Create a Post
Showing results for 
Search instead for 
Did you mean: 

CP SmartDefense Distributed Attack

I have a case where SmartDefense  triggered a distributed attack alert on egress traffic. 

Messages observed:

"Streaming Engine: TCP SYN Modified Retransmission" with "Data received before SYN-ACK was acknowledged. Stripping all packet data".

Can anyone shed light on what these mean and what  might have caused this?  I suspect a misconfigured device somewhere. I understand the literal meaning of "Data received before SYN-ACK was acknowledged. Stripping all packet data" but not the first message. 

Any help is appreciated. 

Thank you. 

2 Replies

Asymmetric routing, perhaps?

Basically, it's saying:

  • We saw a packet with data before we saw the TCP three-way handshake complete (or the connection was idle for too long and it timed out).
  • Rather than forward that packet along or drop the connection entirely, we sent a SYN with no data to reestablish the connection.

Glad I stumbled upon this post. Exactly the issue I was experiencing, and asymmetric routing was the culprit.

0 Kudos


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events