Half-Open Syn signatures problem

jerrod-howard
Level 1

We have three new centers that we cycle our web presence through. For some reason, I am getting anywhere between 30,000 to 50,000 half-open sig events, each from the External and DMZ sensors, when one of those centers is active. However, on the previous infrastructure, it was nowhere near that amount. I am working with the group responsible for maintaining the destinations for these attacks (each center's signature events basically fire on only two destination IPs that are getting hammered).

My question, however, is: is there a known issue with the PIX 525s and 535s, or is there any situation at all that creates a false positive half-open SYN flood attack? I'm working on finding out any other info that may be pertinent, but I want to pursue all available options as to what might be causing this. Thanks!

2 Replies

jerrod-howard
Level 1

OK, the IPs being hit (let's say x.x.x.10 and 11) are actually each a cluster of 5 servers load balanced. Could one of the reasons that I'm seeing such a high volume of half-open SYN events be caused by SYN requests not being 'answered' as that load is passed among those 5 servers? 10 and 11 are basically our primary domain web page and our double-click server, so they are heavy load machines.

Also, the destination IP and port is always the same (x.x.x.10 or 11, port 443). My guess is that it's just a consequence of traffic being shared and passed around within the cluster, but I wanted to get some other people's thoughts on this. Thanks.

We may have found the culprit. It seems our load balanced servers, at least the software application they use to balance them, may be dropping the incoming SYNs and not responding to the original hosts. So everything is working as intended...amazingly enough. Thanks for letting me waste your time heh.
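The thread's conclusion is that a half-open SYN signature cannot, by itself, distinguish a SYN flood from a server (or load balancer) that silently drops incoming SYNs: in both cases the sensor sees SYNs that never become complete handshakes. The following is an added example, not code from the thread or from Cisco, that shows the check a defender would run to tell the two apart. It assumes a simplified per-packet record of the form (timestamp, client, server, server_port, stage), where stage is "S" for the client's SYN, "SA" for the server's SYN-ACK and "A" for the client's final ACK; source ports are ignored to keep the example short. The sample packets are constructed, and x.x.x.10 is kept as the placeholder address used in the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Seconds a handshake may stay incomplete before it is counted as half-open (assumed value).
HANDSHAKE_TIMEOUT = 3.0


@dataclass
class Handshake:
    syn_ts: float
    synack_seen: bool = False
    ack_seen: bool = False


# Constructed sample records: (timestamp, client, server, server_port, stage).
SAMPLE_PACKETS = [
    # Web cluster: five clients send SYNs, the balancer silently drops four of them.
    (0.0, "198.51.100.1", "x.x.x.10", 443, "S"),
    (0.0, "198.51.100.2", "x.x.x.10", 443, "S"),
    (0.1, "198.51.100.3", "x.x.x.10", 443, "S"),
    (0.1, "198.51.100.4", "x.x.x.10", 443, "S"),
    (0.2, "198.51.100.5", "x.x.x.10", 443, "S"),
    (0.2, "198.51.100.5", "x.x.x.10", 443, "SA"),
    (0.3, "198.51.100.5", "x.x.x.10", 443, "A"),
    # Second host: the server answers every SYN but the clients never finish the handshake,
    # which is what a flood from unreachable (e.g. spoofed) sources looks like.
    (1.0, "192.0.2.10", "203.0.113.5", 80, "S"),
    (1.0, "192.0.2.10", "203.0.113.5", 80, "SA"),
    (1.1, "192.0.2.11", "203.0.113.5", 80, "S"),
    (1.1, "192.0.2.11", "203.0.113.5", 80, "SA"),
    (1.2, "192.0.2.12", "203.0.113.5", 80, "S"),
    (1.2, "192.0.2.12", "203.0.113.5", 80, "SA"),
    # Healthy host: a fully completed handshake.
    (2.0, "192.0.2.20", "203.0.113.9", 22, "S"),
    (2.0, "192.0.2.20", "203.0.113.9", 22, "SA"),
    (2.0, "192.0.2.20", "203.0.113.9", 22, "A"),
    # A SYN still inside the timeout window at evaluation time: not half-open yet.
    (9.5, "192.0.2.30", "x.x.x.10", 443, "S"),
]


def classify_half_open(packets, now, timeout=HANDSHAKE_TIMEOUT):
    """Group incomplete handshakes per (server, port) and record which side went quiet.

    Returns {(server, port): {"syns", "completed", "server_silent", "client_silent"}}.
    """
    flows = {}
    for ts, client, server, port, stage in packets:
        key = (client, server, port)
        if stage == "S":
            flows[key] = Handshake(ts)
        elif key in flows and stage == "SA":
            flows[key].synack_seen = True
        elif key in flows and stage == "A":
            flows[key].ack_seen = True
        # Stages without a preceding SYN are ignored.

    stats = defaultdict(lambda: {"syns": 0, "completed": 0,
                                 "server_silent": 0, "client_silent": 0})
    for (client, server, port), hs in flows.items():
        entry = stats[(server, port)]
        entry["syns"] += 1
        if hs.ack_seen:
            entry["completed"] += 1
        elif now - hs.syn_ts >= timeout:
            if hs.synack_seen:
                entry["client_silent"] += 1   # server replied, client never ACKed
            else:
                entry["server_silent"] += 1   # server/balancer never answered the SYN
    return dict(stats)


def diagnose(entry, min_half_open=3):
    """Label a (server, port) entry from classify_half_open.

    The half-open count alone is the same for a dropped-SYN balancer and a flood;
    which side stayed silent is what separates the two cases.
    """
    half_open = entry["server_silent"] + entry["client_silent"]
    if half_open < min_half_open:
        return "ok"
    if entry["server_silent"] >= entry["client_silent"]:
        return "server-not-answering"
    return "clients-not-completing"


if __name__ == "__main__":
    for target, entry in sorted(classify_half_open(SAMPLE_PACKETS, now=10.0).items()):
        print(f"{target[0]}:{target[1]} {entry} -> {diagnose(entry)}")
```

Run against a real capture, the "server-not-answering" label on a destination is the signal that the load balancer or its backends are dropping SYNs (the case this thread ends on), and is worth raising with the server team rather than treating as an attack; "clients-not-completing" on the same port is the pattern that merits a closer look at the sources.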
