
syn flood DOS (6009)

darin.marais
Level 7

The signature for syn flood DOS (6009) has two values that I can see will alter the signature threshold.

event-counter
-----------------------------------------------
event-count: 2600 default: 200
event-count-key: AxBx <defaulted>
specify-alert-interval
-----------------------------------------------
yes
-----------------------------------------------
alert-interval: 2 default: 2

The definition for the signature is that it will detect a flood of TCP SYN packets at a rate of 100 per second or greater. We have tried to adjust the signature so that this value is higher, and no matter what the event count is, it continues to trigger in our environment. At 1300 SYNs per sec (event-count: 2600), an alert is still received for HTTP proxy servers.

Have I overlooked the parameter that needs to be adjusted in order to increase the threshold of this signature, or is it just not tunable?

1 Reply

aghaznavi
Level 10

By default, flows with 200 pkts/2 sec and above are alerted. You can change the threshold by CLI.
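
A simplified model of the event-count / alert-interval / event-count-key thresholding discussed in this thread, added here as an example (it is not from either poster and is not Cisco's implementation). It assumes each SYN counts as one event, that a key's counter resets once alert-interval seconds have passed, and that AxBx keys on the attacker/victim address pair; the function names and sample traffic are constructed.

```python
# Assumed model, not vendor code: count events per key inside a window of
# alert_interval seconds and alert when the count reaches event_count.

KEY_FUNCS = {
    "AxBx": lambda attacker, victim: (attacker, victim),  # address pair
    "Axxx": lambda attacker, victim: (attacker,),         # attacker only
    "xxBx": lambda attacker, victim: (victim,),           # victim only
}

def count_alerts(events, event_count, alert_interval, key="AxBx"):
    """events: time-sorted (timestamp_sec, attacker_ip, victim_ip) tuples.
    Returns a list of (timestamp, key_tuple), one entry per alert."""
    key_fn = KEY_FUNCS[key]
    windows = {}  # key_tuple -> [window_start, count]
    alerts = []
    for ts, attacker, victim in events:
        k = key_fn(attacker, victim)
        w = windows.get(k)
        if w is None or ts - w[0] >= alert_interval:
            w = windows[k] = [ts, 0]  # interval expired: start a new window
        w[1] += 1
        if w[1] == event_count:
            alerts.append((ts, k))
            del windows[k]  # counting restarts after an alert
    return alerts

def syn_stream(clients, rate, seconds, victim="198.51.100.80"):
    """Constructed sample: every client sends `rate` SYNs/sec to one proxy."""
    return sorted((i / rate, c, victim)
                  for c in clients for i in range(rate * seconds))

if __name__ == "__main__":
    clients = ["192.0.2.%d" % n for n in range(1, 27)]  # 26 proxy clients
    many = syn_stream(clients, rate=100, seconds=2)     # 2600 SYN/s in total
    one = syn_stream(["192.0.2.1"], rate=1300, seconds=2)
    for label, ev, n, k in [
        ("1 client @1300/s, count 2600, AxBx", one, 2600, "AxBx"),
        ("26 clients @100/s, count 200, AxBx", many, 200, "AxBx"),
        ("26 clients @100/s, count 2600, AxBx", many, 2600, "AxBx"),
        ("26 clients @100/s, count 2600, xxBx", many, 2600, "xxBx"),
    ]:
        print(label, "->", len(count_alerts(ev, n, 2, k)), "alert(s)")
```

Under this model the same aggregate load on a proxy alerts or stays silent depending on the counting key, so the key is worth checking alongside event-count when comparing a configured threshold with observed SYN rates.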
