David_Boyett
Explorer

CP SmartDefense Distributed Attack

I have a case where SmartDefense triggered a distributed attack alert on egress traffic.

Messages observed:

"Streaming Engine: TCP SYN Modified Retransmission" with "Data received before SYN-ACK was acknowledged. Stripping all packet data".

Can anyone shed light on what these mean and what might have caused this? I suspect a misconfigured device somewhere. I understand the literal meaning of "Data received before SYN-ACK was acknowledged. Stripping all packet data" but not the first message.

Any help is appreciated. 

Thank you. 

4 Replies
PhoneBoy
Admin

Asymmetric routing, perhaps?

Basically, it's saying:

  • We saw a packet with data before we saw the TCP three-way handshake complete (or the connection was idle for too long and it timed out).
  • Rather than forward that packet along or drop the connection entirely, we sent a SYN with no data to reestablish the connection.
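
The behaviour described above, as an added example that is not part of the thread and not Check Point's code: a small Python model of the stream-engine check, run over three constructed packet traces (symmetric routing, asymmetric routing where the SYN-ACK never passes this gateway, and a handshake followed by a long idle gap). The packet tuple format, the function names, the IDLE_TIMEOUT value and the simplified state machine are all assumptions made for illustration.

```python
"""
Added example, not from the original thread or from Check Point: a
simplified model of the stream-engine check behind the message
"Data received before SYN-ACK was acknowledged. Stripping all packet data".

Each constructed packet is (time_s, direction, tcp_flags, payload_len)
as the gateway would see it; "c2s" is client-to-server, "s2c" is
server-to-client.  The state machine below is a deliberate simplification
of the TCP three-way handshake, not the vendor's implementation.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical idle timeout for the model (seconds); a real gateway uses
# its configured TCP session timeout.
IDLE_TIMEOUT = 3600.0

STRIP_MSG = ("Streaming Engine: TCP SYN Modified Retransmission: "
             "Data received before SYN-ACK was acknowledged. "
             "Stripping all packet data")

Packet = Tuple[float, str, str, int]


@dataclass
class Flow:
    """Per-connection handshake state as tracked by the gateway."""
    synack_seen: bool = False      # gateway saw the server's SYN-ACK
    handshake_done: bool = False   # gateway saw the client's ACK of it
    last_seen: Optional[float] = None
    events: List[str] = field(default_factory=list)

    def reset(self) -> None:
        self.synack_seen = False
        self.handshake_done = False


def inspect(packets: List[Packet]) -> Tuple[Flow, List[Packet]]:
    """Run packets through the model; return the flow state and what
    the gateway would forward (data segments may come out with payload 0)."""
    flow = Flow()
    forwarded: List[Packet] = []
    for t, direction, flags, payload in packets:
        # Long silence: the gateway has aged the connection out, so the
        # next packet is judged as if no handshake had been seen.
        if flow.last_seen is not None and t - flow.last_seen > IDLE_TIMEOUT:
            flow.events.append(
                f"t={t:.2f}: idle for {t - flow.last_seen:.0f}s, "
                "handshake state discarded")
            flow.reset()
        flow.last_seen = t

        is_syn = "S" in flags and "A" not in flags
        is_synack = "S" in flags and "A" in flags
        if direction == "c2s" and is_syn:
            flow.reset()                 # a fresh handshake attempt
        elif direction == "s2c" and is_synack:
            flow.synack_seen = True
        elif direction == "c2s" and "A" in flags and flow.synack_seen:
            flow.handshake_done = True   # ACK of the SYN-ACK completes it

        # The check itself: data before the handshake completed from this
        # gateway's point of view gets its payload stripped.
        if payload > 0 and not flow.handshake_done:
            flow.events.append(f"t={t:.2f}: {STRIP_MSG}")
            forwarded.append((t, direction, flags, 0))
            continue
        forwarded.append((t, direction, flags, payload))
    return flow, forwarded


# Constructed traces (not captured traffic).
# Symmetric routing: this gateway sees every packet of the handshake.
SYMMETRIC: List[Packet] = [
    (0.00, "c2s", "S", 0),
    (0.01, "s2c", "SA", 0),
    (0.02, "c2s", "A", 0),
    (0.03, "c2s", "PA", 120),
    (0.05, "s2c", "PA", 900),
]
# Asymmetric routing: the server's return path bypasses this gateway, so
# neither the SYN-ACK nor the server's data is ever seen here.
ASYMMETRIC: List[Packet] = [
    (0.00, "c2s", "S", 0),
    (0.02, "c2s", "A", 0),
    (0.03, "c2s", "PA", 120),
    (1.03, "c2s", "PA", 120),   # client retransmits; it got no reply
]
# Idle timeout: handshake completed, then data after a long silence.
IDLE: List[Packet] = [
    (0.00, "c2s", "S", 0),
    (0.01, "s2c", "SA", 0),
    (0.02, "c2s", "A", 0),
    (4000.0, "c2s", "PA", 60),
]

if __name__ == "__main__":
    for name, trace in (("symmetric", SYMMETRIC),
                        ("asymmetric", ASYMMETRIC),
                        ("idle", IDLE)):
        flow, out = inspect(trace)
        print(f"{name}: forwarded payloads {[p[3] for p in out]}")
        for e in flow.events:
            print("  ", e)
```

In the asymmetric trace the gateway on the client-to-server path never sees the SYN-ACK, so the client's first data segment is, from that gateway's view, data on an unfinished handshake: the payload is stripped, the server never gets the request, the client retransmits and the same thing happens again, which is why affected connections hang rather than fail cleanly. Setting the protection to Accept would forward those segments, but it also means the gateway is passing data on a stream whose start it never saw and therefore cannot inspect; making both directions traverse the same gateway (or a cluster whose members synchronise connection state) removes the cause instead of the symptom.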
Zolocofxp
Collaborator

Glad I stumbled upon this post. Exactly the issue I was experiencing, and asymmetric routing was the culprit.

0 Kudos
VarunTP
Participant

I am also having the same issue, "Data received before SYN was acknowledged. Stripping all packet data". We have a cluster of 3 external firewalls and 2 internet links (Active/Passive). So where might the asymmetric routing be happening? Between the 3 firewalls in the cluster?

Is there any solution? I have seen that the drop is happening at "Inspection Settings - TCP SYN Modified Retransmission" under the default profile. Currently it is configured as Drop; can we change it to Accept? Will that create any security vulnerability?

0 Kudos
