cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

CP SmartDefense Distributed Attack

I have a case where SmartDefense  triggered a distributed attack alert on egress traffic. 

Messages observed:

"Streaming Engine: TCP SYN Modified Retransmission" with "Data received before SYN-ACK was acknowledged. Stripping all packet data".

Can anyone shed light on what these mean and what  might have caused this?  I suspect a misconfigured device somewhere. I understand the literal meaning of "Data received before SYN-ACK was acknowledged. Stripping all packet data" but not the first message. 

Any help is appreciated. 

Thank you. 

1 Reply
Admin
Admin

Re: CP SmartDefense Distributed Attack

Asymmetric routing, perhaps?

Basically, it's saying:

  • We saw a packet with data before we saw the TCP three-way handshake complete (or the connection was idle for too long and it timed out).
  • Rather than forward that packet along or drop the connection entirely, we sent a SYN with no data to reestablish the connection.
0 Kudos