The SYNPROXY module uses TCP SYN cookies to establish a TCP connection that is terminated on a third-party device located behind the ALOHA. It relies on the conntrack module to translate sequence numbers.

The diagram below shows how sequence numbers are translated from Y (client to ALOHA) to Z (ALOHA to server):

//cdn.haproxy.com/de/documentation/aloha/8-5/_assets/images/tcp-synproxy_361x312.png
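The exchange the diagram describes, as an added worked example (this is illustrative code, not ALOHA or PacketShield code): the proxy answers the client's SYN with a SYN cookie as its initial sequence number Y and keeps no state; only when the client's final ACK carries a valid cookie does the proxy open the real connection to the server, learn the server's ISN Z, and from then on rewrite acknowledgement numbers going to the server by Z - Y and sequence numbers coming back by the same amount. The addresses, ISNs, secret and payloads are constructed; the cookie is a keyed hash of the flow only, whereas real SYN cookies also encode MSS and a coarse timestamp.

```python
import hashlib
import hmac
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0
    payload: bytes = b""


class SynCookie:
    """Stateless SYN cookie: the ISN is a keyed hash of the flow and the
    client's ISN, so the final ACK can be checked without per-SYN state.
    Simplified: real cookies also encode MSS and a timestamp."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def isn(self, client: str, server: str, client_isn: int) -> int:
        msg = f"{client}|{server}|{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def valid(self, client: str, server: str, client_isn: int, ack: int) -> bool:
        return (ack - 1) % MOD == self.isn(client, server, client_isn)


class Server:
    """Backend that answers a SYN with a SYN-ACK carrying its own ISN Z."""

    def __init__(self, isn: int):
        self.isn = isn

    def accept(self, syn: Segment) -> Segment:
        return Segment(syn.dst, syn.src, "SYN-ACK", self.isn, (syn.seq + 1) % MOD)


class SynProxy:
    def __init__(self, secret: bytes, server: Server):
        self.cookie = SynCookie(secret)
        self.server = server
        self.offset = {}    # (client, server) -> (Z - Y) mod 2^32, set once the server side exists

    def from_client(self, seg: Segment):
        """Return the SYN-ACK sent back to the client, the translated segment
        forwarded to the server, or None when the segment is dropped."""
        flow = (seg.src, seg.dst)
        if seg.flags == "SYN":
            # Reply with cookie ISN Y; the server never sees this SYN.
            y = self.cookie.isn(seg.src, seg.dst, seg.seq)
            return Segment(seg.dst, seg.src, "SYN-ACK", y, (seg.seq + 1) % MOD)
        if flow not in self.offset:
            if seg.flags != "ACK":
                return None
            client_isn = (seg.seq - 1) % MOD
            if not self.cookie.valid(seg.src, seg.dst, client_isn, seg.ack):
                return None                      # forged or stale ACK: no state, no backend work
            y = (seg.ack - 1) % MOD
            # Client proved the handshake was genuine: now do the real one with the server.
            synack = self.server.accept(Segment(seg.src, seg.dst, "SYN", client_isn))
            z = synack.seq
            self.offset[flow] = (z - y) % MOD
        # Client -> server: the client's own sequence numbers are untouched,
        # its acknowledgements are shifted from the Y space into the Z space.
        return Segment(seg.src, seg.dst, seg.flags, seg.seq,
                       (seg.ack + self.offset[flow]) % MOD, seg.payload)

    def from_server(self, seg: Segment):
        flow = (seg.dst, seg.src)
        if flow not in self.offset:
            return None
        # Server -> client: shift the server's sequence numbers back into the Y space.
        return Segment(seg.src, seg.dst, seg.flags,
                       (seg.seq - self.offset[flow]) % MOD, seg.ack, seg.payload)


def run_handshake(secret=b"constructed-secret", server_isn=0x1000, client_isn=0xFFFFFF00):
    """Drive one constructed handshake plus a forged ACK through the proxy."""
    client, server_ip = "198.51.100.7", "10.0.0.1"   # constructed addresses
    proxy = SynProxy(secret, Server(server_isn))
    synack = proxy.from_client(Segment(client, server_ip, "SYN", client_isn))
    y = synack.seq
    bad = proxy.from_client(Segment(client, server_ip, "ACK",
                                    (client_isn + 1) % MOD, (y + 1 + 12345) % MOD))
    good = proxy.from_client(Segment(client, server_ip, "ACK", (client_isn + 1) % MOD,
                                     (y + 1) % MOD, b"GET / HTTP/1.0\r\n"))
    resp = proxy.from_server(Segment(server_ip, client, "ACK", (server_isn + 1) % MOD,
                                     (client_isn + 1 + len(good.payload)) % MOD,
                                     b"HTTP/1.0 200 OK\r\n"))
    return {"y": y, "z": server_isn, "forged_ack_dropped": bad is None,
            "ack_to_server": good.ack, "seq_to_client": resp.seq}
```

The client ISN is chosen near the top of the 32-bit range so the modular arithmetic is exercised: the client's ACK of Y+1 reaches the server as Z+1, and the server's first data segment at Z+1 reaches the client as Y+1.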

Objective

In the ALOHA, the SYNPROXY module is mainly used for integration with PacketShield to provide protection against packet flood attacks in the following cases:

  • Traffic routed through the ALOHA

  • Load balancing at Layer 4 in NAT mode

  • Load balancing at Layer 4 in DSR mode if the server-to-client traffic is routed through the ALOHA

Note

PacketShield requires the TCP connection to terminate locally, which the SYNPROXY module emulates.

Configuring TCP SYNPROXY

Requirements

Configure the conntrack module

In the ALOHA's Services tab, edit the service settings to add the following setting to the conntrack service:

sysctl tcp_loose=0

Note

The conntrack service is accessible in the advanced mode.

This sysctl prevents conntrack from accepting mid-stream (non-SYN) packets as NEW connections, which is required for SYNPROXY to work.

Configure LVS

With LVS, the use of the SYNPROXY module leads to a SYN/SYN-ACK loop between clients and the load balancer.

To circumvent this issue, we use LVS in conjunction with conntrack.

  • In the ALOHA's Services tab, edit the service settings to add the following setting to the LVS service:

    conntrack

SYNPROXY rule syntax

<chain> [conditions of application] [TCP options]

Available chains

<input>

protect local or LVS connections

<forward>

protect a connection routed through the ALOHA

Conditions of application

[[not] dst <host>]

IP packet destination IP or subnet

[[not] iface <interface>]

Inbound network interface (should match the PacketShield interface)

[[not] dstport <port>]

IP packet destination port (range accepted)

TCP options

[wscale <value>]

Window scale. Default value: not set. Requires timestamp

[mss <value>]

Maximum Segment Size. Default value: 1460

[sack-perm]

Selective Acknowledgment. Default value: not enabled. Requires timestamp

[timestamp]

timestamps. Default value: not enabled

[ecn]

Explicit Congestion Notification. Default value: not enabled. Requires timestamp

Note

TCP options are ignored when the SYNPROXY module is used with PacketShield. In this case, PacketShield's TCP options are used.

Configuring SYNPROXY module

  1. In the ALOHA's Services tab, edit a service configuration.

  2. In the text area, create your rules.

Configuration examples

Protect HTTP and HTTPS services managed by HAProxy or LVS running in the ALOHA

input dst 10.0.0.1 dstport 80 iface eth0 wscale 3
input dst 10.0.0.1 dstport 443 iface eth0 wscale 3

Protect HTTP and HTTPS services hosted by cloud service VMs located behind the ALOHA

forward dstport 80 iface eth0 wscale 3
forward dstport 443 iface eth0 wscale 3
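A small checker for the rule syntax above, added here as an example (it is not ALOHA code and does not reproduce the ALOHA's own parser): it applies the documented grammar, chain names, conditions and TCP options, the ordering the syntax line implies (conditions before TCP options), and the documented dependency of wscale, sack-perm and ecn on timestamp. Two details are assumptions: a port range is written as `low-high`, and the checker simply skips blank lines. Run over the four rules of the configuration examples plus three constructed lines, it accepts the page's rules and reports on each of them that wscale is documented as requiring timestamp (per the note above, TCP options are ignored anyway when PacketShield is in use), and rejects the two constructed invalid lines.

```python
import ipaddress
from dataclasses import dataclass, field

CHAINS = {"input", "forward"}
CONDITIONS = {"dst", "iface", "dstport"}          # each takes one argument
OPTIONS_WITH_VALUE = {"wscale", "mss"}
OPTIONS_FLAG = {"sack-perm", "timestamp", "ecn"}
NEEDS_TIMESTAMP = {"wscale", "sack-perm", "ecn"}  # dependency stated in the option table


@dataclass
class Rule:
    chain: str
    conditions: list = field(default_factory=list)   # (negated, key, value)
    options: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)


def parse_port(text: str):
    """'80' -> (80, 80); '8000-8100' -> (8000, 8100). Range form is an assumption."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port or range {text!r}")
    return (lo, hi)


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    if not tokens:
        raise ValueError("empty rule")
    chain, rest = tokens[0], tokens[1:]
    if chain not in CHAINS:
        raise ValueError(f"unknown chain {chain!r} (expected input or forward)")
    rule = Rule(chain)
    i = 0
    while i < len(rest):
        tok, negated = rest[i], False
        if tok == "not":
            negated, i = True, i + 1
            if i >= len(rest):
                raise ValueError("'not' without a condition")
            tok = rest[i]
        if tok in CONDITIONS:
            if rule.options:
                raise ValueError(f"condition {tok!r} must precede TCP options")
            if i + 1 >= len(rest):
                raise ValueError(f"{tok} needs a value")
            val = rest[i + 1]
            if tok == "dst":
                val = ipaddress.ip_network(val, strict=False)   # host or subnet
            elif tok == "dstport":
                val = parse_port(val)
            rule.conditions.append((negated, tok, val))
            i += 2
        elif negated:
            raise ValueError(f"'not' cannot apply to {tok!r}")
        elif tok in OPTIONS_WITH_VALUE:
            if i + 1 >= len(rest):
                raise ValueError(f"{tok} needs a value")
            rule.options[tok] = int(rest[i + 1])
            i += 2
        elif tok in OPTIONS_FLAG:
            rule.options[tok] = True
            i += 1
        else:
            raise ValueError(f"unknown token {tok!r}")
    if "timestamp" not in rule.options:
        for opt in sorted(NEEDS_TIMESTAMP & rule.options.keys()):
            rule.warnings.append(f"{opt} is documented as requiring timestamp")
    return rule


def lint(text: str):
    """Parse every non-blank line; return (rules, errors) with line numbers in errors."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rules.append(parse_rule(line))
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
    return rules, errors


# The page's four example rules, then three constructed lines (one valid, two invalid).
SAMPLE_RULES = """\
input dst 10.0.0.1 dstport 80 iface eth0 wscale 3
input dst 10.0.0.1 dstport 443 iface eth0 wscale 3
forward dstport 80 iface eth0 wscale 3
forward dstport 443 iface eth0 wscale 3
input not iface eth1 dst 10.0.0.0/24 dstport 8000-8100 timestamp wscale 3 sack-perm
forward dstport 70000 iface eth0
output dstport 80
"""


def demo():
    return lint(SAMPLE_RULES)
```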