Zenarmor - Syn flood has been detected.

Started by allebone, April 28, 2024, 07:41:48 PM

Got an email notification that a Syn flood has been detected.

Only thing is I can't find any settings in zenarmor that relate to syn flood or how to even turn it on or off, and I have no understanding of what to actually do about it or how to check if the alert is reasonable. How can I check anything at all or set anything at all that relates to a syn flood?

Kind regards
P


I had the same notifications the last couple of days (after upgrading zenarmor?) I have run zenarmor for almost a year and never had this notification. Don't know either how to troubleshoot

I mean if there are no options to set, no thresholds to configure and nothing to view then it doesn't really help much.

Yep, also just had this email last night.

Hi All,

Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing engine crashes in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?



April 29, 2024, 10:16:53 PM #6 Last Edit: April 29, 2024, 10:25:25 PM by allebone
Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,

Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing engine crashes in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?

I have a home license which I pay monthly.

When you say "we thought it could be useful information for the users to check the network", can you explain what we are supposed to check? Zenarmor has zero visibility into this as far as I can tell, so it's not clear what you are expecting us to check.

To give an example, when my car says 'check oil' I use the dipstick to check how much oil there is. What am I clicking in zenarmor to view the syn attack and associated logs?

Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,

Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing engine crashes in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?

Home License for me

Quote from: allebone on April 29, 2024, 10:16:53 PM
Quote from: sy on April 29, 2024, 07:43:59 PM
Hi All,

Thanks for reporting the issue. Zenarmor started to recognize SYN attacks with version 1.17. The SYN attack was causing engine crashes in the previous versions. So the engine is capable of detecting SYN attacks, and we thought it could be useful information for users to check the network. Can you share your subscription type so we can check whether it could be a low-threshold issue, please?

I have a home license which I pay monthly.

When you say "we thought it could be useful information for the users to check the network", can you explain what we are supposed to check? Zenarmor has zero visibility into this as far as I can tell, so it's not clear what you are expecting us to check.

To give an example, when my car says 'check oil' I use the dipstick to check how much oil there is. What am I clicking in zenarmor to view the syn attack and associated logs?

This is a good point, and I must agree. The Tshoot documentation for Zenarmor, reached by clicking the link in the GUI in the SynFlood notification, has no steps explaining or guiding users on what they should do and what they should expect.

https://www.zenarmor.com/docs/troubleshooting/packet-engine

Also just my personal feeling, but I think the reason this happens is due to the syncookies threshold (the size is improperly set). As we can now see, many users are hitting the synflood notification but actually don't have any impact.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Hi,

This faq may be helpful.
https://www.zenarmor.com/docs/support/faq#syn-flood-attack-detected-what-should-i-do

Also, the Enable/Disable option for Syn Flood Detection will be available on 1.17.2 and will be shipped next week.

Bests

I also notice a daily Syn Flood email on my system.
I'm using the free version. Don't know where to start looking since there is no logging of the cause of the syn flood by zenarmor.
Is this related to false positives by a threshold which is too low?
The only thing I have running that does some network scanning are 2 Home Assistant plugins.
Both use NMAP. One is a network scanner which periodically scans my network for devices, the other is another HA integration which uses NMAP to track devices.

Hi,

Upon rechecking, we found that the threshold is quite high. You can review session counts in Zenarmor reports for local users, but the best way to check the session counts is on the switch ports. It's important to note that due to in-sync attacks, the Ethernet header could also be altered.

May 16, 2024, 10:31:38 AM #12 Last Edit: May 16, 2024, 10:53:31 AM by Seimus
Hello,

I was able to go deeper into this rabbit hole.

And if you are using NMAP, it definitely triggers the synflood on ZenArmor; it also consumes syncache, and after that memory saturation will happen on each subsequent NMAP run. My observations:

NMAP run with these flags >

nmap -sS -p-

A. NMAP and OPN
- Scanning is done only on 1 IP at a time from a range, there are no parallel probes run
- The server where NMAP runs has only 4 services permitted (4 ports Ingress), the rest is blocked
- When NMAP starts port scans, every session/packet that doesn't have one of these 4 destination ports is being blocked by OPN.
- NMAP sent only 1 probe for a working OPEN connection (permitted by OPN)
- If there is no reply for a probe, NMAP will send 1 more retry (blocked by OPN)
- This is seen and confirmed by reviewing the OPNsense logs.

B. NMAP and Zenarmor
- Following up from A. ZenArmor will show in the logs vmstat that syncache is being massively consumed
- Within few seconds all syncache is being eaten UP and synflood message is triggered by ZenArmor


Now what I don't understand:
1. Why does ZenArmor show syncache being eaten up, when only 4 sessions/packets are being allowed by OPNsense and the rest is dropped?
2. Shouldn't the FW protect against synflood, specifically resource utilization, if a synflood is happening?
3. Shouldn't ZenArmor recognize this as Port Scanning rather than a Syn flood attack?

For me it is extremely weird (I don't understand it) that NMAP triggers syncache consumption and a synflood on ZenArmor, which afterwards starts to consume RAM, as most of the probes are being blocked by OPN beforehand.

Important:
When NMAP is run with the additional flag -f, the above behavior (syncache utilization or synflood) is not seen or reported by Zenarmor.

For me there are two problems here:
1. Why is a synflood triggered by NMAP when most of the services are blocked, and why is it not recognized as a port scan?
2. Zenarmor doesn't look like it does anything if a scan probe is fragmented

Regards,
S.

Hi,

In SYN flood attacks, no session is created, only a SYN packet is sent. Therefore, if you are able to calculate the sessions, it is not a SYN flood attack.

I suggest disabling tools like nmap and similar ones to eliminate any potential issues, and then rechecking to see if Zenarmor exhibits the same behavior.
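sy's criterion above (a SYN flood creates no sessions, so if you can count completed sessions it is not a SYN flood) and Seimus's observations on the NMAP run (one probe per port plus one retry, most of them dropped by the firewall) can be combined into a small triage script that tells the two patterns apart per source address. The Python below is an added example, not Zenarmor's or OPNsense's code; it runs over a constructed packet list rather than a real capture, and the thresholds FLOOD_MIN_SYNS and SCAN_MIN_PORTS are assumed illustrative values, not Zenarmor's own threshold.

```python
"""Per-source triage of TCP SYN activity: completed sessions, port-scan-like,
or flood-like half-open traffic.  Added example; thresholds are illustrative."""
from collections import defaultdict
from dataclasses import dataclass, field

FLOOD_MIN_SYNS = 20   # assumed: SYNs with no completion before we call it flood-like
SCAN_MIN_PORTS = 10   # assumed: distinct (host, port) targets before we call it a scan


@dataclass
class SourceStats:
    syn: int = 0            # SYNs sent by this source
    synack: int = 0         # SYN-ACKs the source received (target answered)
    established: int = 0    # handshakes the source completed with a final ACK
    ports: set = field(default_factory=set)  # distinct (dst, dport) targets


def _pkt(t, src, dst, sport, dport, flags):
    return {"t": t, "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}


def build_sample():
    """Constructed packet records (not a real capture): a normal client, a
    half-open SYN scanner, and a flood-like source, all aimed at 10.0.0.1."""
    pk = []
    # Normal client: three complete handshakes to the web server.
    for i in range(3):
        sp = 50000 + i
        pk += [_pkt(i, "10.0.0.5", "10.0.0.1", sp, 443, "S"),
               _pkt(i + 0.001, "10.0.0.1", "10.0.0.5", 443, sp, "SA"),
               _pkt(i + 0.002, "10.0.0.5", "10.0.0.1", sp, 443, "A")]
    # SYN scan of 12 ports: one probe each, one retry where the firewall drops silently.
    open_ports = {22, 25}
    for n, port in enumerate(range(20, 32)):
        sp = 40000 + n
        pk.append(_pkt(10 + n, "10.0.0.7", "10.0.0.1", sp, port, "S"))
        if port in open_ports:
            pk.append(_pkt(10 + n + 0.001, "10.0.0.1", "10.0.0.7", port, sp, "SA"))
            pk.append(_pkt(10 + n + 0.002, "10.0.0.7", "10.0.0.1", sp, port, "R"))  # half-open: torn down, never completed
        else:
            pk.append(_pkt(10 + n + 1, "10.0.0.7", "10.0.0.1", sp, port, "S"))    # the single retry
    # Flood-like: 40 SYNs to one port, nothing ever answered or completed.
    for n in range(40):
        pk.append(_pkt(30 + n * 0.01, "10.0.0.9", "10.0.0.1", 60000 + n, 443, "S"))
    return pk


def summarize(packets):
    """Track each (client, server, server_port) handshake through SYN -> SYN-ACK -> ACK."""
    stats = defaultdict(SourceStats)
    pending = {}  # (client, server, server_port) -> "syn" | "synack" | "est"
    for p in packets:
        key_c = (p["src"], p["dst"], p["dport"])
        if p["flags"] == "S":
            stats[p["src"]].syn += 1
            stats[p["src"]].ports.add((p["dst"], p["dport"]))
            pending[key_c] = "syn"
        elif p["flags"] == "SA":
            key = (p["dst"], p["src"], p["sport"])  # reverse direction of the SYN
            if pending.get(key) == "syn":
                pending[key] = "synack"
                stats[p["dst"]].synack += 1
        elif p["flags"] == "A":
            if pending.get(key_c) == "synack":
                pending[key_c] = "est"
                stats[p["src"]].established += 1
        # RST and other flags do not advance a handshake, so they are ignored here.
    return stats


def classify(s: SourceStats) -> str:
    half_open = s.syn - s.established
    # Many distinct targets with at most one probe plus one retry each: scan-shaped.
    if len(s.ports) >= SCAN_MIN_PORTS and s.syn <= 2 * len(s.ports):
        return "port-scan-like"
    # Many SYNs at few targets and nothing ever completes: flood-shaped.
    if s.syn >= FLOOD_MIN_SYNS and s.established == 0:
        return "syn-flood-like"
    if s.established > 0 and half_open <= s.established:
        return "normal"
    return "half-open"


def classify_all(stats):
    return {src: classify(s) for src, s in stats.items()}


if __name__ == "__main__":
    stats = summarize(build_sample())
    for src, verdict in classify_all(stats).items():
        s = stats[src]
        print(f"{src}: {verdict} (syn={s.syn} synack={s.synack} "
              f"established={s.established} targets={len(s.ports)})")
```

To use it on your own traffic, replace build_sample() with records parsed from a tcpdump or firewall log (source, destination, ports and TCP flags are all that is needed). The point of the script is the distinction the notification email does not give you: a source that completes handshakes is a normal client, a source that touches many ports once or twice each is scanning, and only a source that piles up SYNs with no completed sessions matches sy's description of a SYN flood.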

Do you know how to investigate the source of syn floods? I get the syn flood alert mail every Sunday morning between 2 and 4 a.m. I guess there is one service running that triggers the warning, but how would you analyze this?
I have a home network with about 50 active devices, a Proxmox server with multiple VMs, smart home devices, etc. I have no idea where to start.