NetFort Advertising

Firewall Reporting Excessive SYN Packets? Check Rate of Connections

TCP handshake showing SYN packets

What are SYN packets?

Last week I was on the road in Scotland visiting some of our university customers. During a meeting with a Network Security Specialist, a network issue popped up and he said to me “our firewall is triggering SYN packet alerts, is there anything you can do to help?

SYN packets are normally generated when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol. In the past attackers could bring down a firewall by sending lots of SYN packets. Each SYN packet would use up firewall resources and eventually it would stop accepting new connections. This can result in a massive business problem now that so many applications are cloud based and need fast and reliable Internet access.

A SYN alert could be the sign of attacker reconnaissance

Modern firewalls are able to deal with SYN attacks better by limiting the rate of SYN requests amoungst other things. However, they still retain their alerting features so if something usual is spotted they will trigger an alarm.

Not all SYN alerts are attacks designed to bring down your firewall. This was the case with the customer I mentioned earlier. In summary they were getting a lot of connections from a host in China which was trying to find any systems running SSH services. This is very common, attackers often seek out SSH servers, once found they try and do a dictionary attack against the root or other accounts. If they are successful then they have full access to the LAN segment that the SSH server sits on.

The image below shows a sample of the events from our LANGuardian system. Each one of these is triggered when a host tries to connect to more than 300 other systems in 25 seconds or less. At the same time the firewall on the same network was triggering excessive SYN packets alerts. The fix in this case was to get the ISP to block the Chinese host.

SYN alerts generated by lots of connections from a single host

How to get visibility at the network edge

If you want to see what is hitting your firewall then you need to monitor network traffic hitting the outside network interfaces. Typically this is done by setting up a SPAN or mirror port on the network switch which connects to the external interfaces.

The image below shows a typical setup. Network packets destined for the LAN or DMZ are analyzied by a traffic analysis tool connnected to the network switch which connects devices together outside the LAN firewall. Most servers located here will have a public IP address and so would be open to network scanning activity. You can also detect SYN packet rates at this point, see what is hitting your main firewall.

DMZ network with traffic monitoring tool in place

One of the main things I watch out for in the DMZ is the rate of connection attempts. This is similar to detecting SYN attacks but as I mentioned, most of this activity is associated with reconnaissance, attackers trying to find a backdoor into your network. Some of the firewalls I looked at will trigger SYN attack alerts when they start received around 10,000 connection attempts per second but this can vary.

The image below is from one of our LANGuardian systems. It is reporting the level of what we call netscans, a netscan is triggered when one host tries to connect to more than 300 others in less than 25 seconds. An alert is triggered when this goes over 20 events per second. Our testing has shown that some firewalls start triggering their own alerts when this rate is reached and may start dropping  or refusing connections.

Network scan levels

We have seen instances, for example DDOS attacks, where the organisation’s firewall is under some much pressure trying to handle the attack, it cannot be accessed and used as a reporting or forensics tool. Another advantage of using a continuous but passive system such as the LANGuardian, it can always be accessed when required and as it is not inline, can never have any impact on network availability or performance.

The video below goes through the steps needed to setup a SPAN or mirror port to monitor network traffic. The example covered looks at monitoring the internal LAN interfaces of a firewall but you can apply a similar approach when it comes to monitoring the external interfaces.