
14:18:23.2825 host.610 > server.25: S 1382726970:1382726970(0) win 4096

Note: This is a fabricated trace; compare the sequence numbers to the previous slide. Most modern OSes are resistant. Most IDS SYN flood detects are actually false positives.

IDIC - SANS GIAC LevelTwo

©2000, 2001


Kind of hard to tell the difference between this page and the previous, yes? In fact, impossible, if you notice the sequence numbers. We simply altered the previous trace with find and replace. What is the point?

It is not unusual to see a mailer "SYN flood"... if your mail server is down. After all, mail is queued up and processed (generally) every hour. The longer the server is down, the more mail gets queued up and the bigger the "SYN flood" becomes. The other very common false positive is Microsoft Internet Explorer visiting a web page; it will create a connection for each .gif, .jpeg, .html, etc., up to a limit of 32.

The bottom line: as a general rule, be very slow to report a SYN flood; there is a high chance of reporting a false positive. You don't need an IDS to detect a bona fide modern SYN flood; hints that this is happening include:

• Cursor echo on an affected system takes over a minute
• Network operations starts making groaning sounds like Red October clearing 600 meters
• Smoke rising from your router

We are sure you get the general idea!
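As an added triage example (not part of the SANS slide notes), the script below parses tcpdump SYN lines in the format shown on the slide and applies the two false-positive rules above before anything is labelled a flood: a single host pounding tcp/25 is treated as a mailer retrying against a down server, and a single host opening up to 32 connections to tcp/80 as a browser fetching page objects. The IE_MAX_CONNS figure is the slide's; the MANY_SOURCES threshold, the retransmission check (a real TCP client that gets no SYN-ACK resends the same SYN with the same source port and ISN, which spoofing flood tools do not bother to do), and all sample traffic are my own assumptions and constructions, not course material.

```python
"""Triage of IDS 'SYN flood' alerts from tcpdump SYN lines (added example)."""
import re
from collections import defaultdict

# One client SYN per line, tcpdump -n style, as on the slide:
#   14:18:23.2825 host.610 > server.25: S 1382726970:1382726970(0) win 4096
# A SYN-ACK from the server is printed the same way but with "ack N" after "(0)".
SYN_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+"
    r"S\s+(?P<seq>\d+):\d+\(0\)(?P<ack>\s+ack\s+\d+)?\s+win\s+\d+"
)

IE_MAX_CONNS = 32    # the slide's figure for Internet Explorer's connection limit
MANY_SOURCES = 10    # assumption: this many distinct clients on one port in a burst


def parse_syns(lines):
    """Yield client SYNs; SYN-ACKs (which carry 'ack') and non-SYN lines are skipped."""
    for line in lines:
        m = SYN_RE.match(line.strip())
        if m and not m.group("ack"):
            yield {k: m.group(k) for k in ("ts", "src", "sport", "dst", "dport", "seq")}


def triage(lines):
    """Return a verdict per (dst host, dst port) for a burst of SYNs."""
    per_target = defaultdict(list)
    for syn in parse_syns(lines):
        per_target[(syn["dst"], int(syn["dport"]))].append(syn)

    verdicts = {}
    for (dst, dport), syns in per_target.items():
        sources = {s["src"] for s in syns}
        # A real TCP client that hears no SYN-ACK retransmits the same SYN
        # (same source port, same ISN); spoofing flood tools fire each once.
        attempts = defaultdict(int)
        for s in syns:
            attempts[(s["src"], s["sport"], s["seq"])] += 1
        retransmits = sum(n - 1 for n in attempts.values())

        if len(sources) >= MANY_SOURCES:
            verdict = "flood-candidate"       # still: corroborate on the host itself
        elif len(sources) == 1 and dport == 25:
            verdict = "mail-retry"            # slide: a mailer hammering a down SMTP server
        elif len(sources) == 1 and dport == 80 and len(syns) <= IE_MAX_CONNS:
            verdict = "browser"               # slide: IE opening one connection per object
        else:
            verdict = "single-source-burst"   # verify before reporting
        verdicts[(dst, dport)] = {
            "verdict": verdict, "syns": len(syns),
            "sources": len(sources), "retransmits": retransmits,
        }
    return verdicts


def _syn(ts, src, sport, dst, dport, seq):
    """Build a tcpdump-style SYN line for the constructed samples below."""
    return f"{ts} {src}.{sport} > {dst}.{dport}: S {seq}:{seq}(0) win 4096"


# Constructed samples (not captures from the course).
MAIL_BURST = [  # three connection attempts, each SYN retransmitted once
    _syn("14:18:23.2825", "mailer", 610, "server", 25, 1382726970),
    _syn("14:18:26.2831", "mailer", 610, "server", 25, 1382726970),
    _syn("14:18:23.2902", "mailer", 611, "server", 25, 1382731104),
    _syn("14:18:26.2910", "mailer", 611, "server", 25, 1382731104),
    _syn("14:18:23.2977", "mailer", 612, "server", 25, 1382735290),
    _syn("14:18:26.2985", "mailer", 612, "server", 25, 1382735290),
]
BROWSER_BURST = [_syn(f"15:02:10.{i:04d}", "pc", 1025 + i, "web", 80, 777000 + 5000 * i)
                 for i in range(8)]
FLOOD = [_syn(f"16:40:00.{i:04d}", f"h{i}", 1024 + i, "victim", 80, 1000003 * i + 7)
         for i in range(40)]

if __name__ == "__main__":
    for name, sample in (("mail", MAIL_BURST), ("browser", BROWSER_BURST), ("flood", FLOOD)):
        print(name, triage(sample))
```

The verdicts are deliberately soft: even "flood-candidate" only says the trace is consistent with a flood, and the slide's own advice stands, namely to confirm on the affected host before reporting.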

Totally Hosed 1