
New Member

syn flood DOS (6009)

The signature for syn flood DOS (6009) has two values that I can see will alter the signature threshold.

event-counter
-----------------------------------------------
   event-count: 2600 default: 200
   event-count-key: AxBx <defaulted>
   specify-alert-interval
   -----------------------------------------------
      yes
      -----------------------------------------------
         alert-interval: 2 default: 2

The definition for the signature is that it will detect a flood of TCP SYN packets at a rate of 100 per second or greater. We have tried to adjust the signature so that this value is higher, and no matter what the event count is, it continues to trigger in our environment. At 1300 SYNs per sec (event-count: 2600), an alert is still received for HTTP proxy servers.

Have I overlooked the parameter that needs to be adjusted in order to increase the threshold of this signature, or is it just not tunable?

1 REPLY
Silver

Re: syn flood DOS (6009)

By default, flows of 200 pkts/2 sec and above are alerted. You can change the threshold via the CLI.

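As an added example (not part of the thread and not Cisco's engine code), here is a simplified model of how event-count, alert-interval and the AxBx key from the output above combine into a per-pair rate threshold. It assumes every SYN counts as one event and that the counter restarts when the interval elapses; the addresses and traffic are constructed.

```python
def count_alerts(hits, event_count, alert_interval):
    """Return [(time, (attacker, victim))] for each alert an AxBx counter raises.

    hits: time-ordered (seconds, attacker_ip, victim_ip) events.
    A counter per attacker/victim pair fires when it reaches event_count
    within alert_interval seconds, and restarts when the interval elapses.
    """
    windows = {}  # (attacker, victim) -> (window_start, events_so_far)
    alerts = []
    for ts, attacker, victim in hits:
        key = (attacker, victim)          # AxBx: attacker and victim address
        start, seen = windows.get(key, (ts, 0))
        if ts - start >= alert_interval:  # interval over: counter starts again
            start, seen = ts, 0
        seen += 1
        if seen >= event_count:
            alerts.append((ts, key))
            windows.pop(key, None)        # next event opens a fresh window
        else:
            windows[key] = (start, seen)
    return alerts


def steady_flow(rate, seconds, attacker, victims):
    """Constructed traffic: `rate` SYNs/sec from attacker, round-robin over victims."""
    return [(i / rate, attacker, victims[i % len(victims)])
            for i in range(rate * seconds)]


PROXY, WEB1, WEB2 = "10.0.0.5", "192.0.2.10", "192.0.2.11"  # constructed addresses

if __name__ == "__main__":
    cases = [
        ("default 200/2s, 100 SYN/s", steady_flow(100, 2, PROXY, [WEB1]), 200),
        ("tuned 2600/2s, 1300 SYN/s", steady_flow(1300, 2, PROXY, [WEB1]), 2600),
        ("tuned 2600/2s, 1299 SYN/s", steady_flow(1299, 2, PROXY, [WEB1]), 2600),
        ("tuned 2600/2s, 1300 SYN/s over 2 victims",
         steady_flow(1300, 2, PROXY, [WEB1, WEB2]), 2600),
    ]
    for label, hits, count in cases:
        print(f"{label}: {len(count_alerts(hits, count, 2))} alert(s)")
```

In this model the effective threshold is event-count divided by alert-interval per address pair, so a single pair sustaining exactly that rate still reaches the count inside the interval.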