SYN flooding attack protection

The SYN flooding attack protection feature of TCP detects symptoms of SYN flooding and responds by reducing the time server spends on connection requests that it cannot acknowledge.

Specifically, TCP shortens the required interval between SYN-ACK (connection request acknowledgements) retransmissions. (TCP retransmits SYN-ACKS when they are not answered.) As a result, the allotted number of retransmissions is consumed quicker and the unacknowledgeable connection request is discarded faster.

When enabled, the system monitors the connections maintained by TCP and starts SYN attack flooding protection when the any of the following conditions symptomatic of SYN flooding obtain:

• The total number of connections in the half-open (SYN-RCVD) state exceeds the value of TcpMaxHalfOpen;
• The number of connections that remain in the half-open (SYN-RCVD) state even after a connection request has been retransmitted exceeds the value of TcpMaxHalfOpenRetried;
• The number of connection requests the system refuses exceeds the value of TcpMaxPortsExhausted. The system must refuse all connection requests when its reserve of open connection ports runs out.

SYN flooding protection is enabled when the value of SynAttackProtect is 1 and the value of TcpMaxConnectResponseRetransmissions is at least 2.