

SYN-Only Packet Sources

The SYN-Only Packet Sources sensor looks for:

Hosts that send TCP SYN connection requests without ever establishing a valid socket, that is, without completing the three-way handshake. A stream of such requests is typical of a denial-of-service attack built on SYN packets, such as a SYN flood or SYN reflection using spoofed source addresses.

Troubleshooting a SYN-Only Packet Sources Alert

An alert from the SYN-Only Packet Sources sensor may indicate a worm infection (an infected host probing many addresses and ports, most of which never answer) or a SYN flood, which is a type of denial of service attack.

A SYN flood is a stream of TCP SYN packets that carry spoofed or otherwise invalid source IP addresses. The target server answers each SYN with a SYN-ACK, but because the source address is invalid the handshake can never complete. The server nevertheless allocates a half-open connection entry and holds it until a timeout expires while it waits for the final ACK from the requesting host. Enough of these half-open entries exhaust the server's connection backlog, and it is quickly brought to a standstill by trying to process invalid connection requests.

If you suspect a denial of service attack, use CA Anomaly Detector to identify each offending host, then use firewalls or ACLs to block the host from sending data on the network. Blocking by source address helps only when the offending host uses its real address, as a worm-infected host does; a SYN flood that spoofs its source addresses has to be filtered closer to the target instead, for example by rate-limiting SYNs or enabling SYN cookies on the server. You also can take the affected server offline.
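
As an added example (not part of the CA Anomaly Detector documentation or product code), the following Python reproduces the sensor's criterion over a constructed packet trace: it tracks each client-initiated handshake, reports sources that send many SYNs but never establish a socket, counts the half-open entries a target server is holding, and emits block rules for the identified hosts. The packet records, addresses and thresholds are constructed for illustration, and iptables is assumed as the firewall; an equivalent router or firewall ACL would serve the same purpose.

```python
"""Added example: SYN-only source detection and half-open accounting over a
constructed packet trace. Not CA Anomaly Detector code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flags in tcpdump letters: "S", "SA", "A", "R", "RA"


def track_handshakes(packets):
    """Classify every client-initiated connection attempt in the trace.

    Returns a dict keyed by the client 4-tuple (src, sport, dst, dport) with
    one of these states:
      "syn"          SYN sent, nothing came back (target silent or unreachable)
      "synack"       server answered SYN-ACK and is holding a half-open entry
      "established"  client sent the final ACK, a valid socket exists
      "reset"        either side tore the attempt down with RST
    """
    state = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            state[fwd] = "syn"
        elif p.flags == "SA" and state.get(rev) == "syn":
            state[rev] = "synack"          # server committed a backlog slot
        elif p.flags == "A" and state.get(fwd) == "synack":
            state[fwd] = "established"     # handshake completed by the client
        elif "R" in p.flags:
            for key in (fwd, rev):
                if key in state:
                    state[key] = "reset"
    return state


def syn_only_sources(packets, min_syns=5, min_ratio=0.9):
    """Sources that open many connections and almost never complete one.

    This is the per-source view the sensor reports on. It catches worms and
    scanners that use their real address; a spoofed SYN flood, where every
    forged source sends a single SYN, stays below min_syns and is not caught.
    """
    state = track_handshakes(packets)
    syns, done = defaultdict(int), defaultdict(int)
    for (src, _, _, _), st in state.items():
        syns[src] += 1
        if st == "established":
            done[src] += 1
    flagged = {}
    for src, n in syns.items():
        incomplete = n - done[src]
        if n >= min_syns and incomplete / n >= min_ratio:
            flagged[src] = {"syns": n, "incomplete": incomplete}
    return flagged


def half_open_per_target(packets):
    """Half-open entries each server port is holding: the flood's footprint.

    Only attempts in state "synack" count, because a silent target never
    allocated anything and a reset attempt has already been released.
    """
    pending = defaultdict(int)
    for (_, _, dst, dport), st in track_handshakes(packets).items():
        if st == "synack":
            pending[f"{dst}:{dport}"] += 1
    return dict(pending)


def block_rules(sources):
    """iptables rules (assumed firewall) dropping new connections per source."""
    return [f"iptables -I INPUT -s {s} -p tcp --syn -j DROP" for s in sorted(sources)]


def build_trace():
    """Constructed sample trace, not captured data."""
    pk = []
    # Legitimate client 192.0.2.10: two complete handshakes to a web server.
    for sport in (40001, 40002):
        pk += [Packet("192.0.2.10", sport, "198.51.100.20", 80, "S"),
               Packet("198.51.100.20", 80, "192.0.2.10", sport, "SA"),
               Packet("192.0.2.10", sport, "198.51.100.20", 80, "A")]
    # Worm-like scanner 192.0.2.77: six probes to a silent host plus one
    # refused probe to a live host; it never establishes a socket.
    for i, dport in enumerate((21, 22, 23, 25, 445, 3389)):
        pk.append(Packet("192.0.2.77", 50000 + i, "198.51.100.30", dport, "S"))
    pk += [Packet("192.0.2.77", 50010, "198.51.100.20", 8080, "S"),
           Packet("198.51.100.20", 8080, "192.0.2.77", 50010, "RA")]
    # Spoofed SYN flood on 198.51.100.20:80: each forged source sends one SYN,
    # the server answers SYN-ACK into the void and keeps the half-open slot.
    for i in range(1, 6):
        pk += [Packet(f"203.0.113.{i}", 1024 + i, "198.51.100.20", 80, "S"),
               Packet("198.51.100.20", 80, f"203.0.113.{i}", 1024 + i, "SA")]
    return pk


if __name__ == "__main__":
    trace = build_trace()
    offenders = syn_only_sources(trace)
    print("SYN-only sources:", offenders)
    print("half-open entries per target:", half_open_per_target(trace))
    print("\n".join(block_rules(offenders)))
```

The two views are deliberately separate. The per-source count identifies the worm-like host, which uses its real address and can be blocked with the generated rules. The spoofed flood leaves every forged source with a single SYN, below any sensible per-source threshold, and shows up only as the pile of half-open entries on the target port, which is why blocking those source addresses would not help and the mitigation has to happen at the server.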