TCP SYN flood |
Summary
Denial of service overload attempt.
Details
A SYN flood sends TCP connection requests (SYN packets) faster than the target system can process them. The resulting half-open connections fill the system's connection memory, so new connection requests are ignored. To users the system appears either very slow or not available at all.
False Positives
This detection triggers whenever a large number of SYN packets are seen in a short period of time, and there are cases where it triggers incorrectly. For example, if a busy web site becomes unavailable for a few minutes and is then brought back online, the event triggers because of the "pent-up" connections that were waiting for the system to become available. If this report occurs frequently on your network and the network appears to be operating correctly, adjust the value of the tcp.maxsyn parameter in the configuration file to reflect the characteristics of your network.
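As an added illustration of the detection and false-positive discussion above (this is not code from the original page or from the product it describes), the following Python sketch counts bare SYN packets in a sliding time window against a threshold that plays the role of tcp.maxsyn. Going one step beyond the text, it also records how many sources in the window later completed a handshake, which is the feature an analyst would use to separate pent-up legitimate reconnects from spoofed sources that never answer. All packet records, addresses and the `max_syn` parameter name are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    src: str    # source IP address
    flags: str  # TCP flags: "S" (bare SYN), "SA" (SYN-ACK), "A" (bare ACK)


def syn_flood_alerts(packets, max_syn, window=1.0):
    """Raise one alert each time the number of bare SYNs seen within `window`
    seconds climbs past `max_syn` (the role tcp.maxsyn plays in the FAQ).
    Each alert records how many of the SYN sources in the window later sent a
    bare ACK, i.e. finished the handshake, so a false positive can be judged."""
    pkts = sorted(packets, key=lambda p: p.ts)
    ack_sources = {p.src for p in pkts if p.flags == "A"}
    recent, alerts, armed = deque(), [], True
    for p in pkts:
        if p.flags != "S":
            continue
        recent.append(p)
        while p.ts - recent[0].ts > window:   # drop SYNs outside the window
            recent.popleft()
        if len(recent) > max_syn and armed:
            srcs = {q.src for q in recent}
            completed = sum(1 for s in srcs if s in ack_sources)
            alerts.append({"ts": p.ts, "syns": len(recent),
                           "sources": len(srcs), "completed": completed})
            armed = False                     # one alert per threshold crossing
        elif len(recent) <= max_syn:
            armed = True
    return alerts


# Constructed traffic samples.
def legit_burst():
    """40 real clients reconnect within 0.5 s after an outage; each completes."""
    pkts = []
    for i in range(40):
        t = i * 0.0125
        pkts.append(Packet(t, f"10.0.0.{i + 1}", "S"))
        pkts.append(Packet(t + 0.2, f"10.0.0.{i + 1}", "A"))
    return pkts


def spoofed_flood():
    """200 SYNs in 0.2 s from addresses that never answer the SYN-ACK."""
    return [Packet(i * 0.001, f"198.51.100.{i % 254 + 1}", "S") for i in range(200)]
```

With a low threshold the legitimate burst alerts too, but every source in that alert completed its handshake; in the spoofed flood none do, and raising the threshold to match normal load makes the legitimate burst fall silent.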
Spoofing
In SYN floods, the source IP address is almost always spoofed. Therefore, the source IP address cannot be used to track the intruder.
Defense
Many firewalls come with SYN flood protection features.
Many open source UNIX systems (Linux, xBSD, etc.) have patches available that can be used to minimize the impact of SYN floods.
WinNT can be reconfigured to minimize the impact of SYN floods, as described in the Microsoft article below.
More information
Version appeared: