Filter
Top Products
10-53
Expert Features
Transport Layer
10
TCP SYN Attack
Counter
The TCP SYN Attack counter increments when a change in the number of SYN
requests per second exceeds a threshold. A count of all TCP SYN Attack events
displays in the
Overview counters of Expert View. A threshold for this counter can
be set in Expert Alarms.
Expert Symptom
TCP SYN Attack events are automatically logged as expert symptoms. The
Symptom Summary field provides information about the rate of change for SYN
requests. For example:
Rate of change of TCP SYN’s=150
The threshold value for the delta of SYN requests per second can be changed. The
default is 100 SYN requests per second.
Diagnostic Details
__________________________________________________________________
Problem Description:
The threshold for the number of SYN connections on the segment has been
exceeded. There may be a SYN attack.
__________________________________________________________________
Probable Cause(s):
1. An intruder is trying to break into your network.
2. The network is heavily overloaded.
3. Your Web server is under attack.
4. There may be a problem with the receiver’s TCP/IP stack.
5. There may be an overloaded switch or router.
__________________________________________________________________
Recommended Action(s):
1. Load balance your network.
2. If you see all the SYNs going to the same station, you may be under attack.
3. If you see too many SYN requests coming from unknown IP addresses, you need to use
a firewall or some other means of authentication.