Purpose
Presents the hardware accelerated SYN proxy feature available with SP modules from CE4, XE2, XG2 cards and FortiGate 3140B.
Scope
FortiGate with Service Processor (build-in or with module)
Modules: ADM-XE2, ASM-CE4, FMC-XG2
FortiGate: FortiGate 3140B (built-in SP)
Diagram
Expectations, Requirements
Requirements:
Benefits:
FortiGate is a proxy for 3-way handshake SYN, SYN/ACK, ACK packets
Configuration
Snapshots from the GUI:
Verification
Example of attack logs detected by syn-proxy:
Attack log during continuous SYN Flood from source 10.150.0.3
Notes:
Example of firewall sessions for a syn-proxyfied connection:
Troubleshooting
diagnose command: diagnose npu spm dos synproxy <sp_id>
(1): received SYN
(2): Current established TCP connections
(3): removed connections (closed)
(4): available resources
(5): SYN packets detected as attacks where syn was received but not confirmed with a SYN/ACK
(6): SYN packets forwarded by SYN proxy to server but no response yet received from the server
(7): RST received from the server (ex: a syn was transmitted to a TCP port on the server were no daemon is listening
(8): Number of established sessions closed by the session idle timeout
Presents the hardware accelerated SYN proxy feature available with SP modules from CE4, XE2, XG2 cards and FortiGate 3140B.
Scope
FortiGate with Service Processor (build-in or with module)
Modules: ADM-XE2, ASM-CE4, FMC-XG2
FortiGate: FortiGate 3140B (built-in SP)
Diagram
Expectations, Requirements
Requirements:
- FortiGate with SP modules
- syn-proxy is applied on SP based interface receiving the traffic
Benefits:
- Better protection against SYN/Flood attacks compared to DoS action=block
=> let legitimate connection passing while attack SYN are dropped.
- Ingress port of the FortiGate must be SP based (but egress does not have to be)
- Works also with vlan interface and spoofed source attack
FortiGate is a proxy for 3-way handshake SYN, SYN/ACK, ACK packets
- no change in behavior when configured threshold is not reached.
- once SYN threshold is reached :
- SYN is transmitted to server side, only when client has sent the ACK
- SYN proxy performed in SP hardware
=> DoS attacks only sent SYN and don't confirm with SYN/ACK, ACK so theu can be blocked
=> Legitimate connections with syn/ack confirmations are allowed to go through
=> Legitimate connections with syn/ack confirmations are allowed to go through
Configuration
config system interface edit "port9" set vdom "root" set ip 172.31.225.38 255.255.252.0 set allowaccess ping https ssh http telnet fgfm set type physical next edit "port20_vlan150" set vdom "root" set ip 10.150.1.38 255.255.252.0 set allowaccess ping https ssh snmp http telnet set interface "port20" set vlanid 150 next end config ips DoS edit "syn_proxy" config anomaly edit "tcp_syn_flood" set status enable set log enable set action proxy set threshold 1 next end end config firewall interface-policy edit 1 set interface "port20_vlan150" set srcaddr "all" set dstaddr "all" set service "ANY" set ips-DoS-status enable set ips-DoS "syn_proxy" next end config firewall policy edit 2 set srcintf "port20_vlan150" set dstintf "any" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ANY" set nat enable next end |
Snapshots from the GUI:
Verification
Example of attack logs detected by syn-proxy:
Attack log during continuous SYN Flood from source 10.150.0.3
| 2012-05-29 20:59:15 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=13398 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14760 >= threshold 1 SYN PROXY, repeats 889144 times" 2012-05-29 20:58:14 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=41758 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14804 >= threshold 1 SYN PROXY, repeats 890823 times" |
Notes:
- Log is generated immediately when threshold is reached
- Log update every minutes on the attack
- Possible to count the SYN rate from “repeat” ( in this example : 889144/60 = 14819 syn / sec)
- Unlike 'block', no limit of valid TCP connections (even if threshold is reached)
Example of firewall sessions for a syn-proxyfied connection:
| session info: proto=6 proto_state=01 duration=195 expire=3415 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3 origin-shaper= reply-shaper= per_ip_shaper= ha_id=0 hakey=58369 policy_dir=0 tunnel=/ state=may_dirty statistic(bytes/packets/allow_err): org=4627/48/1 reply=4797/48/1 tuples=2 orgin->sink: org pre->post, reply pre->post dev=24->9/9->24 gwy=172.31.227.254/10.150.0.3 hook=post dir=org act=snat 10.150.0.3:54920->172.31.227.254:22(172.31.225.38:58892) hook=pre dir=reply act=dnat 172.31.227.254:22->172.31.225.38:58892(10.150.0.3:54920) pos/(before,after) 0/(0,0), 0/(0,0) misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0 serial=00000382 tos=ff/ff ips_view=0 app_list=0 app=0 dd_type=0 dd_rule_id=0 per_ip_bandwidth meter: addr=10.150.0.3, bps=165 npu_state=0x000002 proxy |
Troubleshooting
diagnose command: diagnose npu spm dos synproxy <sp_id>
| FG3K1B-1 # diagnose npu spm dos synproxy 0 Number of proxied TCP connections : 9 (1) Number of working proxied TCP connections : 1 (2) Number of retired TCP connections : 8 (3) Number of valid TCP connections : 4294967290 (4) Number of attacks, no ACK from client : 1 (5) Number of no SYN-ACK from server : 6 (6) Number of reset by server (service not supportted): 2 (7) Number of establised session timeout : 1 (8) Client timeout setting : 3 Seconds Server timeout setting : 3 Seconds |
(1): received SYN
(2): Current established TCP connections
(3): removed connections (closed)
(4): available resources
(5): SYN packets detected as attacks where syn was received but not confirmed with a SYN/ACK
(6): SYN packets forwarded by SYN proxy to server but no response yet received from the server
(7): RST received from the server (ex: a syn was transmitted to a TCP port on the server were no daemon is listening
(8): Number of established sessions closed by the session idle timeout
