topic Re: Half-Syn open in Network Security

Half-Syn open

teperjesi — Sun, 10 Mar 2019 09:10:34 GMT

Hi,

Can somebody tell me, if the Half-Syn open will fire only, when the client doesn't send the final handshake ACK or it fires when the server doens't send the SYN,ACK packet too?

Can somebody tell me the treshold value-s for this signature? I meen, how long the IDS waits, befor rates it as a Syn attack?

It is true, that I can tunning this signature?

Regard:

Tamas

Re: Half-Syn open

nkhawaja — Sun, 05 Dec 2004 19:57:28 GMT

Hi,

I think it fireup if server doesnot get the final ACK back from the client.

If the IDS doesnot see "SYN - ACK" then, it is SYN attack.

The thresholds can be changed.

Thanks

Nadeem

Re: Half-Syn open

teperjesi — Sun, 05 Dec 2004 21:09:27 GMT

Hi,

thanks for the answer.

Can you tell me, how can i adjust the thresholds?

Can I made this through VMS or CLI?

Regards:

Tamas

Re: Half-Syn open

nkhawaja — Sun, 05 Dec 2004 21:25:40 GMT

if you use VMS to manage the sensors, then adjust those thresholds from VMS.

Re: Half-Syn open

teperjesi — Sun, 05 Dec 2004 22:23:48 GMT

Hi,

The engine for the Half-open Syn attack is 'Other' and the VMS tells me, that "Tunning of this signature engine is currently not supported".

Re: Half-Syn open

nkhawaja — Sun, 05 Dec 2004 23:05:08 GMT

i am using IDSMC 2.0 and i am able to tune this signature.

Re: Half-Syn open

darin.marais — Mon, 06 Dec 2004 16:35:21 GMT

That is very interesting, as I am able to confirm that it was not possible tune the “other engine” in version 1.2 of the IDSMC.

Perhaps someone can confirm this for me but I think that one thing to make especially sure of with this signature is that you do not have duplicate SYN requests with single Syn-Ack replies or even “no replies” in the data that you are sending to the monitor interface of the SPAN session as this could also lead to problems.

“Duplicate Traffic

In some configurations, SPAN sends multiple copies of the same source traffic to the destination port. For example, in a configuration with a bidirectional SPAN session (both ingress and egress) for two SPAN sources, called s1 and s2, to a SPAN destination port, called d1, if a packet enters the switch through s1 and is sent for egress from the switch to s2, ingress SPAN at s1 sends a copy of the packet to SPAN destination d1 and egress SPAN at s2 sends a copy of the packet to SPAN destination d1. If the packet was Layer 2 switched from s1 to s2, both SPAN packets would be the same. If the packet was Layer 3 switched from s1 to s2, the Layer-3 rewrite would alter the source and destination Layer 2 addresses, in which case the SPAN packets would be different.”

Reference: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080179597.html#1040560

Re: Half-Syn open

nickbruno — Wed, 05 Jan 2005 16:38:30 GMT

Hi,

This question is related to Half-open Syn and if anyone has experienced anything issues or false-positives with Cisco CSS?