Hardware defences against SYN flooding

["Thomas C. Greene" <tcgreene () bellatlantic net>]

http://www.theregister.co.uk/content/5/21284.html

[...]
Because the handshake is a necessary part of normal Net traffic, malicious
SYN packets are difficult to filter. You can cope with an attack by changing
the number of times your machine will re-try the SYN/ACK response, but
you'll also deny legitimate connections if you get too aggressive.

With this difficulty in mind, TechMavens' http://www.tech-mavens.com Ross
Oliver decided to benchmark several hardware solutions, all in roughly the
same price range, using a homebrew kit to simulate SYN floods against them.
He released his results at last week's USENIX Security Symposium in
Washington.

He established a baseline for his test server (Apache over Red Hat 7.1),
which, when unprotected, crashed at 100 SYNs/sec. The worst performers were
the Cisco PIX firewall http://www.cisco.com/warp/public/cc/pd/fw/sqfw500 and
Checkpoint's Firewall-1
http://www.checkpoint.com/products/firewall-1/index.html equipped with the
SYNDefender module.

The Cisco kit showed no advantage whatsoever, crashing at the baseline 100
SYNs/sec. Firewall-1 showed only marginally better results, breaking down
(i.e., dropping connections) at a lame 500 SYNs/sec, which can be exceeded
by only two or three boxes connected by T1, cable or DSL lines.

It's fair to note that while one expects at least some protection from any
firewall, the Cisco kit isn't marketed for SYN flood protection as the
Checkpoint kit obviously is.

Netscreen's Netscreen-100
http://www.netscreen.com/products/appliances.html#ns100 fared better,
breaking down after 14,000 SYNs/sec for a 28-fold performance improvement at
roughly the same price.

Only the Top Layer AppSafe switch
http://www.toplayer.com/products/hardware/index.html exceeded the test's
limits, showing no sign of stress while sustaining 22,000 SYNs/sec, the
maximum Oliver could throw at it with his rig. This would work out to about
one dollar per SYN during a fairly severe attack, which strikes us as rather
economical protection.

Of course we asked Top Layer if they had any idea where the AppSafe's
performance might top out. Marketing Director Dennis Anglin told us they're
currently benchmarking it (and, we'll bet, tweaking it), but haven't got any
solid numbers just yet.

The switch distinguishes 'normal', 'suspicious' and 'malicious' traffic
according to user-defined rules, and can be configured to lock out
troublesome IPs for anywhere from fifteen seconds to over a week.

We look forward to learning just how much punishment it can take. If any of
our readers using it have anecdotal data to pass along, we'd love to see it.
®