The SGOS TCP-stack has already ‘hardened’ against TCP SYN-flood attacks. When the SYN flood limit of 30,000 connections with a 2 minute polling interval threshold is reached, the ProxySG begins showing messages in Event log.

TCP SYN floods are only reported within the Event Log and are not logged into the Access Log as it has not ESTABLISHED a connection,

Event Log Details

2012-04-03 09:00:39+08:00CST  "TCP SYN flood attack in progress"  0 30206:1../main/event_logger.cpp:36

2012-04-03 09:02:40+08:00CST  "TCP SYN flood attack no longer in progress"  0 30207:1   ../main/event_logger.cpp:36

2012-04-03 09:10:43+08:00CST  "TCP SYN flood attack in progress"  0 30206:1../main/event_logger.cpp:36

2012-04-03 09:16:45+08:00CST  "TCP SYN flood attack no longer in progress"  0 30207:1   ../main/event_logger.cpp:36

During "TCP SYN flood attack in progress", PCAP can help to figure out source IP address. When source IP address is identified, it can be configured in SG's Attack Detection feature to DROP such packets.