Finisar Surveyor User Manual

10-53

Counter

The TCP SYN Attack counter increments when a change in the number of SYN 
requests per second exceeds a threshold. A count of all TCP SYN Attack events 
displays in the 

 counters of Expert View. A threshold for this counter can 

be set in Expert Alarms.

Expert Symptom

TCP SYN Attack events are automatically logged as expert symptoms. The 

 field provides information about the rate of change for SYN 

requests. For example:

Rate of change of TCP SYN’s=150

The threshold value for the delta of SYN requests per second can be changed. The 
default is 100 SYN requests per second. 

Diagnostic Details

__________________________________________________________________ 

The threshold for the number of SYN connections on the segment has been 
exceeded. There may be a SYN attack.

__________________________________________________________________ 

1. An intruder is trying to break into your network.
2. The network is heavily overloaded.
3. Your Web server is under attack.
4. There may be a problem with the receiver’s TCP/IP stack.
5. There may be an overloaded switch or router.

__________________________________________________________________ 

1. Load balance your network.
2. If you see all the SYNs going to the same station, you may be under attack.
3. If you see too many SYN requests coming from unknown IP addresses, you need to use 

a firewall or some other means of authentication.