GigaFlow Syn Monitoring

From Observer GigaFlow Support | VIAVI Solutions Inc.
Revision as of 11:48, 23 November 2018 by Niall (Talk | contribs)



Anuview Flow monitors all TCP flows in which only the SYN bit is set. In normal network operations this indicates that a flow did not see a reply packet while it was active in that router's NetFlow cache. As such, it can be an indicator of:

1) Asymmetric routing: perhaps the reply returned via a different router
2) Reply traffic was blocked
3) Servers aren't responding for some reason
4) Something is probing the network

While monitoring SYN packets, Flow looks for and alerts on the conditions defined below. Two thresholds are used:

IP Address Count Threshold. This represents the number of unique IP addresses which must be exceeded for a network sweep to have occurred.
Port Count Threshold. This represents the number of unique ports which must be exceeded for a sweep to have occurred.

These thresholds can be changed in the System->Global Settings page.

[Screenshot: Synthreshold.png]

Definition of the various syn alert types:

Syn Src Port Sweep: Alerts if a source IP address fails to get a response from more than "Port Count Threshold" unique destination ports.
Syn Src Network Sweep: Alerts if a source IP address fails to get a response from more than "IP Address Count Threshold" unique destination addresses.
Syn Src Network And Port Sweep: Alerts if a source IP address exceeds both the "Port Count Threshold" and the "IP Address Count Threshold".
Syn Dst Port Sweep: Alerts if a destination IP address fails to respond to more than "Port Count Threshold" unique destination ports.
Syn Dst Unreachable Server: Alerts if a destination IP address fails to respond to more than "IP Address Count Threshold" unique destination addresses.
Syn Dst Network And Port Sweep: Alerts if a destination IP address exceeds both the "Port Count Threshold" and the "IP Address Count Threshold".
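The following is an added example, not GigaFlow's own code, showing how the two thresholds and the six alert types above can be applied to SYN-only flow records. The record layout (src, dst, dst_port, tcp_flags), the threshold values and the sample flows are constructed for illustration; a real deployment would read them from the collector's NetFlow cache.

```python
from collections import defaultdict

SYN_ONLY = 0x02  # TCP flags value when only the SYN bit is set

def syn_sweep_alerts(flows, ip_count_threshold, port_count_threshold):
    """Classify SYN-only (unanswered) flows into the page's six alert types.
    flows: iterable of (src_ip, dst_ip, dst_port, tcp_flags); thresholds
    must be exceeded to alert. Returns sorted (alert_type, ip) pairs."""
    src_ports, src_addrs = defaultdict(set), defaultdict(set)
    dst_ports, dst_addrs = defaultdict(set), defaultdict(set)
    for src, dst, dport, flags in flows:
        if flags != SYN_ONLY:        # only SYN-only flows count as unanswered
            continue
        src_ports[src].add(dport)    # ports this source got no reply from
        src_addrs[src].add(dst)      # hosts this source got no reply from
        dst_ports[dst].add(dport)    # ports this destination never answered on
        dst_addrs[dst].add(src)      # sources this destination never answered
    alerts = []
    for ip in src_ports:
        ports = len(src_ports[ip]) > port_count_threshold
        addrs = len(src_addrs[ip]) > ip_count_threshold
        if ports and addrs:
            alerts.append(("Syn Src Network And Port Sweep", ip))
        elif ports:
            alerts.append(("Syn Src Port Sweep", ip))
        elif addrs:
            alerts.append(("Syn Src Network Sweep", ip))
    for ip in dst_ports:
        ports = len(dst_ports[ip]) > port_count_threshold
        addrs = len(dst_addrs[ip]) > ip_count_threshold
        if ports and addrs:
            alerts.append(("Syn Dst Network And Port Sweep", ip))
        elif ports:
            alerts.append(("Syn Dst Port Sweep", ip))
        elif addrs:
            alerts.append(("Syn Dst Unreachable Server", ip))
    return sorted(alerts)

# Constructed sample: one host gets no reply from six ports on one server,
# another gets no reply from one port on six servers, plus one answered
# (SYN+ACK) flow that must be ignored.
SAMPLE_FLOWS = (
    [("10.0.0.5", "192.168.1.1", p, SYN_ONLY) for p in (21, 22, 23, 25, 80, 443)]
    + [("10.0.0.9", f"192.168.2.{h}", 445, SYN_ONLY) for h in range(10, 16)]
    + [("10.0.0.7", "192.168.1.1", 443, 0x12)]
)

if __name__ == "__main__":
    for alert_type, ip in syn_sweep_alerts(SAMPLE_FLOWS, 4, 4):
        print(f"{alert_type}: {ip}")
```

With both thresholds set to 4, the server at 192.168.1.1 also raises a Dst Port Sweep, since it failed to answer on six ports; raising the thresholds to 6 silences every alert because the counts must be exceeded, not merely reached.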