{"id":273,"date":"2025-08-24T12:00:25","date_gmt":"2025-08-24T10:00:25","guid":{"rendered":"https:\/\/www.cybersec3.com\/?page_id=273"},"modified":"2025-09-04T02:07:47","modified_gmt":"2025-09-04T00:07:47","slug":"use-case-alert-count-connections","status":"publish","type":"page","link":"https:\/\/www.cybersec3.com\/?page_id=273","title":{"rendered":"Use case: Alert for high number of network connections"},"content":{"rendered":"\n<p><strong>Description<\/strong>: this condition may have a variety of causes and may disrupt one or more services. An abnormal number of connections to a service may happen for different reasons, all of which require a quick response:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An attack consisting of a very high number of requests from one or more sources, usually directed at a specific service (e.g. a web server).<\/li>\n\n\n\n<li>An attack consisting of a high number of &#8220;half-connections&#8221; (SYN FLOOD), which generally uses spoofed source IP addresses.<\/li>\n\n\n\n<li>A peak in regular user traffic.<\/li>\n<\/ul>\n\n\n\n<p>In all cases, corrective action must be taken to avoid the problem, and the first step is to detect the event.<\/p>\n\n\n\n<p><strong>Scenario<\/strong>: An attacker floods a network service exposed on a public network with a so-called SYN FLOOD. Under normal conditions, connections of this type are relatively low in number; if the connections exceed a certain limit, an alert should be triggered.<\/p>\n\n\n\n<p><strong>Solution<\/strong>: Define a specific event, linked to a script deployed on the instance(s) of interest, that detects this condition. Define an action so that an alert is generated when the event occurs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: this condition may have a variety of causes and may disrupt one or more services. 
An abnormal number of connections to a service may happen for different reasons, all of which require a quick response: In all cases corrective actions must be taken to avoid the problem, and the first&#8230;<\/p>\n","protected":false},"author":1,"featured_media":127,"parent":123,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"wp-custom-template-single-use-case","meta":{"footnotes":""},"class_list":["post-273","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/pages\/273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=273"}],"version-history":[{"count":6,"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/pages\/273\/revisions"}],"predecessor-version":[{"id":281,"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/pages\/273\/revisions\/281"}],"up":[{"embeddable":true,"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/pages\/123"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=\/wp\/v2\/media\/127"}],"wp:attachment":[{"href":"https:\/\/www.cybersec3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}