SIGN:TCP-FLOOD
This section describes the TCP flood detection configuration.
Note:
The configurations described here apply to all TCP FLOOD detections except:
- the detection for TCP flooding through FIN packets,
- the detection for TCP flooding through packets with no TCP flags.
A node is considered to be under a TCP flood attack when both of the following hold:
- the number of SYN-ACK packets during the observation interval is greater than the detection counter threshold, and
- during the observation interval, the ratio between ACK packets and SYN-ACK packets falls below the trigger threshold.
A TCP flood attack is considered terminated when either of the following holds:
- the number of SYN-ACK packets during the observation interval returns below the detection counter threshold, or
- during the observation interval, the ratio between ACK packets and SYN-ACK packets returns above the exit threshold.
The flooding detection is not guarded by the packet duplication detection: duplicated packets can still trigger a flooding alert. This is because the duplication detection is based on SYN numbers, which do not change during a flooding event; deduplicating these packets would cause false negatives, because it would inhibit the flooding detection on duplicate packets.
Set detection counter

| Product | Guardian |
| --- | --- |
| Syntax | `conf.user configure vi tcp_syn_flood_detection counter <value>` |
| Description | Set the SYN-ACK packets counter threshold, in number of connections. |
| Parameters | value: The number of SYN-ACK packets that must be observed during the interval in order to trigger the detection (default: 100). |
| Where | CLI |
| To apply | It is applied automatically |
Set observation interval

| Product | Guardian |
| --- | --- |
| Syntax | `conf.user configure vi tcp_syn_flood_detection interval <value>` |
| Description | Set the observation interval, in seconds. |
| Parameters | value: The time interval, in seconds, during which the SYN-ACK and ACK packets are counted (default: 10). |
| Where | CLI |
| To apply | It is applied automatically |
Set trigger threshold

| Product | Guardian |
| --- | --- |
| Syntax | `conf.user configure vi tcp_syn_flood_detection trigger_threshold <value>` |
| Description | Set the trigger threshold. |
| Parameters | value: The ratio between ACK packets and SYN-ACK packets below which the flood detection is triggered (default: 0.1). |
| Where | CLI |
| To apply | It is applied automatically |
Set exit threshold

| Product | Guardian |
| --- | --- |
| Syntax | `conf.user configure vi tcp_syn_flood_detection exit_threshold <value>` |
| Description | Set the exit threshold. |
| Parameters | value: The ratio between ACK packets and SYN-ACK packets above which the flood detection is terminated (default: 0.4). |
| Where | CLI |
| To apply | It is applied automatically |
For example, with the commands below the TCP flood detection would trigger when more than 200
SYN-ACK packets are observed during a 15-second observation interval and the ratio
between ACK packets and SYN-ACK packets falls below 0.3. The detection
would then terminate when the ratio returns above 0.5 (or the SYN-ACK count drops below 200).
conf.user configure vi tcp_syn_flood_detection counter 200
conf.user configure vi tcp_syn_flood_detection interval 15
conf.user configure vi tcp_syn_flood_detection trigger_threshold 0.3
conf.user configure vi tcp_syn_flood_detection exit_threshold 0.5
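As an added illustration (not Guardian's own code), the following Python models the trigger and exit rules above as a per-interval state machine with hysteresis, and reads the CLI lines of the example into a configuration. The class and function names are hypothetical; treating a ratio exactly equal to a threshold as "no change", and ignoring the ratio when no SYN-ACKs were seen, are assumptions the page does not state.

```python
from dataclasses import dataclass

@dataclass
class TcpFloodConfig:
    """tcp_syn_flood_detection parameters, initialised to the defaults from the page."""
    counter: int = 100               # SYN-ACK packets per observation interval
    interval: int = 10               # observation interval, seconds
    trigger_threshold: float = 0.1   # ACK / SYN-ACK ratio below which the alert is raised
    exit_threshold: float = 0.4      # ACK / SYN-ACK ratio above which the alert is cleared

CLI_PREFIX = "conf.user configure vi tcp_syn_flood_detection "

def config_from_cli(lines: list[str]) -> TcpFloodConfig:
    """Apply CLI lines in the page's syntax to a default configuration."""
    cfg = TcpFloodConfig()
    for line in lines:
        line = line.strip()
        if not line.startswith(CLI_PREFIX):
            raise ValueError(f"not a tcp_syn_flood_detection command: {line}")
        key, value = line[len(CLI_PREFIX):].split()
        if key in ("counter", "interval"):
            setattr(cfg, key, int(value))
        elif key in ("trigger_threshold", "exit_threshold"):
            setattr(cfg, key, float(value))
        else:
            raise ValueError(f"unknown parameter: {key}")
    return cfg

@dataclass
class TcpFloodDetector:
    """Per-node alert state; trigger and exit use different thresholds (hysteresis)."""
    cfg: TcpFloodConfig
    active: bool = False

    def observe(self, syn_ack: int, ack: int) -> bool:
        """Feed the packet counts of one observation interval; return the alert state."""
        ratio = ack / syn_ack if syn_ack else None  # assumption: no SYN-ACKs, no ratio
        if not self.active:
            # Both conditions are required to raise the alert.
            if syn_ack > self.cfg.counter and ratio is not None and ratio < self.cfg.trigger_threshold:
                self.active = True
        elif syn_ack < self.cfg.counter or (ratio is not None and ratio > self.cfg.exit_threshold):
            # Either condition clears it; a ratio between the thresholds keeps the alert up.
            self.active = False
        return self.active

def simulate(cfg: TcpFloodConfig, intervals: list[tuple[int, int]]) -> list[bool]:
    """Run (syn_ack, ack) counts for consecutive intervals through one detector."""
    det = TcpFloodDetector(cfg)
    return [det.observe(s, a) for s, a in intervals]

# Constructed sample input: the page's example commands and five intervals of counts.
EXAMPLE_CLI = [CLI_PREFIX + "counter 200", CLI_PREFIX + "interval 15",
               CLI_PREFIX + "trigger_threshold 0.3", CLI_PREFIX + "exit_threshold 0.5"]
EXAMPLE_INTERVALS = [(150, 10), (250, 50), (250, 100), (250, 150), (50, 40)]
```

With the example configuration the sample intervals yield `[False, True, True, False, False]`: the second interval arms the alert, the third keeps it up although its ratio (0.4) is already above the trigger threshold, and the fourth clears it once the ratio exceeds 0.5.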