Author Topic: Zenarmor - Syn flood has been detected.  (Read 3655 times)

Seimus

  • Hero Member
  • *****
  • Posts: 613
  • Karma: 60
Re: Zenarmor - Syn flood has been detected.
« Reply #15 on: November 03, 2024, 09:41:53 pm »
But as you say, it happens periodically on the same day and at the same time, so most likely it's some kind of automation or tool. Do you use NMAP, NetAlertX or PiAlert?


In the 1.18 release, the SYN flood detection should also show the device causing this. Use that info to find which device is causing it.
Quote:
    Improvement: The SYN Flood detection capabilities have been enhanced to provide additional details, such as synflood top actors, MAC addresses, and local and remote IP addresses.

https://www.zenarmor.com/docs/support/release-notes


Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

FredsterNL

  • Newbie
  • *
  • Posts: 26
  • Karma: 2
Re: Zenarmor - Syn flood has been detected.
« Reply #16 on: November 09, 2024, 01:08:32 am »
I get these as well regularly, but if it is an attack:

The attacker is flooding your system by starting connections but leaving the session hanging halfway, which leaves the firewall waiting for the other side to finish building the connection. This can be done from a single address (DOA) or from multiple addresses (DDOS).

That being said: I don't actually believe ZA is detecting this type of attack on a home firewall (in my case) correctly. Why would an attacker SYN flood random users?

The number of 'me too' messages makes me think ZA is a bit trigger happy, maybe?
Running OPNsense on a Deciso DEC690 with upgraded memory (16GB ECC) and active cooling

Seimus

  • Hero Member
  • *****
  • Posts: 613
  • Karma: 60
Re: Zenarmor - Syn flood has been detected.
« Reply #17 on: November 10, 2024, 12:24:36 am »
You are correct on that matter; there seems to be a BUG.

For example, when you run an nmap scan and all the ports are blocked on OPNsense, ZA keeps the connections but OPNsense drops them. What happens here is that ZA keeps the TCP SYN, but there will never be a handshake because the traffic is blocked.

The syncache will grow and ZA starts to report this as a synflood. This also starts to eat into memory and SWAP. Basically ZA is not identifying this correctly; it creates false positives and causes a resource drain if the synflood feature is enabled.

I was able to reproduce this behavior exactly as described above. If you scan just one IP like this you will eat up all the syncaches; subsequent scanning will cause a resource drain.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

sy

  • Hero Member
  • *****
  • Posts: 597
  • Karma: 44
Re: Zenarmor - Syn flood has been detected.
« Reply #18 on: November 11, 2024, 01:57:18 pm »
Hi,

Zenarmor has an algorithm to detect SYN attacks which checks the syncache against its deployment size. There is a threshold according to the deployment size, which decides whether there is an anomaly with the syncache or not, and it reports the host(s) that have the most SYN sessions. It might not be an attack, but it should be an anomaly with the host(s). You can check the syncache value in /usr/local/zenarmor/log/stat/memstat*.log


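The thread describes two things worth seeing in code: the detection approach in Reply #18 (count half-open SYN sessions, compare the total against a threshold, report the top actors) and the false-positive scenario in Reply #17 (one port scanner against blocked ports produces many half-open entries from a single source). The script below is an added example, not Zenarmor's code; the memstat*.log format is not documented in the thread, so it instead parses FreeBSD `netstat -an -p tcp` style socket lines (a format I know) and treats `SYN_RCVD` as half-open. The sample listing and both thresholds are constructed assumptions.

```python
"""Count half-open TCP sessions per remote host from netstat-style output.

Added example, not Zenarmor code. Assumed input: FreeBSD `netstat -an -p tcp`
lines such as
  tcp4  0  0  192.168.1.1.443  203.0.113.7.51234  SYN_RCVD
where the last dot of an endpoint separates the port from the address.
"""
import re
from collections import Counter

# Constructed sample: one scanner (203.0.113.7) probing several blocked
# ports, ordinary ESTABLISHED sessions, and one stray half-open handshake.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.1.443        192.168.1.20.50211     ESTABLISHED
tcp4       0      0 192.168.1.1.22         203.0.113.7.40001      SYN_RCVD
tcp4       0      0 192.168.1.1.23         203.0.113.7.40002      SYN_RCVD
tcp4       0      0 192.168.1.1.25         203.0.113.7.40003      SYN_RCVD
tcp4       0      0 192.168.1.1.80         203.0.113.7.40004      SYN_RCVD
tcp4       0      0 192.168.1.1.443        203.0.113.7.40005      SYN_RCVD
tcp4       0      0 192.168.1.1.443        198.51.100.9.61000     SYN_RCVD
tcp4       0      0 192.168.1.1.443        192.168.1.21.50300     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
"""

# proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^tcp[46]\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_host_port(endpoint):
    """Split 'host.port' on the last dot (works for IPv4 and IPv6 forms)."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def half_open_by_remote(netstat_text):
    """Return a Counter of SYN_RCVD (half-open) sessions per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, UDP, or unix-socket lines
        _local, foreign, state = m.groups()
        if state != "SYN_RCVD":
            continue
        host, _port = split_host_port(foreign)
        counts[host] += 1
    return counts


def assess(netstat_text, total_threshold=5, per_host_threshold=3, top_n=3):
    """Flag an anomaly when total half-open sessions reach total_threshold.

    Thresholds are assumed values for this example; the thread states that
    Zenarmor sizes its threshold by deployment size without giving numbers.
    Returns the total, the anomaly flag, the top actors, and the hosts that
    alone account for per_host_threshold or more half-open sessions (the
    single-scanner pattern from Reply #17).
    """
    counts = half_open_by_remote(netstat_text)
    total = sum(counts.values())
    return {
        "total_half_open": total,
        "anomaly": total >= total_threshold,
        "top_actors": counts.most_common(top_n),
        "suspects": sorted(h for h, n in counts.items() if n >= per_host_threshold),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_NETSTAT)
    print("half-open total:", result["total_half_open"], "anomaly:", result["anomaly"])
    for host, n in result["top_actors"]:
        print(f"  {host}: {n} half-open")
```

Against the constructed sample the total of 6 half-open sessions trips the assumed threshold, and 203.0.113.7 is reported as the top actor with 5, which is what a single blocked port scan looks like: an anomaly on one internal or external host rather than a distributed flood, matching the point made in Reply #18 that the alert indicates an anomaly with a host rather than necessarily an attack.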
