TCP SYN with data attack block by the firewall but increase the latency of data traffic

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

TCP SYN with data attack block by the firewall but increase the latency of data traffic

L3 Networker

Hi Support,

 

We recently notice have latency in our network , when we investigate found a lot threat logs from TCP SYN with data has been block by firewall as we have DDOS protection.

 

My question is below:

1. does this attack affect the performance of the firewall resources? 

2. Do we have a setting that can drop the threat without consume the resource of firewall?

3. In addition, is there a best case recommendation for securing untrust zones?

 

Thank you

3 REPLIES 3

Cyber Elite
Cyber Elite

1. It should not in and by itself, unless you are receiving so many of these packets it could constitute a DoS attack. in your case there doesn't seem to be an enormous amount

2. Only if you are somehow able to isolate the source IP (or country, subnet, network,....) and block these sources directly. in your case, it all seems to originate from one source, so go ahead and block that if you don't know who or what this source is

3. yes, take a look here: https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices

 

in the ICMP screenshot, what does the start and end arrow indicate? just the start/end of latency or some other event?

what does your '> show running resource-monitor' and '> show session info' look like during that period?

do you have packet buffer protection enabled on your zones?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @Fariq_Zaidi ,

 

Just to clarify - the "TCP Syn with data" thread logs you see are not caused by the flood protection.

Those logs indicate dropped TCP SYN packets that contain data, meaning source is trying to send some data before TCP-3way-handshake is completed. This setting is again controlled by Zone Protection profile, but not as flood protection, but TCP drop - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profi...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT5CAK

Having in mind that this is inbound traffic (from public source) it could be expected to see alot of such attempts.

 

You can check the count of dropped packets per zone with following command:

> show zone-protection zone untrust 

 

Hi Reaper,

 

In the ICMP , showing the latency during the event happen and consist with the logs tcp sync with data has been drop.  That why we concern if this the cause the latency happen.

 

i attach the show running resource monitor and session info (Doc log)  and Yes we have enable the packet buffer.

 

Thank you

 

 

  • 1753 Views
  • 3 replies
  • 0 Likes
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!