Mitigating TCP SYN Floods

UNDER ATTACK?
DDoS Statistical Report for 1HY 2023

The DDoS Statistical Report for 1HY 2023 shows significant changes in attack patterns and trends in the first half of 2023, revealing details of attack size, duration, types, categories, distribution and targets.  Learn More

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Nexusguard Product Nexusguard Product
Nov 27, 2023

Protecting your websites with DNS-Based Authentication of Named Entities (DANE)

Nexusguard Product Nexusguard Product
Nov 02, 2023

Cyber Insurance: Protecting Your Business in a Constantly Evolving Cybersecurity Landscape

Nexusguard Product Nexusguard Product
Oct 30, 2023

CVE-2023-44487 HTTP/2 Rapid Reset Attack

Featured Stories

Blog Home
Nexusguard Product
By
January 14, 2020

Mitigating TCP SYN floods

  DDoS DDoS Threat Report TCP SYN flood DNSSEC

On the Nexusguard platform, you can configure protection from TCP SYN flood attacks. The mechanism works like this: When a client sends a connection request (SYN segment) to the host, the platform intercepts the SYN segment and responds to the client with a SYN/ACK segment. The platform waits the specified timeout period for the return ACK from the client to complete the TCP handshake. 

 

If the platform does not receive a return ACK during the timeout period, it drops the packet. If the platform receives a return ACK, indicating that the client is legitimate and is not spoofed, it establishes a connection with the requested server and forwards the original connection request. 

blog_images-02

As a second layer of defence, the platform can be configured to limit the number of embryonic (half-open) connections. When the embryonic connection threshold of a connection is crossed, the platform acts as a proxy for the server and generates a SYN-ACK response to the client’s SYN request using the SYN cookie method. When the platform receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the backend server. 

 

Last but not the least, Nexusguard’s mitigation platform employs global BGP Anycast to disperse and mitigate attack traffic across the global scrubbing network, ensuring extreme resilience and low latency during attack time.

Popular Stories

What is an AI-Powered DDoS Attack? Apr 19, 2023
DDoS Protection for SASE / Zero-Trust Resilience Aug 01, 2023
Preventing Slow HTTP Attacks Nov 08, 2021

If the platform does not receive a return ACK during the timeout period, it drops the packet. If the platform receives a return ACK, indicating that the client is legitimate and is not spoofed, it establishes a connection with the requested server and forwards the original connection request.



Related articles

Protecting Your Network Against DDoS-For-Hire Attacks

Uncovering a New Threat: Malware Campaigns Disguised as Google Bard Ads on Facebook

DDoS Protection for SASE / Zero-Trust Resilience

SOLUTIONS
PRODUCTS & SERVICES
PARTNERS
ACADEMY
RESOURCES
ABOUT US

© 2023 Nexusguard - All Rights Reserved. Read Our Privacy Policy.