Half-open SYN Attack 3050.0

darin.marais
Level 4

Is there a trick to getting the signature 3050 "half open syn flood" to produce an alert?

The Cisco Intrusion Prevention System is on version 5.1(1p1) S229.0.

We have tuned the signature to alert at 2048 half open connections.

syn-flood-max-embrionic: 2048 default: 5000

A "show statistics virtual-sensor" shows that

TCP streams currently in the embryonic state = 2871

but still no alert appears on the console.

The signature uses the normalizer engine and the event-action is set to "produce-alert".

Any help regarding this would be appreciated.

2 Replies

marcabal
Cisco Employee

What type of sensor are you using?

On the ASA-SSM-10 and ASA-SSM-20, the normalizer signatures will not be triggered (including the Syn Flood signature).

The ASA-SSMs rely on the TCP Normalization features of the ASA itself to monitor for TCP anomalies including SYN Floods.

For other sensors realize that the SYN Flood signature is tracked on a per server and per port basis. So with a 2048 setting there must be 2048 embryonic connections to a specific port on a specific server IP.

The 2871 number you are seeing in the statistic is for ALL embryonic connections to ALL ports on ALL server IPs. If this is a deployed sensor it is unlikely that all 2871 embryonic connections from the statistics are to the same server IP/port.
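The per-server, per-port counting described in this reply is easy to get wrong when reading an aggregate statistic. The following added example (not from the thread, not Cisco code) rebuilds the distinction from a table of half-open connections: it parses netstat-style lines in the `tcp <rx> <tx> <local> <remote> <state>` layout, tallies SYN_RECV entries per (server IP, port) and compares the busiest key against the threshold, rather than the total. The sample lines are constructed, and the "alert when the per-key count reaches the threshold" rule is an assumption made for the illustration.

```python
from collections import Counter

# Constructed sample in the style of `netstat -ant` output (not from the thread).
SAMPLE_NETSTAT = """\
tcp  0  0  10.1.1.10:80   198.51.100.7:40001   SYN_RECV
tcp  0  0  10.1.1.10:80   198.51.100.8:40002   SYN_RECV
tcp  0  0  10.1.1.10:443  198.51.100.9:40003   SYN_RECV
tcp  0  0  10.1.1.11:80   198.51.100.10:40004  SYN_RECV
tcp  0  0  10.1.1.11:80   198.51.100.11:40005  ESTABLISHED
"""


def build_sample(distribution):
    """Construct netstat-style SYN_RECV lines for a given {(server_ip, port): n} spread.

    Used only to fabricate test data; client addresses and ports are synthetic.
    """
    lines = []
    client = 1
    for (ip, port), n in distribution.items():
        for _ in range(n):
            lines.append(
                f"tcp 0 0 {ip}:{port} 198.51.100.{client % 254 + 1}:{40000 + client} SYN_RECV"
            )
            client += 1
    return "\n".join(lines)


def embryonic_by_server_port(netstat_text):
    """Count half-open (SYN_RECV) connections per (server IP, server port)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip headers, blank lines and anything that is not a half-open TCP entry.
        if len(fields) < 6 or fields[0] != "tcp" or fields[-1] != "SYN_RECV":
            continue
        local = fields[3]                      # the server side of the connection
        ip, _, port = local.rpartition(":")    # rpartition keeps IPv6-style addresses intact
        counts[(ip, int(port))] += 1
    return counts


def syn_flood_verdict(counts, threshold):
    """Compare the busiest (IP, port) against the threshold, as the signature does.

    Returns the aggregate total too, so the two numbers can be contrasted.
    Assumption: an alert fires when a single key reaches the threshold.
    """
    total = sum(counts.values())
    busiest = max(counts.items(), key=lambda kv: kv[1], default=(None, 0))
    return {"total": total, "busiest": busiest, "alert": busiest[1] >= threshold}


if __name__ == "__main__":
    # Mirrors the thread: 2871 half-open connections spread across three
    # server/port pairs, none of which reaches the 2048 per-key threshold.
    spread = {("10.1.1.10", 80): 1500, ("10.1.1.10", 443): 700, ("10.1.1.11", 80): 671}
    verdict = syn_flood_verdict(embryonic_by_server_port(build_sample(spread)), 2048)
    print(verdict)
```

Running the block prints a total of 2871 with the busiest key at 1500 and `alert` False, which is exactly the situation the reply describes; concentrating 2048 or more half-open connections on one server/port is what the per-key check needs before it fires.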

Hi Marco

Thanks for your reply. The problem occurs on a 4250-SX model sensor. I have also noticed that when I set the flood signatures to a rate of 0 in order to get the threshold correct, no alerts are produced and consequently no events are received at the CiscoWorks console.
