Description: this condition may be caused by a variety of reasons and may disrupt one or more services. An abnormal number of connections to a service may occur for different reasons, all of which require a quick response:
- An attack consisting of a very high number of requests from one or more sources, usually directed at a specific service (e.g. a web server).
- An attack consisting of a high number of “half-open connections” (SYN FLOOD), which generally uses spoofed source IP addresses.
- A peak in regular user traffic.
In all cases corrective actions must be taken to resolve the problem, and the first step is to detect the event.
Scenario: An attacker floods a network service exposed on a public network with a so-called SYN FLOOD. Under normal conditions, connections of this type (half-open connections) are relatively few in number; if they exceed a certain limit, an alert should be triggered.
Solution: Define a specific event to intercept this condition, linked to a script deployed on the instance(s) of interest. Define an action so that an alert is generated when the event occurs.
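One way to write the instance-side script the solution refers to, as an added example that is not part of the original page: a POSIX shell script that counts TCP sockets in SYN-RECV state with `ss` (iproute2), breaks them down per local port so the targeted service is visible, and compares the count against a threshold. The threshold value, the constructed sample listing and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own script). Assumes Linux with iproute2 `ss`.
# `ss -Htan state syn-recv` lists only half-open sockets, numeric, no header;
# with a state filter the State column is dropped, so fields are:
#   Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Hypothetical threshold; tune it to the normal SYN-RECV baseline of the service.
SYN_RECV_THRESHOLD=200

# Constructed sample of `ss` output, used so the functions can be exercised offline.
SAMPLE_SS_OUTPUT='0      0      10.0.0.5:80      203.0.113.7:51234
0      0      10.0.0.5:80      203.0.113.8:51235
0      0      10.0.0.5:443     203.0.113.9:51236'

# Count half-open sockets from an `ss` listing given on stdin (one socket per line).
count_half_open() {
    grep -c '[^[:space:]]' || true
}

# Aggregate half-open sockets per local port (field 3 is Local-Address:Port; the port
# is the text after the last ':' so IPv6 addresses are handled too), busiest port first.
half_open_by_port() {
    awk '{ n = split($3, a, ":"); c[a[n]]++ } END { for (p in c) print p, c[p] }' \
        | sort -k2,2nr
}

# Returns 0 when the count is within the threshold, 1 when an alert should be raised.
check_threshold() {
    count="$1"; threshold="$2"
    [ "$count" -gt "$threshold" ] && return 1
    return 0
}

# Live check on the host: print a one-line alert to stderr and exit 1 when the
# threshold is exceeded, so the monitoring event can key off the exit status.
alert_if_flooded() {
    listing=$(ss -Htan state syn-recv 2>/dev/null)
    count=$(printf '%s\n' "$listing" | count_half_open)
    if ! check_threshold "$count" "$SYN_RECV_THRESHOLD"; then
        echo "ALERT: $count half-open connections (threshold $SYN_RECV_THRESHOLD)" >&2
        printf '%s\n' "$listing" | half_open_by_port | head -n 5 >&2
        return 1
    fi
    return 0
}
```

Invoke `alert_if_flooded` from the instance's scheduled check; a non-zero exit is the signal the event definition should map to the alert action.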