Wednesday, May 20, 2009

IDS-SYN flood in the OSCE firewall log

Question/Concern/Inquiry:
Hi, I received these OfficeScan logs from my customer asking why there are lots of entries on IDS-SYN flood. How do I fix this? Is it because the machine is infected or not properly patched? Please help to clarify.

Solution/Recommendation:
Two hosts exchange SYN packets to "shake hands" before establishing a TCP connection. While a connection attempt is pending, the target machine holds some of its resources, such as memory, for that request so it can accept it.

Some attacks take advantage of this TCP feature to flood the target machine with connection requests it cannot finish processing. The resulting connections are called half-open sessions, and this is a type of Denial of Service (DoS) attack. The connection count between 172.16.1.13 and 168.168.1.186 exceeded the default value of 64, and this triggered the SYNFLOOD IDS filter.

This is by design: the default SYN flood half-open count (IdsSynFloodHalfOpen) is set to 64, and the IDS rule is triggered when the connection count exceeds it. Ask the company's administrators to check, using a packet capture (Wireshark), why the host is sending so many TCP connection attempts.

We can also change the OSCE client setting to enlarge the SYNFLOOD half-open count as a workaround. Find the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters

IdsSynFloodHalfOpen (DWORD): Default 64
IdsSynFloodSynPerSec (DWORD): Default 4

Change IdsSynFloodHalfOpen to 256. If they still encounter a problem, change IdsSynFloodHalfOpen to 512.
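To see what the half-open rule above actually counts before raising the threshold, here is an added Python model (not Trend Micro's code) that tracks half-open sessions per host pair over a constructed packet list and flags a pair once its count exceeds the IdsSynFloodHalfOpen default of 64. That the tmcfw driver counts exactly this way is an assumption; the traffic, including the hosts from the log entry, is constructed.

```python
from collections import defaultdict

IDS_SYN_FLOOD_HALF_OPEN = 64   # tmcfw default named on the page

def _close(half_open, src, dst, sport, dport):
    """Drop the session from whichever orientation recorded it."""
    half_open[(src, dst)].discard((sport, dport))
    half_open[(dst, src)].discard((dport, sport))

def track_half_open(packets, threshold=IDS_SYN_FLOOD_HALF_OPEN):
    """Count half-open TCP sessions per (client, server) pair.

    packets: iterable of (src, dst, sport, dport, flags) where flags is a
    tcpdump-style string: "S" SYN, "SA" SYN-ACK, "A" ACK, "R"/"RA" reset.
    Returns (alerts, open_counts): alerts holds one (client, server, count)
    tuple per pair the first time its count exceeds threshold, and
    open_counts maps pairs to sessions still half-open at the end.
    """
    half_open = defaultdict(set)
    alerts, alerted = [], set()
    for src, dst, sport, dport, flags in packets:
        if flags == "S":
            # client SYN: the server holds state until the handshake ends
            half_open[(src, dst)].add((sport, dport))
        elif flags != "SA":
            # final ACK completes it; RST from either side tears it down;
            # a SYN-ACK alone leaves the session half-open
            _close(half_open, src, dst, sport, dport)
        pair = (src, dst)
        count = len(half_open[pair])
        if count > threshold and pair not in alerted:
            alerts.append((src, dst, count))
            alerted.add(pair)
    return alerts, {p: len(s) for p, s in half_open.items() if s}

def build_sample():
    """Constructed traffic: one normal handshake, then 70 unanswered SYNs
    between the two hosts the log entry on this page names."""
    server = "168.168.1.186"
    pkts = [("10.0.0.5", server, 51000, 80, "S"),
            (server, "10.0.0.5", 80, 51000, "SA"),
            ("10.0.0.5", server, 51000, 80, "A")]
    pkts += [("172.16.1.13", server, 40000 + i, 80, "S") for i in range(70)]
    return pkts

if __name__ == "__main__":
    alerts, still_open = track_half_open(build_sample())
    print(alerts)       # [('172.16.1.13', '168.168.1.186', 65)]
    print(still_open)   # {('172.16.1.13', '168.168.1.186'): 70}
```

The completed handshake from 10.0.0.5 never counts against the threshold, which is the distinction a capture should be checked for: many SYNs with no third ACK from the host, versus many short but completed connections.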

Hope this helps.

2 comments:

Max Azara said...

I checked my firewall logs, and it's showing a massive SYN flood from web presentation servers, as we use Citrix here. However, that particular user or desktop does not use the presentation server, and yet the SYN flood is showing that it's trying to connect to that server.

Is it a virus or spyware in the system? I have done patching and scans and yet nothing. Please advise if it's really a threat or just a normal connection.

Sha said...

Max Azara, I'd suggest you forward the concern to Trend Support. I'm not an expert in this field.
http://esupport.trendmicro.com/SRFMain.aspx

Good Luck!