Got an email notification that a Syn flood has been detected.
Only thing is I can't find any settings in Zenarmor that relate to SYN flood, or how to even turn it on or off, and I have no understanding of what to actually do about it or how to check if the alert is reasonable. How can I check anything at all, or set anything at all, that relates to a SYN flood?
Kind regards
P
I had the same notifications the last couple of days (after upgrading Zenarmor?). I have run Zenarmor for almost a year and never had this notification. Don't know how to troubleshoot it either.
I mean, if there are no options to set, no thresholds to configure and nothing to view, then it doesn't really help much.
Yep, also just had this email last night.
Hi All,
Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing an engine crash in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for the users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?
Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,
Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing an engine crash in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for the users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?
I have a home license which I pay monthly.
When you say "we thought it could be useful information for the users to check the network", can you explain what we are supposed to check? Zenarmor has zero visibility into this as far as I can tell, so it's not clear what you are expecting us to check.
To give an example, when my car says 'check oil' I use the dipstick to check how much oil there is. What am I clicking in Zenarmor to view the SYN attack and associated logs?
Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,
Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing an engine crash in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for the users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?
Home License for me
Quote from: allebone on April 29, 2024, 10:16:53 PM
Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,
Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing an engine crash in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for the users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?
I have a home license which I pay monthly.
When you say "we thought it could be useful information for the users to check the network", can you explain what we are supposed to check? Zenarmor has zero visibility into this as far as I can tell, so it's not clear what you are expecting us to check.
To give an example, when my car says 'check oil' I use the dipstick to check how much oil there is. What am I clicking in Zenarmor to view the SYN attack and associated logs?
This is a good point, and I must agree. The troubleshooting documentation for Zenarmor, reached when you click on the link in the GUI in the SynFlood notification, has no steps explaining or guiding users on what they should do and what they should expect.
https://www.zenarmor.com/docs/troubleshooting/packet-engine
Also, just my personal feeling, but I think the reason this happens is the syncookies threshold (the size is improperly set). As we can now see, many users are hitting the synflood notification but actually don't have any impact.
Regards,
S.
Hi,
This faq may be helpful.
https://www.zenarmor.com/docs/support/faq#syn-flood-attack-detected-what-should-i-do
Also, the Enable/Disable option for Syn Flood Detection will be available on 1.17.2 and will be shipped next week.
Best regards
I also notice a daily SYN Flood email on my system.
I'm using the free version. Don't know where to start looking, since there is no logging by Zenarmor of the cause of the SYN flood.
Is this related to false positives caused by a threshold which is too low?
The only things I have running that do some network scanning are 2 Home Assistant plugins.
Both use NMAP. One is a network scanner which periodically scans my network for devices; the other is another HA integration which uses NMAP to track devices.
Hi,
Upon rechecking, we found that the threshold is quite high. You can review session counts in Zenarmor reports for local users, but the best way to check the session counts is on the switch ports. It's important to note that due to in-sync attacks, the Ethernet header could also be altered.
Hello,
I was able to go deeper into this rabbit hole.
If you are using NMAP, it definitely triggers the synflood on ZenArmor, and it also consumes syncache; after that, memory saturation happens on each subsequent NMAP run. My observations:
NMAP run with these flags:
nmap -sS -p-
A. NMAP and OPN
- Scanning is done on only 1 IP at a time from a range; there are no parallel probes run
- The server where NMAP runs has only 4 services permitted (4 ports ingress); the rest is blocked
- When NMAP starts port scans, every session/packet that doesn't have one of these 4 destination ports is blocked by OPN.
- NMAP sends only 1 probe for a working OPEN connection (permitted by OPN)
- If there is no reply for a probe, NMAP will send 1 more retry (blocked by OPN)
- This is seen and confirmed by reviewing the OPNsense logs.
B. NMAP and Zenarmor
- Following up from A, ZenArmor will show in the vmstat logs that syncache is being massively consumed
- Within a few seconds all syncache is eaten up and the synflood message is triggered by ZenArmor
Now what I don't understand:
1. Why does ZenArmor show syncache being eaten up, when only 4 sessions/packets are allowed by OPNsense and the rest is dropped?
2. Shouldn't the FW protect against synflood resource utilization specifically, if a synflood is happening?
3. Shouldn't ZenArmor recognize this as port scanning rather than a SYN flood attack?
For me it is extremely weird (I don't understand it) that NMAP triggers syncache consumption and a synflood on ZenArmor, which afterwards starts to consume RAM, as most of the probes are blocked by OPN beforehand.
Important:
When NMAP is run with the additional flag -f, none of the above behavior (syncache utilization or synflood) is seen or reported by Zenarmor.
For me there are two problems here:
1. Why is synflood triggered by NMAP when most of the services are blocked, and why is it not recognized as a port scan?
2. Zenarmor doesn't look like it does anything if a scan probe is fragmented.
Regards,
S.
Hi,
In SYN flood attacks, no session is created, only a SYN packet is sent. Therefore, if you are able to calculate the sessions, it is not a SYN flood attack.
I suggest disabling tools like nmap and similar ones to eliminate any potential issues, and then rechecking to see if Zenarmor exhibits the same behavior.
Do you know how to investigate the source of SYN floods? I get the SYN flood alert mail every Sunday morning between 2 and 4 a.m. I guess there is one service running that triggers the warning, but how would you analyze this?
I have a home network with about 50 active devices, a Proxmox server with multiple VMs, smart home devices, etc. I have no idea where to start.
But as you say it happens periodically on the same day and time, most likely it's some kind of automation or tool. Do you use NMAP, NetAlertX or PiAlert?
In the 1.18 release the synflood detection should also show the device causing this. Use that info to find what device is causing it.
Quote
Improvement: The SYN Flood detection capabilities have been enhanced to provide additional details, such as synflood top actors, MAC addresses, and local and remote IP addresses.
https://www.zenarmor.com/docs/support/release-notes
Regards,
S.
I get these as well regularly, but if it is an attack:
The attacker is flooding your system starting connections, but leaving the session hanging halfway, leaving the firewall waiting for the other side to finish building the connection. Do this from a single address (DOA) or multiple addresses (DDOS).
That being said: I don't actually believe ZA is detecting this type of attack properly on a home firewall (in my case). Why would an attacker SYN flood random users?
The number of 'me too' messages makes me think ZA is a bit trigger happy, maybe?
You are correct on that matter, there seems to be a BUG.
For example, when you run the nmap scanner and block all the ports on OPNsense, ZA keeps the connections but OPNsense drops them. What happens here is that ZA keeps the TCP SYN, but there will never be a handshake because the traffic is blocked.
Syncache will grow and ZA starts to report this as synflood. This also starts to eat into memory and SWAP. Basically ZA is not identifying this correctly, creates false positives and causes resource drain if the synflood feature is enabled.
I was able to reproduce this behavior Exactly as described above. If you scan just one IP like this you will eat out all the syncaches, subsequent scanning will cause resources drain.
Regards,
S.
Hi,
Zenarmor has an algorithm to detect SYN attacks which checks the syncache and its deployment size. There is a threshold according to deployment size, and it decides whether there is an anomaly with the syncache or not, and reports the host(s) that have the most SYN sessions. It may not be an attack, but it should be an anomaly with the host(s). You can check the syncache value in /usr/local/zenarmor/log/stat/memstat*.log
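As an added illustration (not Zenarmor's code, and not from any poster), the following script shows the distinction the thread keeps circling: a scan spreads never-completed SYNs across many ports of one host, while a real flood piles them onto one port and the handshake is never finished. The syncache entries, the deployment-size threshold and the numeric cut-offs are all constructed assumptions for the example.

```python
# Added example, not Zenarmor's implementation. Classifies half-open TCP
# entries per source so a "SYN flood" alert can be triaged as scan vs flood.
from collections import defaultdict

# Constructed syncache-style sample (src, dst, dport, handshake_completed).
# 192.0.2.10 mimics the thread's nmap -sS of one host: one SYN per port, and
# the firewall drops them so nothing completes. 198.51.100.7 mimics a flood:
# many SYNs at one port that never complete. 10.0.0.20 is a normal client.
SAMPLE = (
    [("192.0.2.10", "10.0.0.5", p, False) for p in range(1, 41)]
    + [("192.0.2.10", "10.0.0.5", 443, True)]
    + [("198.51.100.7", "10.0.0.5", 443, False) for _ in range(120)]
    + [("10.0.0.20", "10.0.0.5", 443, True)] * 5
)

def syncache_threshold(deployment_hosts):
    """Assumed threshold model: scales with deployment size (made-up numbers),
    mirroring the vendor's 'threshold according to deployment size'."""
    return max(50, 2 * deployment_hosts)

def summarize(entries):
    """Per source: (half-open count, distinct (dst, port) targets, completed)."""
    half_open, targets, completed = defaultdict(int), defaultdict(set), defaultdict(int)
    for src, dst, dport, done in entries:
        if done:
            completed[src] += 1          # a real session: not flood traffic
        else:
            half_open[src] += 1          # bare SYN, handshake never finished
            targets[src].add((dst, dport))
    sources = set(half_open) | set(completed)
    return {s: (half_open[s], len(targets[s]), completed[s]) for s in sources}

def classify(entries, deployment_hosts):
    """Return {src: label}. A flood is many half-open SYNs per target above the
    threshold; a scan is many distinct targets with few SYNs each."""
    thr = syncache_threshold(deployment_hosts)
    verdict = {}
    for src, (ho, distinct, _done) in summarize(entries).items():
        if ho == 0:
            verdict[src] = "normal"
        elif ho >= thr and ho / distinct >= 10:
            verdict[src] = "syn_flood_candidate"
        elif distinct >= 20:
            verdict[src] = "port_scan"
        else:
            verdict[src] = "normal"
    return verdict

def top_actors(entries, n=3):
    """Sources ordered by half-open SYN count, like a 'top actors' report."""
    stats = summarize(entries)
    return sorted(stats, key=lambda s: stats[s][0], reverse=True)[:n]
```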