SYN Cookie Operation


59824
Created On 09/26/18 13:54 PM - Last Modified 06/12/23 21:15 PM


Resolution


A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target system. SYN cookies are the key element of a technique used to guard against such flood attacks. The use of SYN cookies allows a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged: it sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry. If the server then receives the subsequent ACK from the client, it is able to reconstruct the SYN queue entry from information encoded in the TCP sequence number.

The Palo Alto Networks device maintains session translation to reconcile the sequence numbers between the source and the server as follows:

  • Each time the dataplane boots up, the seed used to encode the cookie is generated by the random number generator.
  • TCP connections processed with SYN cookies increment global counters of the form flow_dos_syncookie_xxxx, which record hits for each case.
  • If a received ACK packet does not match the cookie encoding, it is treated as an ordinary non-SYN TCP packet and may be discarded depending on the configured setting.
  • A session that passes the SYN cookie check is subject to TCP sequence number translation, because the firewall performs a proxied 3-way handshake. Those sessions are marked with destination translation enabled.
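As an added illustration of the steps above (this is not PAN-OS code; it is a simplified RFC 4987-style cookie with a constructed seed and made-up addresses), the following Python encodes the queue entry in the ISN, validates the returning ACK against the seed and time counter, and derives the sequence-number translation needed once the proxied handshake has given the server its own ISN:

```python
import hashlib
import hmac
import os

# Constructed analogue of the per-boot seed: generated once when the dataplane starts.
SEED = os.urandom(16)

# The client's MSS is compressed to a 2-bit index so it fits inside the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac(seed, saddr, sport, daddr, dport, count):
    """25-bit keyed MAC over the 4-tuple and the time counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}|{count}".encode()
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(seed, saddr, sport, daddr, dport, mss, count):
    """ISN placed in the SYN+ACK: 5-bit counter | 2-bit MSS index | 25-bit MAC.
    No queue entry is stored; everything needed later lives in this value."""
    count &= 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (count << 27) | (mss_idx << 25) | _mac(seed, saddr, sport, daddr, dport, count)


def check_ack(seed, saddr, sport, daddr, dport, ack, count_now, max_age=1):
    """Validate the client's ACK and rebuild the queue entry (here: the MSS).
    Returns (True, mss) on a match, (False, None) otherwise; a non-matching
    ACK is what the text above calls the fallback to a non-SYN packet."""
    cookie = (ack - 1) & 0xFFFFFFFF
    mss_idx = (cookie >> 25) & 0x3
    for age in range(max_age + 1):  # accept only recent counter values
        count = (count_now - age) & 0x1F
        expected = (count << 27) | (mss_idx << 25) | _mac(seed, saddr, sport, daddr, dport, count)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True, MSS_TABLE[mss_idx]
    return False, None


def seq_translation(cookie_isn, server_isn):
    """After the proxied handshake the real server chose its own ISN, so the
    device shifts sequence numbers on every packet of the session.
    Returns (to_client, to_server): SEQ rewrite server->client, ACK rewrite client->server."""
    delta = (server_isn - cookie_isn) & 0xFFFFFFFF
    to_client = lambda seq: (seq - delta) & 0xFFFFFFFF
    to_server = lambda ack: (ack + delta) & 0xFFFFFFFF
    return to_client, to_server
```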

owner: panagent


