https://community.cisco.com/t5/network-security/syn-flood-dos-6009/m-p/573983#M92681 <HTML><HEAD></HEAD><BODY><P>By default, flows with 200pkts/2sec above are alerted. You can change the threshold by CLI </P></BODY></HTML> Mon, 14 Aug 2006 17:47:29 GMT aghaznavi 2006-08-14T17:47:29Z https://community.cisco.com/t5/network-security/syn-flood-dos-6009/m-p/573982#M92680 <P>The signature for syn flood DOS (6009) has two values that I can see will alter the signature threshold.</P><P></P><P>event-counter</P><P> -----------------------------------------------</P><P> event-count: 2600 default: 200</P><P> event-count-key: AxBx &lt;defaulted&gt;</P><P> specify-alert-interval</P><P> -----------------------------------------------</P><P> yes</P><P> -----------------------------------------------</P><P> alert-interval: 2 default: 2</P><P></P><P>The definition for the signature is that it will detect a flood of TCP SYN packets at a rate of 100 per second or greater. We have tried to adjust the signature that this value is higher and no matter what the event count is, it continues to trigger in our environment. At 1300 syns per/sec, (event-count: 2600) an alert is still received for http proxy servers.</P><P></P><P>Have I over looked the parameter that needs to be adjusted in order to increase the threshold of this signature or is it just not tunable. </P> Sun, 10 Mar 2019 10:09:29 GMT https://community.cisco.com/t5/network-security/syn-flood-dos-6009/m-p/573982#M92680 darin.marais 2019-03-10T10:09:29Z https://community.cisco.com/t5/network-security/syn-flood-dos-6009/m-p/573983#M92681 <HTML><HEAD></HEAD><BODY><P>By default, flows with 200pkts/2sec above are alerted. You can change the threshold by CLI </P></BODY></HTML> Mon, 14 Aug 2006 17:47:29 GMT https://community.cisco.com/t5/network-security/syn-flood-dos-6009/m-p/573983#M92681 aghaznavi 2006-08-14T17:47:29Z