ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Invalid SYN Flood Error #8631

Open lucaderi opened 2 months ago

lucaderi commented 2 months ago
[Screenshot attached: 2024-08-18 11:07:13]

If a host makes many successful requests/sec, they should not be accounted for in the SYN flood check.

lucaderi commented 1 month ago

You can replicate it by sniffing traffic generated by tools such as

wget --no-parent -r http://WEBSITE.com/

that can traverse an HTTP server and recursively fetch data.

sulaimansuhas commented 4 weeks ago

Hi @lucaderi,

To solve this bug we should keep track of half-established TCP connections rather than the total number of SYN packets sent/received. I have 3 potential approaches to solve this issue and would love to have some input on which would be preferred:

  1. Similar to what is being done already, we take samples every 1 second of the number of half-established connections. Every 1 minute we take a sample of the highest number of established connections seen in a 1-second window.
  2. We can keep an ongoing count of the open connections and sample the count every 1 minute.
  3. We can keep an ongoing count of the open connections and trigger an alert whenever the threshold is exceeded.
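Approach 1 above, sketched as an added example that is not ntopng code: a tracker that counts half-established connections per client, samples that count once per second, keeps the peak per one-minute window, and is compared with the naive per-second SYN counter the issue reports, on two constructed traces (a recursive wget whose handshakes all complete, and a burst of SYNs that never do). Addresses, the threshold and the trace shapes are assumptions.

```python
from collections import defaultdict

# Constructed trace events: (time_s, client_ip, conn_id, flag), where flag "S" is the
# client SYN, "A" the client ACK completing the handshake, "R" a reset. Not real data.

class HalfOpenTracker:
    """Count half-established connections per client, sample once per second, keep the
    highest sample per window and alert at window end if it exceeds the threshold."""
    def __init__(self, threshold=100, window=60):
        self.threshold, self.window = threshold, window
        self.half_open = defaultdict(set)   # client -> conn ids with SYN but no ACK/RST
        self.window_max = defaultdict(int)  # client -> highest 1-second sample this window
        self.next_sample, self.alerts = 1, []  # alerts: (window_end, client, peak)

    def sample_until(self, now):
        while self.next_sample <= now:  # take every whole-second sample up to `now`
            for client, conns in self.half_open.items():
                self.window_max[client] = max(self.window_max[client], len(conns))
            if self.next_sample % self.window == 0:
                self.alerts += [(self.next_sample, c, p) for c, p in self.window_max.items()
                                if p > self.threshold]
                self.window_max.clear()
            self.next_sample += 1

    def feed(self, t, client, conn, flag):
        self.sample_until(t)
        if flag == "S":
            self.half_open[client].add(conn)
        else:  # "A" completes the handshake, "R" aborts it: no longer half-open either way
            self.half_open[client].discard(conn)

def run(events, threshold=100, window=60):
    """Alerts raised over the whole trace; the last (partial) window is flushed."""
    tr, evs = HalfOpenTracker(threshold, window), sorted(events)
    for ev in evs:
        tr.feed(*ev)
    tr.sample_until(window * (int(evs[-1][0] // window) + 1))
    return tr.alerts

def naive_syn_peak(events):
    """The behaviour the issue reports: peak raw SYNs per second, ignoring completion."""
    per_sec, peak = defaultdict(int), defaultdict(int)
    for t, client, _, flag in events:
        if flag == "S":
            per_sec[(client, int(t))] += 1
    for (client, _), n in per_sec.items():
        peak[client] = max(peak[client], n)
    return dict(peak)

def crawler_trace(rate=300, seconds=60):
    """Recursive wget against a responsive server: every SYN is ACKed within 10 ms."""
    return [e for s in range(seconds) for i in range(rate) for e in
            ((s + i / rate, "10.0.0.5", s * rate + i, "S"),
             (s + i / rate + 0.01, "10.0.0.5", s * rate + i, "A"))]

def syn_flood_trace(count=2000, seconds=10):
    """SYNs that never complete a handshake, spread over the first `seconds` seconds."""
    return [(i * seconds / count, "10.0.0.9", i, "S") for i in range(count)]
```

With a threshold of 100, the naive counter flags the crawler at 300 SYN/s while the half-open tracker stays near zero for it and reports a peak of 2000 for the flood.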