

Solution
SYN mitigation happens only when ALL of the following criteria/settings are met:

- SYN validation is enabled in TCP session feature control (SPP settings). By default it is disabled so that the learning period can take place.
- The SYN mitigation direction checkbox is checked (by default Inbound is checked).
- A SYN flood has been detected, meaning one of the following thresholds has been crossed: SYN, SYN per source or SYN per destination.
- The SPP is in prevention mode.

If any one of these conditions is not met, SYN packets keep being forwarded even though the SYN threshold has been crossed; crossing the threshold alone only detects the flood, it does not mitigate it.

When SYN flood mitigation does happen, all SYN packets are dropped unless they come from sources that are in the LIP (legitimate IP) table. Every SYN packet from a source that is not in the LIP table is challenged by the configured SYN mitigation method. As soon as a legitimate client passes the challenge (SYN cookie, the default; ACK cookie; or SYN retransmission), its source IP is added to the LIP table, and its subsequent SYN packets are forwarded.
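The following Python model is an added illustration of the gating logic and the SYN-cookie challenge described above. It is not FortiDDoS code: the setting names (`syn_validation`, `inbound_mitigation`, `prevention_mode`, `syn_flood_detected`), the `SppState`/`Packet` classes, the cookie construction (HMAC over the 4-tuple and a time epoch, a textbook scheme, not Fortinet's actual algorithm) and the IP addresses are all constructed for the example. It walks through the cases the article is about: a SYN that is still forwarded because only the threshold fired, a SYN that is challenged once all four conditions hold, a spoofed source that can never answer the challenge, and a legitimate client that answers and lands in the LIP table.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed key for the toy cookie; a real appliance rotates its own secret.
COOKIE_SECRET = b"constructed-demo-secret"


@dataclass
class Packet:
    direction: str      # "inbound" or "outbound" relative to the protected SPP
    src: str
    dst: str
    sport: int
    dport: int
    ack: int = 0        # ACK number carried by a bare ACK; 0 for a SYN


@dataclass
class SppState:
    """The four settings the article lists, plus the LIP table (hypothetical names)."""
    syn_validation: bool = False      # TCP session feature control; off by default (learning)
    inbound_mitigation: bool = True   # SYN mitigation direction; Inbound checked by default
    prevention_mode: bool = False     # SPP in prevention (not detection) mode
    syn_flood_detected: bool = False  # SYN, SYN/source or SYN/destination threshold crossed
    lip: set = field(default_factory=set)


def mitigation_active(s: SppState, direction: str) -> bool:
    """All four conditions must hold; otherwise SYNs are simply forwarded."""
    direction_ok = direction == "inbound" and s.inbound_mitigation
    return s.syn_validation and s.prevention_mode and s.syn_flood_detected and direction_ok


def syn_cookie(p: Packet, epoch: int) -> int:
    """Stateless 32-bit cookie bound to the 4-tuple and a time epoch (textbook scheme)."""
    msg = f"{p.src}:{p.sport}>{p.dst}:{p.dport}|{epoch}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def handle_syn(s: SppState, p: Packet, epoch: int):
    """Decide what happens to a SYN: ('forward', None) or ('challenge', synack_seq).

    Under an active mitigation the original SYN is dropped (never reaches the
    server); the client is answered with a SYN-ACK whose sequence number is the cookie.
    """
    if not mitigation_active(s, p.direction) or p.src in s.lip:
        return "forward", None
    return "challenge", syn_cookie(p, epoch)


def handle_ack(s: SppState, p: Packet, epoch: int) -> bool:
    """A bare ACK passes the challenge if ack == cookie + 1 for this or the previous
    epoch. Success adds the source to the LIP table; failure means the ACK is dropped."""
    for e in (epoch, epoch - 1):
        if p.ack == (syn_cookie(p, e) + 1) & 0xFFFFFFFF:
            s.lip.add(p.src)
            return True
    return False


def simulate():
    """Walk through the scenarios the article describes; returns the decisions."""
    out = {}
    syn = Packet("inbound", "203.0.113.10", "198.51.100.5", 40001, 443)

    # 1. Threshold crossed and SPP in prevention mode, but SYN validation still off
    #    (the default after learning): the SYN is forwarded anyway. This is the
    #    situation the article explains.
    s = SppState(prevention_mode=True, syn_flood_detected=True)
    out["validation_off"] = handle_syn(s, syn, epoch=100)[0]

    # 2. Detection mode only: the threshold fires but nothing is mitigated.
    s = SppState(syn_validation=True, syn_flood_detected=True)
    out["detection_mode"] = handle_syn(s, syn, epoch=100)[0]

    # 3. All four conditions true: the SYN is challenged.
    s = SppState(syn_validation=True, prevention_mode=True, syn_flood_detected=True)
    verdict, synack_seq = handle_syn(s, syn, epoch=100)
    out["challenged"] = verdict

    # 4. A spoofed source never sees the SYN-ACK and cannot answer; its repeated
    #    SYNs are challenged (dropped) every time and it never enters the LIP table.
    spoofed = Packet("inbound", "192.0.2.99", "198.51.100.5", 40002, 443)
    handle_syn(s, spoofed, epoch=100)
    out["spoofed_in_lip"] = spoofed.src in s.lip

    # 5. The legitimate client answers with cookie + 1, lands in the LIP table,
    #    and its next SYN is forwarded without a challenge.
    ack = Packet("inbound", syn.src, syn.dst, syn.sport, syn.dport,
                 ack=(synack_seq + 1) & 0xFFFFFFFF)
    out["ack_valid"] = handle_ack(s, ack, epoch=101)
    out["after_lip"] = handle_syn(s, syn, epoch=101)[0]

    # 6. A guessed ACK number is rejected.
    bad = Packet("inbound", "192.0.2.77", syn.dst, 40003, 443, ack=12345)
    out["bad_ack"] = handle_ack(s, bad, epoch=101)
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

The point to take from cases 1 and 2 is the one the article makes: a crossed SYN threshold on its own changes nothing about forwarding; only when validation, direction, flood detection and prevention mode all line up does the challenge (and the resulting drop of unchallenged SYNs) start, and only sources that complete the challenge are whitelisted in the LIP table.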