Layer 3-4 SYN Denial-of-Service protection

Any Citrix ADC appliance with system software version 8.1 or later automatically provides protection against SYN DoS attacks.

To mount such an attack, an attacker initiates a large number of TCP connections but never responds to the SYN-ACK messages sent by the victimized server. The source IP addresses in the SYN messages received by the server are typically spoofed, so the SYN-ACKs go nowhere. Because new SYN messages arrive faster than the half-open connections initiated by previous SYN messages time out, the number of half-open connections grows until the server no longer has enough memory to accept new connections from legitimate clients. In extreme cases the server exhausts its memory altogether.

A Citrix ADC appliance defends against SYN flood attacks by using SYN cookies instead of keeping half-open connection state in memory. The appliance answers each SYN with a SYN-ACK whose initial sequence number is a cookie derived from the connection's addresses and ports, but it does not store any state for the half-open connection. It allocates memory for a connection only upon receiving the final ACK that carries a valid cookie, or, for HTTP traffic, upon receiving an HTTP request. A spoofed SYN therefore costs the appliance nothing beyond the SYN-ACK it sends, while normal TCP communications with legitimate clients continue uninterrupted.
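The following is an added example, not Citrix code: the appliance's actual cookie format is not documented on this page, so this is a minimal stateless SYN-cookie handshake in Python that shows the principle. The 32-bit layout (5-bit timestamp counter, 3-bit MSS index, 24-bit keyed tag added to the client's ISN), the MSS table, the secret and the flood inputs are all constructed for the illustration. The flood simulation at the end contrasts a conventional half-open table with the cookie listener to show why spoofed SYNs leave no state behind.

```python
"""Added example (not Citrix code): a minimal SYN-cookie handshake and flood simulation."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed parameters for the example; a real TCP stack picks its own.
MSS_TABLE = (536, 1300, 1440, 1460)   # 3-bit index -> MSS to restore after the handshake
TICK_SECONDS = 64                     # granularity of the 5-bit cookie timestamp
MAX_AGE_TICKS = 2                     # reject cookies older than this (about two minutes)
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Flow:
    saddr: str
    daddr: str
    sport: int
    dport: int

    def packed(self) -> bytes:
        return (ipaddress.ip_address(self.saddr).packed
                + ipaddress.ip_address(self.daddr).packed
                + struct.pack("!HH", self.sport, self.dport))


def _tick(now: float) -> int:
    return int(now // TICK_SECONDS) & 0x1F       # 5-bit counter, wraps every 32 ticks


def _mac24(secret: bytes, flow: Flow, tick: int, mss_idx: int) -> int:
    """Keyed 24-bit tag binding the cookie to the 4-tuple, its timestamp and MSS index."""
    msg = flow.packed() + bytes([tick, mss_idx])
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the MSS the client advertised."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_syn_cookie(secret: bytes, flow: Flow, client_isn: int, mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored for the half-open connection."""
    tick, idx = _tick(now), _mss_index(mss)
    field = (tick << 27) | (idx << 24) | _mac24(secret, flow, tick, idx)
    return (client_isn + field) & MASK32


def check_syn_cookie(secret: bytes, flow: Flow, seq: int, ack: int, now: float) -> Optional[int]:
    """Validate the final ACK (seq = client_isn + 1, ack = cookie + 1).

    Returns the MSS to use for the new connection, or None if the cookie is stale or forged.
    Only now is a real connection worth allocating state for.
    """
    client_isn = (seq - 1) & MASK32
    cookie = (ack - 1) & MASK32
    field = (cookie - client_isn) & MASK32
    tick, idx, mac = field >> 27, (field >> 24) & 0x7, field & 0xFFFFFF
    if ((_tick(now) - tick) & 0x1F) > MAX_AGE_TICKS:
        return None                               # too old, or timestamp not ours
    expected = _mac24(secret, flow, tick, idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None                               # tag does not match: forged or wrong flow
    return MSS_TABLE[idx]


class HalfOpenTable:
    """Conventional listener: one table entry per SYN until the ACK arrives or it times out."""
    def __init__(self) -> None:
        self.pending: dict = {}

    def on_syn(self, flow: Flow, client_isn: int) -> None:
        self.pending[flow] = client_isn


class CookieListener:
    """Stateless listener: answers every SYN with a cookie and remembers nothing until the ACK."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.established: dict = {}

    def on_syn(self, flow: Flow, client_isn: int, mss: int, now: float) -> int:
        return make_syn_cookie(self.secret, flow, client_isn, mss, now)

    def on_ack(self, flow: Flow, seq: int, ack: int, now: float) -> bool:
        mss = check_syn_cookie(self.secret, flow, seq, ack, now)
        if mss is not None:
            self.established[flow] = mss          # state allocated only for a valid handshake
        return mss is not None


def simulate_flood(n: int, secret: bytes):
    """Constructed flood: n SYNs from spoofed sources that never send the final ACK.

    Returns (half-open entries held by the naive listener, connections held by the cookie listener).
    """
    naive, cookie = HalfOpenTable(), CookieListener(secret)
    for i in range(n):
        flow = Flow(f"203.0.113.{i % 256}", "198.51.100.10", 1024 + i, 80)
        naive.on_syn(flow, i)
        cookie.on_syn(flow, i, 1460, now=1000.0)
    return len(naive.pending), len(cookie.established)
```

The timestamp check is what lets the server forget a SYN-ACK entirely: a cookie older than a couple of minutes is simply rejected, so there is nothing to time out. The price of statelessness is that the SYN-ACK cannot be retransmitted by the server and TCP options other than the MSS are lost, which is exactly why the page below lists cases in which disabling SYN cookies may be necessary.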

SYN DoS protection on the Citrix ADC appliance ensures the following:

  • The memory of the Citrix ADC is not wasted on false SYN packets. Instead, memory is used to serve legitimate clients.
  • Normal TCP communications with legitimate clients continue uninterrupted, even when the Web site is under SYN flood attack.

In addition, because the Citrix ADC appliance allocates memory for HTTP connection state only after it receives an HTTP request, it protects Web sites from idle connection attacks.

SYN DoS protection on your Citrix ADC appliance requires no external configuration. It is enabled by default.

Disable SYN Cookies

SYN cookies are enabled by default on a Citrix ADC appliance to prevent SYN attacks. Because the appliance keeps no state for a half-open connection, it cannot retransmit a lost SYN-ACK, and options carried only in the SYN are not preserved. If your deployment requires you to disable SYN cookies, for example for server-initiated data connections, or where a connection fails to establish because the first packet is dropped or reordered, use one of the following methods. Disabling SYN cookies removes the SYN flood protection for every virtual server and service that uses the modified profile, so where possible make the change on a TCP profile bound only to the affected virtual server or service rather than on the built-in default profile.

Disable SYN cookies by using the CLI

At the command prompt, type:

set nstcpprofile nstcp_default_profile -synCookie DISABLED

The synCookie parameter of a TCP profile enables or disables the SYNCOOKIE mechanism for the TCP handshake with clients. Disabling SYNCOOKIE removes SYN attack protection on the Citrix ADC appliance for traffic that uses that profile.

              Possible values: ENABLED, DISABLED

              Default: ENABLED

Disable SYN cookies by using the GUI

  1. Navigate to System > Profiles > TCP Profiles.
  2. Select a profile and click Edit.
  3. Clear the TCP SYN Cookie check box.
  4. Click OK.