Tcp syn attack, Tcp syn attack -53 – Finisar Surveyor User Manual

10-53

Expert Features

Transport Layer

10

TCP SYN Attack

Counter

The TCP SYN Attack counter increments when a change in the number of SYN
requests per second exceeds a threshold. A count of all TCP SYN Attack events
displays in the

Overview

counters of Expert View. A threshold for this counter can

be set in Expert Alarms.

Expert Symptom

TCP SYN Attack events are automatically logged as expert symptoms. The

Symptom Summary

field provides information about the rate of change for SYN

requests. For example:

Rate of change of TCP SYN’s=150

The threshold value for the delta of SYN requests per second can be changed. The
default is 100 SYN requests per second.

Diagnostic Details

__________________________________________________________________

Problem Description:

The threshold for the number of SYN connections on the segment has been
exceeded. There may be a SYN attack.

__________________________________________________________________

Probable Cause(s):

1. An intruder is trying to break into your network.
2. The network is heavily overloaded.
3. Your Web server is under attack.
4. There may be a problem with the receiver’s TCP/IP stack.
5. There may be an overloaded switch or router.

__________________________________________________________________

Recommended Action(s):

1. Load balance your network.
2. If you see all the SYNs going to the same station, you may be under attack.
3. If you see too many SYN requests coming from unknown IP addresses, you need to use

a firewall or some other means of authentication.