====== Protection against SYN flood attack ======
{{indexmenu_n>2}}
<note tip>The service can be configured through the GUI. [[dpi:dpi_components:dpiui:user_guide:ssg_control_section:services#protect_from_ddos|Instruction]]</note>
A SYN flood exhausts resources on the target system. For every SYN packet the target has to allocate memory for a half-open connection, search its session table, or generate a SYN+ACK reply; the latter carries a cryptographic cookie (a SYN cookie), whose computation costs significant CPU time. In practice denial of service sets in at an incoming rate of roughly 100,000 to 500,000 SYN packets per second. Note that even a 1 Gb/s link lets an attacker send up to 1.5 million minimum-size packets per second at the target site.
VAS Experts DPI implements SYN flood protection as follows:
- it detects an attack when the share of SYN requests left unconfirmed by clients exceeds a threshold;
- it answers SYN requests itself, on behalf of the protected site, so the site holds no state for them;
- it opens the TCP session to the protected site only after the client has confirmed the request (completed the handshake).
**Configuration parameters of this protection:**
Switches the protection mode (default is 0; can be changed online).\\
Acceptable values:\\
0 - protection is off\\
1 - protection is activated automatically when an attack is detected\\
2 - protection is always on\\
<code>syncf_protection=1</code>
The percentage of client SYN requests left unconfirmed beyond which the protection is activated automatically (default value is 5; can be changed online):
<code>syncf_unconfirmed_percent=30</code>
The number of SYN packets per second without acknowledgement that is still considered normal; below this rate the automatic mode does not trigger (default value is 50):
<code>syncf_threshold=50</code>
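As an added example (not VAS Experts DPI code, and not a description of its internals), the Python model below plays out the three steps above using the parameters just listed: a proxy answers SYNs with a cookie instead of the site, counts confirmed and unconfirmed requests per one-second window, and opens a backend session only after a matching ACK. Assumptions not stated on the page: the cookie is an HMAC over the connection 4-tuple and client ISN, and automatic mode trips when, in a one-second window, the SYN rate exceeds `syncf_threshold` and the unconfirmed share exceeds `syncf_unconfirmed_percent`. The addresses and traffic are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example, not VAS Experts DPI code. Secret fixed for reproducibility;
# a real SYN proxy rotates it and expires old cookies.
SECRET = b"demo-secret-rotate-me"
SITE = "192.0.2.10"          # the protected site (documentation address)
MASK32 = 0xFFFFFFFF


@dataclass
class Config:
    syncf_protection: int = 1           # 0 off, 1 automatic, 2 always on
    syncf_unconfirmed_percent: int = 30
    syncf_threshold: int = 50


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn):
    """Sequence number the proxy puts in its SYN+ACK instead of a random ISN.
    Assumed scheme: HMAC over the 4-tuple and client ISN, so no per-SYN state
    is kept; the value is recomputed when the client's ACK arrives."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}:{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynProxy:
    def __init__(self, cfg):
        self.cfg = cfg
        self.active = cfg.syncf_protection == 2
        self.backend_sessions = []   # state the protected site actually has to hold
        self.syns = 0                # SYNs seen in the current one-second window
        self.confirmed = 0           # handshakes completed in the window

    def tick(self):
        """Once per second: in automatic mode decide whether protection is on
        (assumed rule: rate above syncf_threshold AND unconfirmed share above
        syncf_unconfirmed_percent). Returns the resulting state."""
        if self.cfg.syncf_protection == 1:
            unconfirmed = self.syns - self.confirmed
            pct = 100.0 * unconfirmed / self.syns if self.syns else 0.0
            self.active = (self.syns > self.cfg.syncf_threshold
                           and pct > self.cfg.syncf_unconfirmed_percent)
        self.syns = self.confirmed = 0
        return self.active

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_isn):
        """Returns the cookie sent in SYN+ACK, or None if the SYN was passed through."""
        self.syns += 1
        if not self.active:
            # No protection: the site itself allocates a half-open connection.
            self.backend_sessions.append((src_ip, src_port, "half-open"))
            return None
        return syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, client_isn, ack):
        """Third handshake packet. Under protection the ACK must equal cookie+1;
        only then is a session to the protected site opened."""
        if self.active:
            expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn) + 1) & MASK32
            if ack != expected:
                return False          # forged or replayed ACK: dropped, no backend state
            self.backend_sessions.append((src_ip, src_port, "established"))
        self.confirmed += 1
        return True


def handshake(proxy, ip, port=40000, isn=1000):
    """A well-behaved client: answers whatever SYN+ACK it receives."""
    cookie = proxy.on_syn(ip, port, SITE, 80, isn)
    ack = 0 if cookie is None else (cookie + 1) & MASK32
    return proxy.on_ack(ip, port, SITE, 80, isn, ack)


def run_flood_scenario(cfg, legit=20, flood=500):
    """Three one-second windows: baseline, flood start, same flood under protection."""
    proxy = SynProxy(cfg)
    for i in range(legit):                       # second 1: normal traffic only
        handshake(proxy, f"10.0.0.{i + 1}")
    baseline_active = proxy.tick()
    for i in range(flood):                       # second 2: spoofed SYNs, never ACKed
        proxy.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, SITE, 80, i)
    for i in range(legit):
        handshake(proxy, f"10.0.0.{i + 1}")
    reached = sum(1 for s in proxy.backend_sessions if s[0].startswith("203.0.113."))
    activated = proxy.tick()
    before = len(proxy.backend_sessions)         # second 3: protection now on
    for i in range(flood):
        proxy.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, SITE, 80, i)
    for i in range(legit):
        handshake(proxy, f"10.0.0.{i + 1}")
    return {
        "baseline_active": baseline_active,
        "flood_syns_reaching_site_before_activation": reached,
        "activated": activated,
        "backend_sessions_added_under_protection": len(proxy.backend_sessions) - before,
    }


def forged_ack_rejected():
    """With protection always on, an ACK that does not match the cookie opens nothing."""
    proxy = SynProxy(Config(syncf_protection=2))
    cookie = proxy.on_syn("198.51.100.7", 5555, SITE, 80, 42)
    accepted = proxy.on_ack("198.51.100.7", 5555, SITE, 80, 42, (cookie + 2) & MASK32)
    return (not accepted) and len(proxy.backend_sessions) == 0
```

In the scenario, the 500 spoofed SYNs of the second window all reach the site because the automatic mode has not yet tripped; once it has, the same flood costs the site nothing and only the 20 legitimate handshakes turn into backend sessions. Setting `syncf_protection=2` skips the detection step and proxies every SYN from the start, at the price of answering every connection attempt with a cookie computation even when no attack is under way.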