SYN Flood Attack

This alert is triggered when detecting a potential SYN Flood attak. In the attack, the attacked server, has been overwhelmed by the flood of SYN requests, eventually reaches its limit for pending connections and cannot accept any new legitimate connection requests from other clients. This results in a denial of service for legitimate users who are unable to connect to the server.

Categories:

ID Number

4000816

Signature

alert tcp any any -> any any (msg:"SYN Flood Attack "; flags:S;flow: stateless; detection_filter: track by_dst, count 70, seconds 10;sid:4000816; rev:1; classtype:attempted-dos;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

This alert is more tailored to small networks with a good networ segmentation. If it triggers many times it is better to disable the alert because it's not suitable to the network