<img alt="" src="https://secure.leadforensics.com/89462.png" style="display:none;">
UNDER ATTACK?

MX7000: A powerful, versatile 'cloud-in-a-box' DDoS mitigation solution.
Learn more

In Q1 2020, DDoS attacks rose more than 278% compared to Q1 2019 and more than 542% compared to the last quarter.
Download the report

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Nexusguard Research Nexusguard Research
Jul 31, 2020

Could “Bypass Attacks” become the New Normal?

Nexusguard Product Nexusguard Product
Jun 17, 2020

Reaping the Benefits of DDoS Incident Handling Automation

Nexusguard Product Nexusguard Product
May 28, 2020

How to detect and mitigate Bit-and-piece DDoS attack

Featured Stories

Blog Home
Nexusguard Product
By
January 14, 2020

Mitigating TCP SYN floods

  DDoS DDoS Threat Report TCP SYN flood DNSSEC

On the Nexusguard platform, you can configure protection from TCP SYN flood attacks. The mechanism works like this: When a client sends a connection request (SYN segment) to the host, the platform intercepts the SYN segment and responds to the client with a SYN/ACK segment. The platform waits the specified timeout period for the return ACK from the client to complete the TCP handshake. 

 

If the platform does not receive a return ACK during the timeout period, it drops the packet. If the platform receives a return ACK, indicating that the client is legitimate and is not spoofed, it establishes a connection with the requested server and forwards the original connection request. 

blog_images-02

As a second layer of defence, the platform can be configured to limit the number of embryonic (half-open) connections. When the embryonic connection threshold of a connection is crossed, the platform acts as a proxy for the server and generates a SYN-ACK response to the client’s SYN request using the SYN cookie method. When the platform receives an ACK back from the client, it can then authenticate that the client is real and allow the connection to the backend server. 

 

Last but not the least, Nexusguard’s mitigation platform employs global BGP Anycast to disperse and mitigate attack traffic across the global scrubbing network, ensuring extreme resilience and low latency during attack time.

Popular Stories

Torshammer: A Tool with Slow-rate DDoS Impact on Apache Servers Oct 22, 2014
VAPT on Static Website Aug 26, 2019
Can “clean pipe” really clean dirty traffic? Jul 17, 2018

If the platform does not receive a return ACK during the timeout period, it drops the packet. If the platform receives a return ACK, indicating that the client is legitimate and is not spoofed, it establishes a connection with the requested server and forwards the original connection request.



Related articles

COVID-19 pandemic causing the most significant increase in DDoS attacks ever

How Vietnam networks unwittingly expose themselves to IoT botnet exploits

Communications Service Providers (CSPs) are being brought to their knees by “Bit-and-Piece” attacks that fly under the radar

SOLUTIONS
PRODUCTS & SERVICES
PARTNERS
ACADEMY
RESOURCES
ABOUT US

© Copyright 2020. Nexuguard Limited.
All Rights Reserved. Read Our Privacy Policy.