A SYN flood is a form of denial of service attack wherein an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

OfficeScan triggers SYN flood notifications when the host receives a certain threshold of SYN packets within a given time. For example, when there are 100 half-open sessions within one second to or from an IP address, OfficeScan sends a notification that a SYN FLOOD occurred.

To diagnose and resolve this issue, first identify if the detections are legitimate or a false positive:

1. Identify the source IP address of the SYN Flood notifications by checking the firewall logs of OfficeScan. Below is an example xcreenshot of an IDS-SYN Flood:

   

2. Once you have identified the Source IP address, check if these are legitimate IP addresses that your organization is connecting to.
   • If the IP is not known by the organization, you may conclude that this might be a valid DDOS attack and therefore block the IP addresses through the Gateway Firewall.
   • If the IP is known, you may do the following:
     • Disable Intrusion Detection System (IDS) in your firewall for specific machines by modifying the default policy All Access Policy:
       • Go to Officescan console > Agents > Firewall > Policies > All Access Policies > Firewall Features > Disable Intrusion Detection System.
     • Allow end-user to disable their IDS:
       1. Go to Officescan console > Agents > Agent Management > select the agent/s > Settings > Privileges and other Settings > Firewall.
       2. Turn on "Display the firewall" settings on the Officescan Agent Console and allow users to enable/disable the firewall, Intrustion Detection System, and the firewall violation notification message.
     • Modify the threshold of the IDS SYN Flood Detection.
        

       Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.

       The following registry keys can be modified so that the threshold of the detection can be increased.

       Legend:
       IdsSynFloodHalfOpen = number of SYN connections
       IdsSynFloodSynPerSec = count in time (seconds)

       Operating System: Win 2003/XP
       Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters\IdsSynFloodHalfOpen
       DWORD: IdsSynFloodHalfOpen
       Values: 1024. (Default)
       If the DWORD doesn't exist please create a new one for it.

       Path:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmcfw\Parameters\IdsSynFloodSynPerSec
       DWORD: IdsSynFloodSynPerSec
       Value: 4. (Default)
       If the DWORD doesn't exist please create a new one for it.

       Operating System: Win 2008/Vista/7
       Path:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmlwf\Parameters\IdsSynFloodHalfOpen
       DWORD: IdsSynFloodHalfOpen
       Values: 1024. (Default)
       If the DWORD doesn't exist please create a new one for it.

       Path:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tmlwf\Parameters\IdsSynFloodSynPerSec
       DWORD: IdsSynFloodSynPerSec
       Value: 4 (Default)
       If the DWORD doesn't exist please create a new one for it.