<img alt="" src="https://secure.leadforensics.com/89462.png" style="display:none;">

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Nexusguard Product Nexusguard Product
Jan 14, 2020

Mitigating TCP SYN floods

Nexusguard Research Nexusguard Research
Jan 07, 2020

Single targets, multiple innocent victims

Nexusguard Product Nexusguard Product
Dec 25, 2019

Ready for Holidays? Web Application Firewall for Sensitive Data Security for Online Shopping

Featured Stories

Blog Home
Nexusguard Product
By
January 14, 2020

Mitigating TCP SYN floods

  DDoS DDoS Threat Report TCP SYN flood DNSSEC

On the Nexusguard platform, you can configure protection from TCP SYN flood attacks. The mechanism works like this: When a client sends a connection request (SYN segment) to the host, the platform intercepts the SYN segment and responds to the client with a SYN/ACK segment. The platform waits the specified timeout period for the return ACK from the client to complete the TCP handshake. 

 

If the platform does not receive a return ACK during the timeout period, it drops the packet. If the platform receives a return ACK, indicating that the client is legitimate and is not spoofed, it establishes a connection with the requested server and forwards the original connection request. 

blog_images-02

As a second layer of defence, the platform can be configured to limit the number of embryonic (half-open) connections. When the embryonic connection threshold of a connection is crossed, the platform acts as a proxy for the server and generates a SYN-ACK response to the client’s SYN request using the SYN cookie method. When the platform receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the backend server. 

 

Last but not the least, Nexusguard’s mitigation platform employs global BGP Anycast to disperse and mitigate attack traffic across the global scrubbing network, ensuring extreme resilience and low latency during attack time.

Popular Stories

Little droplets form roaring ocean Jan 03, 2019
Torshammer: A Tool with Slow-rate DDoS Impact on Apache Servers Oct 22, 2014
Can “clean pipe” really clean dirty traffic? Jul 17, 2018

Popular Tags

DDoS Cybersecurity DDoS Protection Cyber Attack Communications Service Provider Amplification Attack Botnet DNS Attack Memcached Attack DDoS Threat Report DNSSEC Malware TCP SYN flood Vulnerabilities DNS Amplification Data Protection Financial Sector IoT Protest Ransom SSDP Satori Banking and Finance Big Data Analytics Bitcoin Blackhat Blackhole Class-C Clean Pipe Cloud service provider Data Privacy Domain Hijack Fatal Blow HTML5 HTTP attack ISP Lethal Problems Meltdown Mirai Multi-vector attack Mumsnet Nepel Network Breach Nexusguard Partner Program Online Retailing Origin Protection Patch Pentagon Pentester Potential Problem Infrastructures Practitioner RCE Vulnerability Replay Attacks SegmentSmack Shellshock Smart City Security South Africa Spectre TAP Torshammer Trojan Turkish General Election Ukrainian Presidential Election WAF Wordpress World Cup big bill cleanpipe cloud cloud service providers government internet of things partnership smokescreen telegram zero-day attack

If the platform does not receive a return ACK during the timeout period, it drops the packet. If the platform receives a return ACK, indicating that the client is legitimate and is not spoofed, it establishes a connection with the requested server and forwards the original connection request.

Comments Form:

Related articles

Single targets, multiple innocent victims

South Africa less than ready for DDoS attacks

DNSSEC Fuels New Wave of DNS Amplification