SYN Flood Attack
This alert is triggered when detecting a potential SYN Flood attak. In the attack, the attacked server, has been overwhelmed by the flood of SYN requests, eventually reaches its limit for pending connections and cannot accept any new legitimate connection requests from other clients. This results in a denial of service for legitimate users who are unable to connect to the server.
Signature
alert tcp any any -> any any (msg:"SYN Flood Attack "; flags:S;flow: stateless; detection_filter: track by_dst, count 70, seconds 10;sid:4000816; rev:1; classtype:attempted-dos;)
Recommendations/Investigative actions
This alert is more tailored to small networks with a good networ segmentation. If it triggers many times it is better to disable the alert because it's not suitable to the network
Relations to other alerts