We have a customer who periodically experiences large numbers of 3050 half-open SYNs. Our IDS picks it up, and blocks many IPs on it, but we are wondering if it is possible that pop-up windows on a website can somehow trigger this signature. All of the requests are indeed on port 80.
The answer to your question is yes, it is possible that a sudden surge in requests to a server from the client's network could cause the signature to misfire. There are several possible solutions to this problem.
First, they could adjust the threshold on the signature to a larger value. By default the signature is set to look for 100 unacknowledged SYNs in the period. They could modify this to 500 and still alert on an actual attack, but would be less susceptible to the benign trigger. The modifications can be made via SigWizMenu and/or the Unix Director interface.
Second, if the source of the alarms is from their internal network and they have that defined on the sensor, they can exclude IN as a source of the alarm using RecordOfIncludedPattern through their management platform.
Also, just as an aside, you mention that they block many addresses when this occurs. If I am reading this correctly, that implies they are shunning on this signature. That is not recommended, as the source of a true Half-Open SYN attack is almost always spoofed and therefore shunning is not only ineffective, but could lead to an even more severe Denial of Service situation.
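To make the threshold discussion concrete, here is a small model of the signature's counting logic, added as an example; it is not code from the original thread or from the sensor product. It counts SYNs that remain unacknowledged within a period, compares the count to a threshold, and optionally skips sources in an excluded network, which is the effect the answer attributes to the "exclude IN" configuration. The 60-second period, the event fields, and the two bursts of traffic are constructed assumptions, since the thread gives the default count (100) but not the period length.

```python
"""Added example: evaluate a half-open SYN threshold over constructed SYN events."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Sequence


@dataclass(frozen=True)
class SynEvent:
    ts: float        # seconds since the start of the observation period (constructed)
    src: str         # source IP address of the SYN
    dport: int       # destination port
    completed: bool  # True if the handshake finished (ACK seen) inside the period


def half_open_count(events: Iterable[SynEvent], window_start: float,
                    window_len: float, exclude_nets: Sequence[str] = ()) -> int:
    """Count SYNs in [window_start, window_start + window_len) that never completed,
    ignoring any whose source falls inside one of exclude_nets."""
    nets = [ip_network(n) for n in exclude_nets]
    window_end = window_start + window_len
    count = 0
    for ev in events:
        if not (window_start <= ev.ts < window_end):
            continue            # outside the period being evaluated
        if ev.completed:
            continue            # handshake finished, so not half-open
        if any(ip_address(ev.src) in net for net in nets):
            continue            # excluded source (e.g. the customer's own clients)
        count += 1
    return count


def signature_fires(events: Iterable[SynEvent], threshold: int, window_start: float = 0.0,
                    window_len: float = 60.0, exclude_nets: Sequence[str] = ()) -> bool:
    """True when the half-open count reaches the configured threshold."""
    return half_open_count(events, window_start, window_len, exclude_nets) >= threshold


# ---- constructed sample traffic (not captured data) ----
def benign_popup_burst() -> list[SynEvent]:
    """180 SYNs to port 80 from the customer's own 10.0.0.0/8 clients within 60 s.
    The server is slow to answer, so only every third one completes in time:
    120 are still half-open at the end of the period."""
    return [SynEvent(ts=i * 0.3, src=f"10.1.0.{i % 200 + 1}", dport=80,
                     completed=(i % 3 == 0)) for i in range(180)]


def flood_burst() -> list[SynEvent]:
    """2000 SYNs to port 80 within 60 s, none of which ever complete."""
    return [SynEvent(ts=i * 0.03, src=f"198.51.100.{i % 254 + 1}", dport=80,
                     completed=False) for i in range(2000)]


def demo() -> dict[str, bool]:
    """Compare the default threshold, the raised threshold, and the source exclusion."""
    benign, flood = benign_popup_burst(), flood_burst()
    return {
        "benign_default_100": signature_fires(benign, 100),        # misfires on pop-ups
        "flood_default_100": signature_fires(flood, 100),
        "benign_raised_500": signature_fires(benign, 500),         # no longer misfires
        "flood_raised_500": signature_fires(flood, 500),           # still alerts
        "benign_exclude_internal": signature_fires(
            benign, 100, exclude_nets=("10.0.0.0/8",)),            # internal sources skipped
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {'ALERT' if fired else 'quiet'}")
```

Running `demo()` shows the two mitigations from the answer side by side: raising the threshold to 500 keeps the flood alerting while the 120 half-open connections from the pop-up burst fall below it, and excluding the internal network suppresses the benign case even at the default of 100. Note that neither function keys on the source address when counting, which is the point of the shunning remark above: a count-based signature fires on volume, so per-source blocking does not reduce it when sources are spoofed.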
Just FYI - I see a lot of Half Open SYN alerts about the connections to my proxy server. When it gets inundated with proxy requests, the signature triggers when the connections aren't made fast enough.