SIGN:TCP-SYN-FLOOD
In this section we will configure the TCP SYN flood detection.
A node is considered to be under a TCP SYN flood attack when:
- The number of incoming connection attempts during the observation interval is greater than the detection counter
- And, during the observation interval, the ratio between established connections and total number of connection attempts falls below the trigger threshold
A TCP SYN flood attack is considered terminated when:
- The number of incoming connection attempts during the observation interval returns below the detection counter
- Or, during the observation interval, the ratio between established connections and total number of connection attempts returns above the exit threshold
The flooding detection is not guarded by the duplication detection; in other words, duplicated packets can still trigger a flooding alert. This is because the duplication detection is based on SYN numbers, which do not change during a flooding event: deduplicating these packets would inhibit the flooding detection on duplicate packets and cause false negatives.
Set detection counter
Product | Guardian |
Syntax | conf.user configure vi tcp_syn_flood_detection counter <value> |
Description | Set the connection attempts counter, in number of connections. |
Parameters | value : The number of connection attempts to be observed in order to trigger the detection (default: 100) |
Where | CLI |
To apply | It is applied automatically |
Set observation interval
Product | Guardian |
Syntax | conf.user configure vi tcp_syn_flood_detection interval <value> |
Description | Set the observation interval, in seconds. |
Parameters | value : The time interval during which the connection attempts are observed, in seconds (default: 10). |
Where | CLI |
To apply | It is applied automatically |
Set trigger threshold
Product | Guardian |
Syntax | conf.user configure vi tcp_syn_flood_detection trigger_threshold <value> |
Description | Set the trigger threshold. |
Parameters | value : The ratio between established connections and connection attempts below which the flood detection is triggered (default: 0.1). |
Where | CLI |
To apply | It is applied automatically |
Set exit threshold
Product | Guardian |
Syntax | conf.user configure vi tcp_syn_flood_detection exit_threshold <value> |
Description | Set the exit threshold. |
Parameters | value : The ratio between established connections and connection attempts above which the flood detection is terminated (default: 0.4). |
Where | CLI |
To apply | It is applied automatically |
For example, with the commands below the TCP SYN flood detection would trigger when more than 200
connection attempts are observed during a 15-second observation interval and the ratio
between established connections and connection attempts falls below 0.3. The detection
would then terminate when the ratio returns above 0.5 (or the attempts drop below 200).
conf.user configure vi tcp_syn_flood_detection counter 200
conf.user configure vi tcp_syn_flood_detection interval 15
conf.user configure vi tcp_syn_flood_detection trigger_threshold 0.3
conf.user configure vi tcp_syn_flood_detection exit_threshold 0.5
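The following is an added simulation of the detection rules described above (it is not Guardian's own code): constructed connection-attempt events are bucketed into observation intervals and evaluated with the example settings (counter 200, interval 15, trigger 0.3, exit 0.5), showing the hysteresis between the trigger and exit thresholds. Names such as SynFloodConfig and synth are assumptions introduced here.

```python
from dataclasses import dataclass


@dataclass
class SynFloodConfig:
    counter: int = 100             # attempts per interval above which flooding is possible
    interval: float = 10.0         # observation interval, seconds
    trigger_threshold: float = 0.1 # established/attempts ratio below which detection starts
    exit_threshold: float = 0.4    # established/attempts ratio above which detection ends


def bucket_events(events, interval):
    """Group (timestamp, established) connection attempts into consecutive
    observation intervals starting at t=0; returns (attempts, established) per interval."""
    buckets = {}
    for t, established in events:
        idx = int(t // interval)
        attempts, done = buckets.get(idx, (0, 0))
        buckets[idx] = (attempts + 1, done + int(established))
    if not buckets:
        return []
    return [buckets.get(i, (0, 0)) for i in range(max(buckets) + 1)]


def evaluate_windows(windows, cfg):
    """Apply the page's enter/exit rules per interval. Duplicated SYNs are NOT
    removed beforehand, matching the documented behaviour (dedup would mask floods).
    Returns a list of (attempts, ratio, under_attack) per interval."""
    under_attack, out = False, []
    for attempts, established in windows:
        ratio = established / attempts if attempts else 1.0
        if not under_attack:
            under_attack = attempts > cfg.counter and ratio < cfg.trigger_threshold
        else:
            under_attack = not (attempts < cfg.counter or ratio > cfg.exit_threshold)
        out.append((attempts, round(ratio, 3), under_attack))
    return out


def synth(start, n, established_n, interval):
    """Constructed traffic: n attempts spread evenly over [start, start+interval),
    the first established_n of them completing the handshake."""
    return [(start + interval * i / n, i < established_n) for i in range(n)]


EXAMPLE_CFG = SynFloodConfig(counter=200, interval=15, trigger_threshold=0.3, exit_threshold=0.5)
# Constructed sample: normal traffic, flood, partial recovery (ratio 0.4 stays in alert), exit, quiet.
SAMPLE_EVENTS = (synth(0, 50, 45, 15) + synth(15, 600, 30, 15) + synth(30, 600, 240, 15)
                 + synth(45, 600, 330, 15) + synth(60, 100, 10, 15))


def run_detection(events=SAMPLE_EVENTS, cfg=EXAMPLE_CFG):
    return evaluate_windows(bucket_events(events, cfg.interval), cfg)
```

Note that the third interval (ratio 0.4) would not trigger detection on its own but does not clear it either, because the exit threshold (0.5) is higher than the trigger threshold (0.3).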