A DoS attack can be explained simply as a flood of illegitimate traffic sent to a network resource from one IP address or a group of IP addresses, making that resource unavailable.

This is one kind of security threat that every network comes across, from a simple enterprise network to a more complex corporate network.

SYN Flooding:

This is a kind of DoS attack. To explain it, we first need to understand the TCP three-way handshake.

To establish a TCP connection, a series of messages is exchanged between the client and the server. It normally runs as given below:

  • A SYN (Synchronization) packet is sent from the client to the server.

  • The server responds with a SYN-ACK (Synchronization Acknowledgment) packet.

  • The client sends an ACK (Acknowledgment) back to the server, and the connection is established.

This is called the TCP three-way handshake, and it is carried out for every connection established using the TCP protocol.

SYN ATTACK:

The attacker disturbs the sequence of the three-way handshake either by not responding to the SYN-ACK from the server, or by continuously sending SYN packets from non-existent IP addresses. The server maintains a queue of half-open connections for which a SYN-ACK has been sent; since no response ever arrives from these clients, the queue overflows and the server is no longer available to anyone. This is called a SYN attack or SYN flooding.

SYN Flood detection in NetFlow Analyzer :

NetFlow Analyzer with Advanced Security Analytics Module (ASAM) is a network flow based security analytics and anomaly detection tool that helps in detecting zero-day network intrusions, using the state-of-the-art Continuous Stream Mining Engine technology, and classifying the intrusions to tackle network security threats in real time. ASAM offers actionable intelligence to detect a broad spectrum of external and internal security threats as well as continuous overall assessment of network security.

The advantage of a flow based security analytics tool is that it analyzes each flow to identify threats, which is why it is called a non-signature based tool.

The IDS or firewall on the network is typically a signature based intrusion detection system: the set of rules defined on the system looks for malicious traffic and alerts the administrator. There is a high chance that malicious traffic goes undetected by the IDS or firewall if the appropriate rules are not defined.

A flow based analytics tool like ASAM in NetFlow Analyzer, on the other hand, can detect threats that get past the firewall or IDS on the network.

Technically, a SYN flood sends a high volume of outbound TCP SYN requests with an invalid source IP address. ASAM analyzes each flow on the interfaces being monitored and recognizes it as a SYN flood, whether it comes from a group of non-existent hosts or from an infected machine on the same network.
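To make the flow based idea concrete, here is an added example (not code from the original post or from NetFlow Analyzer) that applies the two signs described above to NetFlow-style records: flows that carry a SYN but never an ACK are half-open, and a destination dominated by such flows is flagged, with many distinct sources indicating non-existent (spoofed) hosts and a single source indicating an infected machine on the local network. The record fields, thresholds and sample addresses are assumptions constructed for the example.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits as carried in the NetFlow tcp_flags field


def is_half_open(flow):
    """SYN was seen but an ACK never was: the handshake never completed."""
    return bool(flow["flags"] & SYN) and not flow["flags"] & ACK


def detect_syn_flood(flows, min_half_open=100, min_ratio=0.8, spoof_sources=50):
    """Group flows by (dst, dport) and flag destinations whose traffic is
    dominated by half-open flows. Thresholds are assumed values."""
    per_dst = defaultdict(lambda: {"total": 0, "half_open": 0, "sources": set()})
    for f in flows:
        s = per_dst[(f["dst"], f["dport"])]
        s["total"] += 1
        if is_half_open(f):
            s["half_open"] += 1
            s["sources"].add(f["src"])
    findings = {}
    for key, s in per_dst.items():
        ratio = s["half_open"] / s["total"]
        if s["half_open"] >= min_half_open and ratio >= min_ratio:
            # many distinct sources -> spoofed / non-existent hosts;
            # few sources -> one infected machine on the same network
            pattern = "spoofed-sources" if len(s["sources"]) >= spoof_sources else "single-source"
            findings[key] = {"half_open": s["half_open"], "ratio": round(ratio, 2),
                             "sources": len(s["sources"]), "pattern": pattern}
    return findings


def constructed_flows():
    """Constructed sample data, not captured traffic: 300 half-open flows from
    300 distinct addresses against 10.0.0.5:80, 20 completed connections to the
    same server, 150 half-open flows from one internal host against 10.0.0.6:25,
    and 30 normal flows to 10.0.0.9:443."""
    flows = [{"src": f"{198 + i // 256}.51.100.{i % 256}", "dst": "10.0.0.5",
              "dport": 80, "flags": SYN} for i in range(300)]
    flows += [{"src": f"192.0.2.{i}", "dst": "10.0.0.5", "dport": 80,
               "flags": SYN | ACK | 0x08} for i in range(20)]
    flows += [{"src": "10.0.0.77", "dst": "10.0.0.6", "dport": 25, "flags": SYN}
              for _ in range(150)]
    flows += [{"src": f"192.0.2.{i}", "dst": "10.0.0.9", "dport": 443,
               "flags": SYN | ACK | 0x08} for i in range(30)]
    return flows


if __name__ == "__main__":
    for dst, finding in detect_syn_flood(constructed_flows()).items():
        print(dst, finding)
```

On the constructed data the web server is reported as a spoofed-source flood and the mail server as a single-source flood, while the normal HTTPS traffic is not flagged.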

You can download the 30-day trial of ManageEngine NetFlow Analyzer from here

Reach us on Facebook at NetFlow Analyzer TAC

Catch up with the latest updates in the industry, through our LinkedIn community Bandwidth Monitoring and Traffic Analysis for Enterprises


Praveen Kumar

NetFlow Analyzer Technical Team
