
Syn flood protection

lunatiic

IS-IT--Management
Sep 4, 2002
Hi all!
I have some strange problem with my Raptor Firewall 6.5 on Windows NT.

Some of our customers from certain domains were not able to send mail to our domain. If they sent it from hotmail.com they were able to send mail to us.
When I spoke to their technicians they told me that it had something to do with SYN flood protection.
When I disable SYN flood protection they are able to send me mail, but I told them that this was not a resolution, just a quick way to avoid the problem at the moment.
So they are still not able to send me mail, unless I decide to disable SYN flood protection.
Have you heard anything more about this? It was something about this.

This is the answer that I received from their tech support.

----------------------------------------------------------
"The problem occurs when the email is sent to a system behind a Raptor
firewall. The raptor firewall adds 1000000 to the sequence number of the
mail, which is consequently rejected by the firewall on our mail servers as
it checks the sequence numbers and this value is out of range. There is
currently no solution to this problem."

----------------------------------------------------------

What can I do? They are not willing to co-operate with me on another solution.

Have any of you heard anything like this? What type of firewalls have this stupid behaviour?

Thanks in advance!
 
First let me say that the response is not 100% correct. The issue is the way the communication happens. I wrote this response in frustration, so I hope that when you read it you understand it is not specifically you, just the general attitude towards expectations towards support.

The real issue is not anyone's but yours. In normal Internet communication it is customary to initiate the transaction with a "3-way handshake": SYN, SYN-ACK, ACK. When you turn this feature on, the firewall does not properly respond, so the attack does not proceed. It is the only reasonable way to do this. The SYN flood protection was NOT (really, and honestly) meant to be used all the time, for JUST this reason. You should only use it while under attack, because it moves the firewall into a "Rude" state.

A lot of systems out there ignore the firewall, and refuse communication to it. This is what you have asked for when you check that box. This feature was part of a larger set of tools, called NetProwler. This IDS system would turn this feature on when under attack. You can do the same thing by hand if you wish; however, while in this RUDE state your system WILL not get email from some servers, who refuse to talk to RUDE state machines.

To be honest, I wrote this email 4 times. Each time it got quite rude itself. The reason is, you want the firewall to protect you; sometimes, in order to protect you from attacks, the firewall has to perform in ways other machines may not like. The firewall does not care. Its only job is to protect you. If you opt to turn on this protection 24/7, then you pay the price for it: sometimes email will not come through. If you use it like it is supposed to be used, only when under attack, you still will only get email from certain systems, but only when SYN flood protection is on.

Sometimes, when you are under the gun, and pressure is coming from above, it is easy to blur a firewall issue with a choice you have made. I myself have made this mistake plenty of times, but it still does not make it right. The technicians are there (I hope) to give you a leg up when you are lost. They are not your beating posts over your decisions. No one should break the standards for Internet traffic, but there are hackers. Sometimes it is necessary to do it for a short time, to protect your assets. Remember, that is a choice you made, to force the firewall into that state, and if you decide to do it 24/7, more power to you in your decision. Still not a firewall problem.
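The reply above describes the 3-way handshake and says that with SYN flood protection on, the firewall no longer answers it in the normal way, while the support quote in the first post says the protected side's sequence number arrives offset by 1,000,000 and a strict peer that checks sequence numbers drops the connection as out of range. The following is an added toy model of that interaction, written for this thread; it is not Raptor, NetProwler or any vendor's code. The only mechanism it assumes, purely to reproduce the out-of-range condition the quote mentions, is that the offset appears on the handshake reply but not on the later segments of the same connection; the window tolerance, the ISNs and the segment list are constructed values.

```python
"""Toy model of a strict, stateful sequence-number check across a TCP handshake.

Constructed example for this thread, not vendor code. A "strict inspector"
learns each peer's initial sequence number (ISN) from its SYN / SYN-ACK and
afterwards only lets through segments whose sequence number lies within a
window of what it expects. With "SYN flood protection" on, the handshake reply
is sent with the sequence number offset by SEQ_OFFSET (the figure quoted in the
thread); the later data segment then falls outside the inspector's window and
is dropped, which is the failure the thread describes.
"""
from dataclasses import dataclass, field

SEQ_OFFSET = 1_000_000   # offset quoted in the thread; modelled here, not taken from any product
WINDOW = 65_535          # constructed: how far from the expected seq the strict peer tolerates
MOD = 2 ** 32            # TCP sequence numbers wrap at 32 bits


@dataclass
class Segment:
    src: str            # "client" (sending mail server) or "server" (protected side)
    flags: str          # "SYN", "SYN-ACK", "ACK", "PSH-ACK"
    seq: int
    ack: int = 0
    payload_len: int = 0


def in_window(seq: int, expected: int) -> bool:
    """True if seq is within WINDOW bytes at or after expected, modulo 2**32."""
    return (seq - expected) % MOD < WINDOW


@dataclass
class StrictInspector:
    """Stateful middlebox tracking each peer's next expected sequence number."""
    expected: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def inspect(self, seg: Segment) -> bool:
        """Return True if the segment passes, False if it is dropped as out of range."""
        consumes = seg.payload_len + (1 if "SYN" in seg.flags else 0)  # SYN occupies one seq number
        if "SYN" in seg.flags and seg.src not in self.expected:
            # First segment seen from this peer: learn its ISN.
            self.expected[seg.src] = (seg.seq + consumes) % MOD
            self.log.append(f"{seg.src} {seg.flags} seq={seg.seq}: learned ISN")
            return True
        exp = self.expected.get(seg.src)
        if exp is None or not in_window(seg.seq, exp):
            self.log.append(f"{seg.src} {seg.flags} seq={seg.seq}: out of range (expected {exp}), dropped")
            return False
        self.expected[seg.src] = (seg.seq + consumes) % MOD
        self.log.append(f"{seg.src} {seg.flags} seq={seg.seq}: ok")
        return True


def handshake_and_data(client_isn: int, server_isn: int, syn_flood_protection: bool) -> list:
    """Run SYN / SYN-ACK / ACK plus one server data segment through a StrictInspector.

    Returns one True/False per segment. With syn_flood_protection=True the
    SYN-ACK carries server_isn + SEQ_OFFSET while the server's later data
    segment still starts at server_isn + 1 (the modelling assumption), so the
    strict inspector sees the data as out of range and drops it.
    """
    syn_ack_seq = (server_isn + SEQ_OFFSET) % MOD if syn_flood_protection else server_isn
    segments = [
        Segment("client", "SYN", client_isn),
        Segment("server", "SYN-ACK", syn_ack_seq, ack=client_isn + 1),
        Segment("client", "ACK", client_isn + 1, ack=syn_ack_seq + 1),
        # constructed SMTP banner from the protected side, 20 bytes of payload
        Segment("server", "PSH-ACK", (server_isn + 1) % MOD, ack=client_isn + 1, payload_len=20),
    ]
    inspector = StrictInspector()
    results = [inspector.inspect(s) for s in segments]
    for line in inspector.log:
        print("  " + line)
    return results


if __name__ == "__main__":
    for protected in (False, True):
        print("SYN flood protection", "on:" if protected else "off:")
        print("  verdicts:", handshake_and_data(1000, 5000, protected))
```

Run as a script, the "off" case passes all four segments and the "on" case drops the server's first data segment with an "out of range" log line, which is the symptom the original poster saw from the peer that checks sequence numbers. The model is deliberately minimal: a real stateful firewall also tracks ACK numbers, window scaling and retransmissions, but the one check shown is enough to see why a peer that refuses "out of range" sequence numbers will not complete a mail session while the protective mode is on.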
 
SYN Flood protection slows Raptor system performance. It is recommended that you use this feature only when you suspect you are under attack.

 
OK, so how does one turn it off?

Alshrim
System Administrator
MCSE, MCP+Internet
 
Never mind, figured it out.

For those that are trying this:

SYN flood protection is configured on the outside interface (NIC) on the firewall, in the OPTIONS tab.

Uncheck the SYN Flood protection checkbox.

Thanks for the info guys, great explanation.

Cheers..

Alshrim
System Administrator
MCSE, MCP+Internet
 