Expert Features 10

Transport Layer

TCP SYN Attack

Counter

The TCP SYN Attack counter increments when a change in the number of SYN requests per second exceeds a threshold. A count of all TCP SYN Attack events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.

Expert Symptom

TCP SYN Attack events are automatically logged as expert symptoms. The Symptom Summary field provides information about the rate of change for SYN requests. For example:

Rate of change of TCP SYN’s=150

The threshold value for the delta of SYN requests per second can be changed. The default is 100 SYN requests per second.

Diagnostic Details

__________________________________________________________________

Problem Description:

The threshold for the number of SYN connections on the segment has been exceeded. There may be a SYN attack.

__________________________________________________________________

Probable Cause(s):

1. An intruder is trying to break into your network.

2. The network is heavily overloaded.

3. Your Web server is under attack.

4. There may be a problem with the receiver’s TCP/IP stack.

5. There may be an overloaded switch or router.

__________________________________________________________________

Recommended Action(s):

1. Load balance your network.

2. If you see all the SYNs going to the same station, you may be under attack.

3. If you see too many SYN requests coming from unknown IP addresses, you need to use a firewall or some other means of authentication.
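
The following Python example is added here; it is not from the manual and is not Surveyor's own logic. It applies the delta threshold described above to constructed SYN records and reports the destination share and source count that Recommended Actions 2 and 3 ask you to check. It assumes the delta is the rise between consecutive one-second buckets and that the first observed second is only a baseline; the function names, record layout and sample addresses are hypothetical.

```python
from collections import Counter, defaultdict

DELTA_THRESHOLD = 100  # manual's default delta, in SYN requests per second

def syn_delta_events(syns, threshold=DELTA_THRESHOLD):
    """syns: (timestamp_s, src_ip, dst_ip) per SYN request (hypothetical layout).
    Returns one event per second whose SYN count rose by more than threshold."""
    per_second, dsts, srcs = Counter(), defaultdict(Counter), defaultdict(set)
    for ts, src, dst in syns:
        sec = int(ts)
        per_second[sec] += 1
        dsts[sec][dst] += 1
        srcs[sec].add(src)
    events, prev = [], None
    if not per_second:
        return events
    # Walk every second in the capture so idle seconds count as zero.
    for sec in range(min(per_second), max(per_second) + 1):
        count = per_second[sec]
        # Assumption: only a rise counts, and the first second is the baseline.
        if prev is not None and count - prev > threshold:
            top_dst, top_n = dsts[sec].most_common(1)[0]
            events.append({
                "second": sec,
                "delta": count - prev,
                "top_dst": top_dst,                       # Recommended Action 2
                "top_dst_share": round(top_n / count, 2),
                "distinct_sources": len(srcs[sec]),       # Recommended Action 3
            })
        prev = count
    return events

def sample_capture():
    """Constructed records: steady background, then a burst in second 2."""
    def background(sec, n):
        return [(sec + i / 100, f"10.0.0.{i % 5 + 1}", f"10.0.1.{i % 4 + 1}")
                for i in range(n)]
    burst = [(2 + i / 200, f"198.51.100.{i + 1}", "192.0.2.10") for i in range(150)]
    return background(0, 20) + background(1, 25) + background(2, 25) + burst

if __name__ == "__main__":
    for e in syn_delta_events(sample_capture()):
        print(f"second {e['second']}: rate of change of TCP SYNs={e['delta']}, "
              f"{e['top_dst_share']:.0%} to {e['top_dst']}, "
              f"{e['distinct_sources']} distinct sources")
```

A high destination share points to Recommended Action 2, while a large number of distinct, unfamiliar sources points to Recommended Action 3.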

Finisar Surveyor manual TCP SYN Attack, Rate of change of TCP SYN’s=150