Use Agents to Detect SYN Attacks

A SYN attack (SYN flood) is a common denial-of-service (DoS) technique in which an attacker sends a large number of TCP SYN packets to a target host, often with spoofed source addresses. For each SYN received, the target allocates a half-open connection and replies with a SYN-ACK to the source address. Because the attacker (or the spoofed source) never completes the handshake, the target retransmits the SYN-ACK and holds the half-open connection until it times out. With enough SYNs outstanding, the target's connection table fills, it can no longer accept new connections, and legitimate users are denied service.

While a SYN attack is under way, the target shows failed flows (connection attempts that never complete) together with an unusually high number of new flows per minute. Adaptive response offers several agent templates that monitor flows to and from hosts and help detect SYN attacks:

  • NFPM (New Flows Per Minute) Failed Flow — this agent template detects hosts that have failed flows AND have a high number of new flows per minute.
  • Failed Flow Ratio — this agent template detects hosts that have a high ratio of failed flows compared to new client flows per minute.
  • Host Info Variables — this agent template can monitor several different types of flows, one of which is failed flows. An agent, called Syn Attack - Failed Flow, is automatically created for you; you can modify the default settings if necessary.

After you have set up one or more of these agents, the adaptive response feature will alert you when a possible SYN attack is in process. The standard alert is a red indicator on the info tab (PacketWise) or configuration tab (PolicyCenter). In addition, you can have an email, SNMP trap, or syslog message sent to you; this method requires that you create an action file — a text file of PacketWise commands. The action file can include any CLI command that can run without additional user input. See Action File Overviews for more information.

In order to use this feature, the adaptive response feature must be enabled. If you want to use the preconfigured SYN Attack agent but want to review or modify the settings, refer to Modify the Syn Attack - Failed Flow Agent Settings, below. If you want to create your own agent based on either the NFPM Failed Flow or Failed Flow Ratio template, see Add a New Adaptive Response Agent for instructions on creating a new agent.

Note: These agents have two host lists associated with them: exception and violating. In the exception host list, you can add the IP addresses of the hosts you don't want to trigger the agent (such as servers). The violating host list contains the IP addresses of the hosts that exceed the threshold set for the agent; adaptive response automatically adds hosts to this list when they are in violation.

Create an Exception Host List

To keep your servers and other legitimate hosts from triggering false alarms, create an exception host list for your agents. If a single exception host list should apply to all host agents, add the exception hosts to the default host list that is created for you automatically: exceptionHosts. If different agents need different exception lists, create host lists with unique names.

1. Access the command-line interface.

2. Type hl show to see the host list names.

3. To create a new host list, use the hl new command. For example:

hl new synException

4. To add hosts to an existing host list, use the hl add command. You can add multiple addresses by separating each with a space. For example:

hl add exceptionHosts 192.21.18.162 192.21.18.165 192.21.18.169

5. When modifying the agent (below), make sure to specify this host list name for the ExceptionHosts parameter.

Modify the Syn Attack - Failed Flow Agent Settings

By default, the Syn Attack - Failed Flow agent checks every minute to see if a host has exceeded 100,000 failed flows per minute. You'll want to set the number of failed flows threshold to a value that makes sense for your network. You may also want to change the evaluation interval (for instance, to every 10 minutes).

Note: In order for the agent to work properly, you must set the FlowsThreshold to a value that is appropriate for your network traffic patterns.

  1. On the setup tab, click the Adaptive Response Settings link.

  2. Make sure the checkbox in the Agent On column is selected for the Syn Attack - Failed Flow agent.

  3. Click edit next to the agent. The Edit Agent Entry window will open.

  4. If desired, change the evaluation interval, in minutes (how often the agent should measure its target).

  5. If desired, modify the threshold values:

    FlowsThreshold — Number of failed flows per minute that might indicate a host is being attacked.

    ViolatingHosts — Name of violating host list; adaptive response will automatically create a violating host list using the name supplied here. Any hosts that exceed the agent's FlowsThreshold will be added to this host list. See Restrict Bandwidth for Violating Hosts for further information.

    ExceptionHosts — Name of exception host list; this should be the name you used in Create an Exception Host List above.

    RedThreshold — The value at which the status of the agent turns red, and a red action file is triggered, if present. For a Syn Attack agent, this number represents an unacceptable number of violating hosts; a host is in violation if it exceeds the defined FlowsThreshold. For instance, if the RedThreshold is set to 1, the agent's status will change to red when at least one host had failed flows per minute greater than the defined FlowsThreshold.

    GreenThreshold — An acceptable number of violating hosts (usually 0).

  6. Click OK to save your changes.

After creating the agent, you will want to monitor it to see whether any hosts have been in violation.

Check the Agent Status

To check the status of the SYN attack agent(s):

  1. Click the info tab. The PacketShaper’s info tab shows an icon for each agent category, and a colored status indicator for each. The SYN attack agents are in the Hosts category.

  2. To see the status of each individual agent in the Hosts category, hover your mouse over the Hosts colored status indicator.



  3. In the pop-up window, locate your SYN attack agent(s). What color are their status indicators?

    Green — During the last evaluation interval, no hosts exceeded the number of flows per minute you defined for the FlowsThreshold (for agents based on the Host Info Variables or NFPM - Failed Flow templates) or RatioThreshold (for agents based on the Failed Flow Ratio template). Note: This assumes the GreenThreshold is set to the default value of 0.
    Red — During the last evaluation interval, at least one host exceeded the FlowsThreshold (or RatioThreshold). Note: This assumes the RedThreshold is set to the default value of 1.

    If the status indicator is red, you should look at the incident report for details.

  4. If there is a report for the SYN attack agent, click the report icon. The report appears in a separate browser window and lists all the hosts that exceeded the defined thresholds, during the current interval as well as previous intervals. These hosts (for example, 10.10.10.100) are automatically added to the violatingHosts host list. See Restrict Bandwidth for Violating Hosts for further information about how you can use the violating host list.
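The threshold semantics described under Modify the Syn Attack - Failed Flow Agent Settings and the red/green status rules in Check the Agent Status, as an added worked example (this is not PacketWise code and does not reflect how PacketShaper computes its counters): a small Python model that evaluates constructed per-host flow records against FlowsThreshold or RatioThreshold, honours the exception host list, and derives the violating host list, the $scorevalue and the agent colour. The Flow record layout, averaging the rate over the evaluation interval, the denominator used for the ratio agent, and the "between" label for the band the page leaves undefined are assumptions.

```python
# Added example (not PacketWise code): a stand-alone model of how a
# host-based adaptive response agent turns per-host flow records into a
# violating host list and a red/green status. The record layout, the
# averaging over the evaluation interval and the "between" status are
# assumptions, not documented PacketWise behaviour.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    host: str      # host that received the connection attempt (the possible SYN target)
    failed: bool   # True if the TCP handshake never completed (half-open, then timed out)


@dataclass(frozen=True)
class AgentConfig:
    flows_threshold: int = 100                     # FlowsThreshold: failed flows/min per host
    ratio_threshold: Optional[float] = None        # RatioThreshold: failed / new flows; None = count agent
    red_threshold: int = 1                         # violating hosts needed to turn the agent red
    green_threshold: int = 0                       # violating hosts at or below which it is green
    exception_hosts: FrozenSet[str] = frozenset()  # ExceptionHosts list


@dataclass
class Evaluation:
    per_host: Dict[str, Tuple[float, float]]   # host -> (failed flows/min, new flows/min)
    violating: List[str]                       # hosts to add to the ViolatingHosts list
    score: int                                 # number of violating hosts, the $scorevalue
    status: str                                # "red", "green" or "between"


def evaluate(flows: List[Flow], cfg: AgentConfig, interval_minutes: int = 1) -> Evaluation:
    """Evaluate one interval's worth of flow records against the agent thresholds."""
    failed, total = Counter(), Counter()
    for f in flows:
        total[f.host] += 1
        if f.failed:
            failed[f.host] += 1

    per_host, violating = {}, []
    for host in sorted(total):
        # Assumption: rates are averaged over the interval, so a 1-minute burst
        # looks 10x smaller when the agent is set to evaluate every 10 minutes.
        failed_pm = failed[host] / interval_minutes
        new_pm = total[host] / interval_minutes
        per_host[host] = (failed_pm, new_pm)
        if host in cfg.exception_hosts:
            continue  # servers and other known-good hosts never trigger the agent
        if cfg.ratio_threshold is None:
            hit = failed_pm > cfg.flows_threshold                  # NFPM / Host Info Variables style
        else:
            hit = failed[host] / total[host] > cfg.ratio_threshold  # Failed Flow Ratio style (assumed denominator)
        if hit:
            violating.append(host)

    score = len(violating)
    if score >= cfg.red_threshold:
        status = "red"
    elif score <= cfg.green_threshold:
        status = "green"
    else:
        status = "between"   # the page defines no colour for this band; assumed label
    return Evaluation(per_host, violating, score, status)


def merge_violating(existing: List[str], ev: Evaluation) -> List[str]:
    """Violating hosts accumulate across intervals until an operator clears the list."""
    return sorted(set(existing) | set(ev.violating))


def constructed_flows() -> List[Flow]:
    """Constructed sample for one evaluation minute (not captured data)."""
    flows: List[Flow] = []
    flows += [Flow("10.10.10.100", True)] * 250 + [Flow("10.10.10.100", False)] * 5   # flooded target
    flows += [Flow("10.10.10.20", False)] * 297 + [Flow("10.10.10.20", True)] * 3      # busy, healthy server
    flows += [Flow("10.10.10.30", True)] * 4 + [Flow("10.10.10.30", False)] * 2        # quiet host, flaky client
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    for name, cfg in [("count agent", AgentConfig(flows_threshold=100)),
                      ("ratio agent", AgentConfig(ratio_threshold=0.5))]:
        ev = evaluate(sample, cfg)
        print(f"{name}: status={ev.status} score={ev.score} violating={ev.violating}")
```

Run against the constructed sample, the count agent flags only 10.10.10.100, while the ratio agent also flags 10.10.10.30, a quiet host with four failed flows out of six; that is the reason a ratio-based agent needs either an exception list or a threshold tuned for low-volume hosts. In this model a 10-minute interval averages the same burst down to 25 failed flows per minute and the agent stays green, so lengthen the interval only after confirming the threshold still catches the bursts you care about.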



Create an Action File that Sends an Email Notification

If you would like to be notified by email when a SYN attack might be occurring, you can create a command file containing the send email command. By designating this command file as the red action file, an email will be sent whenever the red threshold is crossed.

Note: In order to send email notification, you must configure an SMTP server in PacketWise.

To create an action file that sends an email notification:

1. If the info tab is currently displayed, click the Settings link; otherwise, go to the setup tab and click the Adaptive Response Settings link.

2. Click the edit button next to the SYN attack agent.

3. Click the browse files button. The File Browser window opens and shows the contents of the 9.258/agent/cmd directory (where action files need to be stored).

4. Click the new cmd file button. A command file window opens.

5. In the File Name field, enter a unique name for your action file, up to eight characters long, using 0-9, a-z, A-Z, - (hyphen), _ (underscore), and . (period). Spaces are not allowed. Example: synattak

6. In the Contents area, enter the following commands:

#Title: red action file for SYN Attack agent
send email <address> "<subject>" ["<body>"]


where <address> is the email address of the recipient. For example:

send email raltman@test.com "Syn Attack may be in process" "Adaptive response has detected at least one host that may be involved in a Syn Attack. Look at the incident report for a list of violating hosts."

Note: If you want to send an email notification to more than one recipient, repeat the send email command for each email address.

If you like, you can include the defined threshold (the $flowsThreshold variable for agents based on the Host Info Variables or NFPM Failed Flow templates, or $ratioThreshold for agents based on the Failed Flow Ratio template) and the number of hosts that were in violation (the $scorevalue variable) in the <subject> or <body>, as the following example shows:

send email raltman@test.com "Syn Attack may be in process" "Adaptive response has detected $scorevalue host(s) with more than $flowsThreshold failed flows per minute. Look at the incident report for a list of violating hosts."

When the message is sent, the body of the email message would look something like this:

Adaptive response has detected 2 host(s) with more than 100 failed flows per minute. Look at the incident report for a list of violating hosts.

7. Click save.

8. Enter the name of your action file in the Red Action File field (for example, synattak.cmd).

9. Click OK.

After the next evaluation interval, an email will be sent if and when the agent's red threshold is crossed. If you like, you can create a green action file to notify you when the agent returns to a green status.
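As an added example (not PacketWise code), the action file from steps 5 and 6 assembled and checked in Python: the name check enforces the eight-character limit and allowed characters stated above, one send email line is emitted per recipient as the note recommends, and preview_message shows what the body reads like once $scorevalue and $flowsThreshold are expanded. That PacketWise substitutes $name variables the way Python's string.Template does, and the refusal of double quotes or newlines inside the subject or body (the page documents no escaping), are assumptions.

```python
# Added example (not PacketWise code): builds the contents of a red action
# file and previews the expanded message. The filename rules come from the
# page; the assumption that PacketWise expands $name variables the way
# string.Template does, and the refusal of embedded quotes, are mine.
import re
from string import Template
from typing import List, Optional

# Up to eight characters from 0-9, a-z, A-Z, hyphen, underscore and period; no spaces.
# The .cmd extension is added separately (the page refers to the file as synattak.cmd).
ACTION_NAME_RE = re.compile(r"[0-9A-Za-z._-]{1,8}")


def is_valid_action_name(name: str) -> bool:
    """True if the base name satisfies the length and character rules."""
    return ACTION_NAME_RE.fullmatch(name) is not None


def send_email_line(address: str, subject: str, body: Optional[str] = None) -> str:
    """One 'send email' command; subject and body are double-quoted, body is optional."""
    for text in (subject, body or ""):
        if '"' in text or "\n" in text:
            # The page documents no escaping, so refuse rather than emit a line
            # the CLI might parse differently from what was intended (assumption).
            raise ValueError("subject/body must not contain double quotes or newlines")
    line = f'send email {address} "{subject}"'
    return f'{line} "{body}"' if body else line


def build_action_file(name: str, title: str, recipients: List[str],
                      subject: str, body: Optional[str] = None) -> str:
    """Full action file: a #Title comment, then one send email command per recipient."""
    if not is_valid_action_name(name):
        raise ValueError(f"invalid action file name: {name!r}")
    lines = [f"#Title: {title}"]
    lines += [send_email_line(r, subject, body) for r in recipients]
    return "\n".join(lines) + "\n"


def preview_message(text: str, **agent_vars) -> str:
    """Show the message after $scorevalue / $flowsThreshold / $ratioThreshold expansion."""
    return Template(text).safe_substitute(agent_vars)


if __name__ == "__main__":
    body = ("Adaptive response has detected $scorevalue host(s) with more than "
            "$flowsThreshold failed flows per minute. Look at the incident report "
            "for a list of violating hosts.")
    print(build_action_file("synattak", "red action file for SYN Attack agent",
                            ["raltman@test.com", "noc@test.com"],
                            "Syn Attack may be in process", body))
    print(preview_message(body, scorevalue=2, flowsThreshold=100))
```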

Restrict Bandwidth for Violating Hosts

Once you know the IP addresses of hosts that might be involved in a SYN attack, what is your next step? One possibility is to automatically restrict the bandwidth of the violating hosts until you have a chance to research the hosts. To implement this strategy, you create traffic classes that are based on the violating host list, and then apply appropriate policies and/or partitions to these classes.

1. In Inbound, create a class with a name such as HostViolators.

2. In the Host List drop-down list for Inside, select violatingHosts (or the name you specified for the ViolatingHosts parameter).

3. Repeat step 2 for Outside.

4. Click add class to create the class.

5. Repeat the above steps to create an Outbound class named HostViolators.

6. Apply appropriate policies and/or partitions to restrict the violating hosts' bandwidth. One strategy might be:

  • Create a partition with size = 0 Kbps, burstable, and a limit of the maximum bandwidth you'd like to devote to all the violating hosts together. For example, you could limit the aggregate of all your violating hosts to 10 percent of your link size.

  • Define a dynamic subpartition giving each host the restricted amount of bandwidth you consider appropriate. For example, you might cap each host at 64 Kbps.

 

PacketGuide™ for PacketWise® 8.1