We have a customer who periodically experiences large numbers of 3050 half-open SYNs. Our IDS picks it up, and blocks many IPs on it, but we are wondering if it is possible that pop-up windows on a website can somehow trigger this signature. All of the requests are indeed on port 80.

The answer to your question is yes, it is possible that a sudden surge in requests to a server from the client's network could cause the signature to misfire. There are several possible solutions to this problem.

First, they could adjust the threshold on the signature to a larger value. By default the signature is set to look for 100 unacknowledged SYNs in the period. They could modify this to 500 and still alert on an actual attack, but would be less susceptible to the benign trigger. The modifications can be made via SigWizMenu and/or the Unix Director interface.

Second, if the source of the alarms is their internal network and they have that defined on the sensor, they can exclude IN as a source of the alarm using RecordOfIncludedPattern through their management platform.

Also, just as an aside, you mention that they block many addresses when this occurs. If I am reading this correctly, that implies they are shunning on this signature. That is not recommended, as the source of a true Half-Open SYN attack is almost always spoofed and therefore shunning is not only ineffective, but could lead to an even more severe Denial of Service situation.

Hope this helps.


If the SYN requests are incoming, it could also be a problem with the server itself. I've also seen these signatures when a server became slow or froze for a while.

The reason for this is that the sensor does not distinguish between unacknowledged SYNs (server problem) and acknowledged SYNs (half-open SYN attack), as far as I know.
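To see the threshold trade-off from the second reply and the "counter cannot tell why the SYNs went unanswered" point from the third in one run, here is an added example that is not from any poster in this thread: a toy counter modelled on the described behaviour of signature 3050 (N unacknowledged SYNs to one service within a period), fed constructed client-side packets. The host 192.0.2.10, the 60 s counting window and the 5 s burst are assumptions.

```python
# Added example (not from the thread): a toy half-open SYN counter in the spirit of
# signature 3050, run over constructed client-side packets (assumed addresses/timings).
def half_open_syn_alerts(events, threshold=100, window=60.0):
    """events: time-ordered (t, src, sport, dst, dport, flags) tuples for packets the
    client sends; flags is a set such as {"SYN"} or {"ACK"}. An alert is raised the
    first time `threshold` SYNs to one dst:dport are unacknowledged inside `window`."""
    pending = {}   # 4-tuple -> time of a SYN whose handshake the client has not completed
    alerts, fired = [], set()
    for t, src, sport, dst, dport, flags in events:
        key = (src, sport, dst, dport)
        if "SYN" in flags and "ACK" not in flags:
            pending[key] = t
        elif "ACK" in flags:
            pending.pop(key, None)   # third handshake packet: no longer half-open
        # drop SYNs that aged out of the counting period, then count this service
        pending = {k: ts for k, ts in pending.items() if t - ts <= window}
        count = sum(1 for (_, _, d, dp) in pending if (d, dp) == (dst, dport))
        if count >= threshold:
            if (dst, dport) not in fired:
                alerts.append((t, dst, dport, count))
                fired.add((dst, dport))
        else:
            fired.discard((dst, dport))
    return alerts


def burst_to_slow_server(n=150, complete_after=30.0):
    """Constructed benign traffic: n clients (pop-ups, proxy users) all open a connection
    to 192.0.2.10:80 within 5 s. The server is slow, so the clients' ACKs arrive only
    complete_after seconds later; complete_after=None models a server that froze."""
    syns = [(i * 5.0 / n, f"10.0.0.{i % 250 + 1}", 40000 + i, "192.0.2.10", 80, {"SYN"})
            for i in range(n)]
    if complete_after is None:
        return syns
    acks = [(complete_after + i * 5.0 / n, f"10.0.0.{i % 250 + 1}", 40000 + i,
             "192.0.2.10", 80, {"ACK"}) for i in range(n)]
    return syns + acks


if __name__ == "__main__":
    benign = burst_to_slow_server()
    print("threshold 100:", half_open_syn_alerts(benign, threshold=100))  # fires on the 100th SYN
    print("threshold 500:", half_open_syn_alerts(benign, threshold=500))  # no alert
    # A frozen server produces the same picture the counter would see during a real
    # flood: SYNs with no completing ACKs, so it fires identically and cannot say why.
    print("frozen server:", half_open_syn_alerts(burst_to_slow_server(complete_after=None)))
```

Raising the threshold to 500 suppresses the benign burst, while the frozen-server case shows why the alert alone cannot separate a slow server from an attack.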



Just FYI - I see a lot of Half Open SYN alerts about the connections to my proxy server. When it gets inundated with proxy requests, the signature triggers when the connections aren't made fast enough.

