TCP SYN Host Sweep (3030.0) Firing Excessively

RITgrad2008
Level 1

Hello all,

We recently added a bunch of IPS to our internal networks (we originally only had them on the perimeter). Since we implemented these IPS (running 5.x), we have seen a massive increase in the number of TCP SYN Host Sweeps.

I looked a little further into the traffic, and it appears a lot of it is traffic to port 80 on external addresses (I'm guessing it's websites with ads, etc. that are causing most of these ones).

However, there are a great deal of connections going to seemingly arbitrary ports to many different network ranges. The part that worries me the most is that a lot of the SYN sweeps go to internal AND external addresses.

I have been unable to determine the exact cause of the SYN sweeps, but it appears that a majority of our clients are doing it.

I am only an intern, so my knowledge (and access to such knowledge) is rather limited.

I was wondering if anyone had any similar experiences? If so, is there a good way to weed out the false positives from the potentially important alerts?

Best Regards,

Ryan

17 Replies

We use Intellitactics NSM as our SEM and it works very well for our environment (because it is very programmable and we love to tinker).

I can't remember the exact changes we've made but this is what we have:

    #sh conf | begin 3030
    signatures 3030 0
    engine sweep
    unique 50
    protocol tcp
    storage-key Axxb
    specify-port-range yes
    port-range 1-24,26-79,81-442,444-2966,2968-65534

The part of this signature that works for us is our platform (NSM) will create an alert when we see 100 of these signatures within a specific time period. That lets us know that some type of scanning is ongoing (note that busy HTTP, DNS, & FTP servers will trigger this sig on return traffic so filtering & profiling is important).
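As an added illustration (not code from this thread or from Cisco), here is a small Python model of the tuning the reply above describes: a port-range filter built from the quoted port-range line, plus a per-source threshold of distinct destination hosts. The event format, the `window` parameter and the exact counting semantics are assumptions; Cisco's real sweep-engine timing is not shown on this page.

```python
"""Toy model of a 3030-style TCP SYN host-sweep rule with the tuning from
the reply above: a per-source 'unique' destination-host threshold and a
port-range filter. Ports 25, 80, 443, 2967 and 65535 fall outside the
quoted range, so ad-heavy web browsing no longer counts toward a sweep.
Sample events below are constructed, not real IPS logs."""
from collections import defaultdict

PORT_RANGE = "1-24,26-79,81-442,444-2966,2968-65534"  # from the quoted config


def parse_port_ranges(spec):
    """Turn '1-24,26-79,...' into a list of (low, high) tuples."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_in_scope(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def host_sweeps(events, unique=50, window=60, ranges=None):
    """Return {src: time_threshold_was_hit} for sources that sent SYNs to at
    least `unique` distinct destination hosts on in-scope ports within
    `window` seconds (window is an assumption). Events: (t, src, dst, dport)."""
    ranges = ranges or parse_port_ranges(PORT_RANGE)
    seen = defaultdict(list)   # src -> [(t, dst), ...] for in-scope SYNs
    fired = {}
    for t, src, dst, dport in sorted(events):
        if not port_in_scope(dport, ranges) or src in fired:
            continue
        hits = [(ts, d) for ts, d in seen[src] if t - ts <= window]
        hits.append((t, dst))
        seen[src] = hits
        if len({d for _, d in hits}) >= unique:
            fired[src] = t
    return fired


# Constructed sample: a client pulling ads from many web hosts on 80/443
# (benign, as in the original post) versus a host probing arbitrary ports.
BROWSING = [(i, "10.1.1.5", f"203.0.113.{i}", 80 if i % 2 else 443) for i in range(1, 121)]
PROBING = [(i, "10.1.1.9", f"10.2.0.{i}", 1000 + i) for i in range(1, 121)]


def demo():
    """Tuned rule: only the port-probing host is reported, at t=50."""
    return host_sweeps(BROWSING + PROBING, unique=50, window=60)
```

Running `host_sweeps` with `ranges=[(1, 65535)]` instead shows the untuned behaviour, where the browsing client also trips the rule.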

I think I will take your advice and try to bump it up to 50 or even 100.

Thanks to everyone for the advice!

(Hopefully I won't have to dredge up this topic again!)

- Ryan

According to Intellishield...

"Host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network."
