CSS DoS

Is DoS protection a built-in feature of CSS11500?
How to configure DoS and how to block intrusion from the output of show dos ?
Thanks,
tony

DoS is built in to the CSS, there is no configuration for it expect for snmp trap generation for DoS detection. CSS is not a firewall, its DoS detection is limited to obvious things, such as source and destination addresses being the same - land, smurf, half open syn, loopback or broadcast addresses, source address that the box owns etc.

Similar Messages

CSS DoS illegal Src Attack

Hi,
On my CSS 11506, logs are full of these kind of error messages:
"NETMAN-5: Enterprise:DOS Attack:Illegal Src -> 5 times". It also generates a trap every seconds, flooding our syslogd and trapd server.
The first information one would obviously require is which IP address, and on which interface, is causing this error message.
I had a look at the "sh dos" command and I can see the counter for "Illegal Src Attacks" increasing (quite logical), BUT then in the detailed events, I can't see any of these events, I only see few SYN Attacks detailed events.
So does anyone know where I can get the details for these "Illegal Src Attacks" events ?
Many Thanks for any help,
Regards,
Arno

Hi to all,
i desperate need your help.
I got a very similar problem with CSS.
Same DoS attack. (many Syn Attack visible in the "show dos" detailed command and many Src Attack but only in the counters)
The strange thing is that the ip address involved are unicast ip (not multicast).
I've not understand many things.
The first is , what's the reason why CSS see that 10.6.27.133 is an Illegal Src??? (It's in this case the .133 is the ip address of interface 6/9 of CSS)
OS Attack Event 1:
First Attack: 31/08/2010 22:52:24
Last Attack: 31/08/2010 22:52:34
Source Address:             10.6.27.133 Destination Address:         10.6.84.69
Event Type:                 Illegal Src Total Attacks:                        3
Someone can help me to understand?
Below is the "show dos" with one event as an example
Total Attacks: 33170637
SYN Attacks:                 14,843,912 Maximum per second:                 284
LAND Attacks:                         0 Maximum per second:                   0
Zero Port Attacks:                    0 Maximum per second:                   0
Illegal Src Attacks:         18,325,982 Maximum per second:                 224
Illegal Dst Attacks:                743 Maximum per second:                   4
Smurf Attacks:                        0 Maximum per second:                   0
DOS Attack Event 12:
First Attack: 31/08/2010 22:18:34
Last Attack: 31/08/2010 22:31:26
Source Address:             10.6.67.167 Destination Address:     113.213.43.145
Where do you suggest to investigate??
Many thanks,
M.G.

How long CSS blocks flow, from source which detected as source DoS?

My application generates except normal flow, flow which CSS treats as DoS attack. Both flows have the same source.
I am afraid that, CSS can block proper flow.
So, I have question: how long CSS blocks flow, from source which detected as source DoS?
Krzysztof

I am not very sure of the lenghth of time that it blocks the flow from the source, if it is considered as a source of DoS attack, but the workaround would be to bypass the cache for that particular source, since you are already aware that it might cause a problem. You could use a bypass rule to do so. You can also use the flow timeout feature with the flow port[1|2|3|4|5|6|7|8|9|10] timeout command to configure a flow timeout value for a TCP or UDP port. I am not very sure if this feature would help in your situation, bypass seems to be a better option.

Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

Hi ,
Since couple of weeks , i am getting below DOS attack logs on cisco CSS.Can anyone help me out about how can we avoid this? and how to deal with it.
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
Thanks
Manish

Hi Nicolas,
Why i am asking about DOS attack as i am facing some issues for the 2 VIPs configured in cisco CSS 11501.
Can you help me troubleshooting the issue?
I have coming across some Load Balancing issues for the 2 VIPS configured on Cisco CSS11501.
We have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers.Now Client calls to FE VIP and LB forwarding it to server and then FE server calls the BE VIP which goes through the same LB and forward to BE server under the VIP.When we start load test, we have observed after 2 hour test, application team getting HTTP timeout.As this application is used by Call center so getting timeout is bad.
Need to troubleshoot this issue if there is any problem from LB End.
Please find the attached file for VIP configs.

DOS traps from CSS - can we see source IP in trap ?

Hi everyone,
regarding DOS attack traps generated from CSS,
is there way to put more info in the message,
like source IP of attacker that caused the trap ?
I can see some source IPs in "sh dos" output,
but it hard to find the latest events/IP in the output
Currently I am getting just number of SYNs and time stamp in the trap
regards,
Alex

set the flowmgr logging level to debug and you should see something like this in the log :
13 DEC 11:45:43 3/1 18 FLOWMGR-7:
DoS SYN attack: 20.20.20.20:4000->192.168.20.222:81
synCnt: 1, initSeq: 776425626
Gilles.

The meaning of CSS life...

The one good thing: I finished my first fee-for-service CSS website done in Dreamweaver CS5. It is only four pages and is ugly beyong words and displays wildly in various browsers. The customers are naive enough to have settled for it but their check hasn't arrived yet. We shall see.
Now the test...I am a school webmaster and my behemoth, changes every week, 50 page sites are coming due. Oh dear! Just a word to you Adobe folks: You are really nice but you do know, don't you, that educators all over the country have begun cursing you every day since the advent of CS5 that offered us few legacy options? NO ONE in my county school webmaster group can work CSS or CS5. Deciding that this is an undertaking for the young, we convened our brightest tech students, the ones who understand everything. They couldn't work the new CS5/CSS editor either. I've been told that every school in the county has dropped web design from tech classes because of this. Just thought Adobe would like to know. Microsoft Word is the industry standard in its category, just like Dreamweaver. I have a master user's certificate in Word and can make it do great things. But my 75 year-old father can use it straight of the box, too.
Us all being partners in crime and whatnot, I asked repeatedly on this forum for a usable alternative to CS5, which is no longer a viable tool for the "casual user," as one recent poster pointed out. That's okay. I'm happy not to be a pro. But only AFTER my people saw no option other than dropping $800 on the education version of Creative Suite am I told about Adobe Contribute. Can that really simplify web design? Maybe I need to return this spanking new copy of CS5. More information would be helpful. Until I read Nancy's posts earlier, I had never heard of Contribute.
That said, damned straight on learning the only game in town, I still continue to struggle with CS5/CSS and will post my questions....
Question 1 - I uploaded the first five pages of my large site. Four of them did not work.
Please view: http://www.alex.k12.ok.us/pto/ptoindex.html. The content div on this page has suddenly gone black. I have studiously reviewed the code and have no idea what's wrong. I rebuilt the page from template three times with the same result. Funny, Adobe Browser labs shows the site without the black.
Question 2 - Take a look at this page: http://www.alex.k12.ok.us/board/boardindex.html. I have begun finding ways to convince myself that I am working with tabular data in order to justify using a table. CS5 still allows that, you know. The buttons are just harder to get to. At any rate, the sixth paragraph in the table displays centered in a much larger, bolded font. It does not display this way in Firefox. Again, I reviewed the code with a microscope. I can see no difference between this paragraph and others. But there are secrets in this CSS life that I do not understand.
Question 3 - A much more generic question only posed because I am using CS5 to create my pages. I routinely validate my pages using the W3C html and CSS validators. My CSS has validated 100% of the time. The HTML validator, however, returns errors, warnings and weather forecasts (a joke) that I cannot reference in my CS5 code. The line numbers are incorrect and, when I finally find the alleged error, it's NOT THERE. The most common error I get notes that I have failed to close a paragraph thingy. You know....</p>. But when I inspect the code, I find all the necessary structure present. Deciding I wasn't consuming sufficient mind-altering substances, I tried doing more with the same result. What does this mean?
Question 4 - I have enough experience with CSS now to know that inserting text in my template causes huge problems secondary only to inserting images. But i have to have both, and often. Is is best to just drop an image into, say, the content div, or should I put the pic in a div of its own? Most of my pictures have captions, so I am thinking the only way I can make a caption under a photo is to create a div to hold the picture and the caption. Is there some big secret about this as well?
Thanks for your time.

Wow..
And posted 1 hour ago, 9 viewers and no one concurring except me. Well, I have to congratulate you (I think), you're farther along the CSS road than me, and I started in 1995 with MS Frontpage, back around the time Macromedia owned DW. Does anyone remember going to their site/forums?
I know Cascading is the way to go, I just have no clue, and it seems a near code fiasco, but then I don't know anything about coding so it's all alien. If anyone can believe, I'm still laying a page or two out with tables. I just purely don't have the time to learn CSS. But maybe it's not all that difficult? Well, I haven't started it yet to know I suppose, just seems that it is. Now you say a legacy CSS is somehow not supported, seems that would imply all of those methods/tricks would then no longer be applicable? Wow, just makes me think of MS operating systems. I first started with DOS 3.1, then loaded up what was it, 14 or so 1.44 floppy disks when Win95 came around, then there was NT, I actually have the joke Vista64 running on a machine too.
I understand things move on in software, but if my interpretation is that previous CSS is no longer applicable, for us/those where learning any of it is a challenge, can see the futility in it.. For those of you 13, eating Oreos with milk and already making or about to bring in 10K (or 100K+) a year, good for you. I don't see the majority of people being so determined. And as people get older, they have other responsibilities to attend to. Perhaps software is the next frontier as far as personal computing and the Internet are concerned. AI (artificial intelligence) could greatly assist with this, so as hardware (memory) increases in performance, achieving near parity with the CPU getting cored out, and in the not so distant future when we all have little supercomputers as a result, with Berkeley helping to solve the multicore programming/application issue (that MS awarded 20M to solve, for the future of the OS), then we can most likely look forward to having greater assistance with these types of processes.
Coding.. For us that don't devote so much time to it, it is rather limiting (to our agenda). And the thing is, we really would use these programs more if it was easier, I think I speak for many of us. But if the learning curve goes from slope to vertical, or a series of plateaus, it seems nearly insurmountable at times. And then the browser compatibility issue on top of it all.
Wow. I can say I'm back for one last shot at it now, but if I don't get it this time, I'm outsourcing it. It's been nice, but I simply don't have hours to weeks to invest on a few web pages. And to master it all, I simply don't see it happening, I'm realistic about it. And may I add, I'm not one that is confused by the TV remote or a digital watch, I'm actually very technically oriented, extremely - just haven't been that interested in conquering code (obviously no CS degree, but apparently even those students are cutting corners).
I hear you, and at least I, concur.
Lastly, I'd like to add. Recently while at a bookstore, I picked up one of the computer "Web" editing magazines (I'll read nearly anything, except this - knowing..), mostly because I'm back for another swing at the plate, but also because promimently on the cover was something to the effect "so many tricks explained" etc.. I looked at nearly every article, and don't think I could have done one, they even provided a CD, really? It just seems like a puzzle, and the people that write the articles all looked undernourished, just an observation. Is that really what it takes, so much time and devotion? I wonder if one of them actually comes here and would care to comment on the required time investment (we seem to have time-to-complete figures for SATs etc., why not for articles on this subject matter too? I'd like to know what I'm getting into and how long until I'm up to speed, instead of staring into a void, which is what it nearly seems like. I guess I need to have a conversation with an East Indian Java Guru. Has anyone ever heard an EI programmer even say the word "Java", you just know they get it - I'm in Silicon Valley, happens all the time. Also pass by Adobe HQ all the time and before they even had the buildings (cool power wind vanes too btw, interesting little crosswalk between the buildings, always look for someone in there, like a hamster tunnel thing, funny never see anyone, there was relevance to me stating this) {think I need another parenthesis here, see - wouldn't be good at code}, moving/running on.) Oh, and if anyone needs programming answers, at least here anyway, visit a local Mediterranean restaurant with good falafels, easily find a programmer to answer your questions, no joke). I thought, well, it's good they have their email addresses, maybe I'll contact them and contribute to their 100K a year, but then I thought (seriously), could I even copy and paste the code correctly? Wow.. Is there not a better way, I wonder if Ray Kurtzweil could project out when web editing programs (and the Creators) will benefit from the Singularity theory.
(spell checker would be nice here)
Thx

In the spry css menu, how do i know what does what?

I have two questions,
(1) In the spry css menu, is it just a case of trial and error to find out what each one does or is there a recognisable freature of each line to tell me what each one does, there are so many of them and most of them are alike. I cant help thinking there is a simple way of identifying what each one does without having to search around in the dark until i stumble on the right one that dose what i am trying to tweak in the appearance of the menu bar.
(2) When I am inserting the data for each of the navigation links when i first insert the spry menu I.E.... HOME...ABOUT...COURSES....CONTACT and the list items under "COURSES" link successfully to each page when clicked in the browser. When i click the "HOME" button, a drop down menu of the navigation options ( HOME...ABOUT...COURSES...CONTACT) appears under it. How do I eliminate this when i insert the spry menu bar so it does not appear in the browser.

Have a look here http://www.dwcourse.com/dreamweaver/ten-commandments-spry-menubars.php#one
Have proper markup.
Although the above are true answers to your questions, I have reason to believe that it will not satisfy you. Remember that these are user to user forums and that we do not have much time to spare. We can answer most specific questions, but do not have the time to answer generic questions to their fullest extent.
What I am trying to say is, please supply a link to your site with a specific question and we will help where we can.
Gramps

LAYOUT QUESTIONS - CSS ISSUES

I am trying to center the three middle divs (the one with the three tabs and purple text, the one that says rotating images and the black nav - these are 3 separate divs) of the attached page so there is a green border on just the sides with white at the bottom below the footer (and ideally white in the sides of the top blue nav). I tried creating a wrapper, but it dos not cause anything to center. I centered the top blue nav bar with auto margins left and right. Layout/Formatting Questions:
1) How do I center this so there is a green "background" only on eitehr side of this "center" section of the page?
2) how do I ensure the black navigation div Icreated always falls as pictured here and that is rests on topp of the footer, with no green in between? (sometimes it moves to the right of the div above it)
3) How can I right justify just the Email and Facebook icons - I can't get them to move to the right?
Code is pasted below.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>JAHMA New Jersey Affordable Housing Management Association</title>
<style type="text/css">

</style>
<script src="SpryAssets/SpryMenuBar.js" type="text/javascript"></script>
<link href="SpryAssets/SpryMenuBarHorizontal.css" rel="stylesheet" type="text/css" />
<script type="text/javascript">
function MM_preloadImages() { //v3.0
var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
function MM_swapImgRestore() { //v3.0
var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
function MM_findObj(n, d) { //v4.01
var p,i,x; if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
if(!x && d.getElementById) x=d.getElementById(n); return x;
function MM_swapImage() { //v3.0
var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
   if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
</script>
</head>
<body leftmargin="0" topmargin="0" onload="MM_preloadImages('images/news-tab-rollover.jpg','images/jahma-resources-tab-rollo ver.jpg','images/events-tab-rollover.jpg','images/about-rollover.jpg','images/programs-tab -rollover.jpg','images/foundation-tab-rollover.jpg')">
<script type="text/javascript">
// Google Internal Site Search script- By JavaScriptKit.com (http://www.javascriptkit.com)
// For this and over 400+ free scripts, visit JavaScript Kit- http://www.javascriptkit.com/
// This notice must stay intact for use
//Enter domain of site to search.
var domainroot="www.jahma.org.com"
function Gsitesearch(curobj){
curobj.q.value="site:"+domainroot+" "+curobj.qfront.value
</script>
<div id="searchBar">
<form action="http://www.google.com/search" method="get" onSubmit="Gsitesearch(this)">
<input name="q2" type="hidden" />
   <br />
   <input name="qfront" type="text" style="width: 180px" /> <input type="image" class="icon" value="Search" src="images/search.png" align="bottom" />
<br />
<span class="search">SEARCH</span>
</p>
</form>
</div>
<div id="#wrapper">
<div id="header">
<img src="images/jahma-banner.jpg" width="960" height="189" alt="logo" /></div>
<div id="mainNavigation">
    <ul id="MenuBar1" class="MenuBarHorizontal">
      <li><a href="#" class="MenuBarItemSubmenu" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('about','','images/about-rollover.jpg',1)"><img src="images/about.jpg" alt="about JAHMA" name="about" width="210" height="49" border="0" id="about" /></a>
        <ul>
          <li><a href="#" class="MenuBarItemSubmenu">Who We Are</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">What We Do</a></li>
          <li><a href="#" >Joining JAHMA</a>
            <ul>
              <li><a href="#" class="MenuBarItemSubmenu">Membership</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Application</a></li>
            </ul>
          </li>
          <li><a href="#" class="MenuBarItemSubmenu">JAHMA Members</a>
            <ul>
              <li><a href="#" class="MenuBarItemSubmenu">Regular Members</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Associate Members</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Affiliate Members</a></li>
            </ul>
          </li>
          <li><a href="#" class="MenuBarItemSubmenu">Board of Directors and Committees</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">JAHMA Administration & Contact Info</a></li>
        </ul>
      </li>
      <li><a href="#" class="MenuBarItemSubmenu" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('programs','','images/programs-tab-rollover.jpg',1)"><img src="images/programs-tab.jpg" alt="JAHMA programs" name="programs" width="210" height="49" border="0" id="progams" /></a>
        <ul>
          <li><a href="#" class="MenuBarItemSubmenu">Events & Training</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">Poster/Calendar Contest</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">Publications and Ad Rates</a>
            <ul>
<li><a href="#" class="MenuBarItemSubmenu">JAHMA Talk</a></li>
<li><a href="#" class="MenuBarItemSubmenu">Membership Directory</a></li>
<li><a href="#" class="MenuBarItemSubmenu">Ad Order Form</a></li>
            </ul>
          </li>
          <li><a href="#" class="MenuBarItemSubmenu">Job Opportunities</a>
            <ul>
              <li><a href="#"class="MenuBarItemSubmenu">Post a Job</a></li>
              <li><a href="#"class="MenuBarItemSubmenu">Available Jobs</a></li>
              <li><a href="#"class="MenuBarItemSubmenu">NAHMA's Career Center</a></li>
              <li><a href="#"class="MenuBarItemSubmenu">USA jobs.gov</a></li>
            </ul>
          </li>
        </ul>
      </li>
      <li><a href="#" class="MenuBarItemSubmenu" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('foundation','','images/foundation-tab-rollover.jpg',1)"><img src="images/foundation-tab.jpg" alt="JAHMA foundation" name="foundation" width="210" height="49" border="0" id="foundation" /></a>
        <ul>
          <li><a href="#" class="MenuBarItemSubmenu">What the Foundation is</a>        </li>
          <li><a href="#" class="MenuBarItemSubmenu">The Scholarship Program</a>
            <ul>
              <li><a href="#" class="MenuBarItemSubmenu">Scholarship Application</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Past Scholarship Recipients</a></li>
            </ul>
          </li>
          <li><a href="#" class="MenuBarItemSubmenu">Golf Outing Fundraiser</a>
            <ul>
              <li><a href="#" class="MenuBarItemSubmenu">List of Supporters</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Golf Outing Sign-Up Sheet</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Make a Contribution</a></li>
            </ul>
          </li>
          <li><a href="#" class="MenuBarItemSubmenu">In Time of Need</a></li>
        </ul>
      </li>
      <li><a href="#" class="MenuBarItemSubmenu" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('contact', '','images/contact-tab-rollover.jpg',1)"><img src="images/contact-tab.jpg" alt="contacts" name="contacts" width="210" height="49" border="0" id="contacts" /></a>
        <ul>
          <li><a href="#" class="MenuBarItemSubmenu">JAHMA Administration & Contact Info</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">NAHMA</a>
            <ul>
              <li><a href="#" class="MenuBarItemSubmenu">Communities of Quality Program</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Credentials</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">NAHMA Education and Training</a></li>
            </ul>
          </li>
          <li><a href="#" class="MenuBarItemSubmenu">PennDel AHMA</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">Industry/Realtors Associations</a></li>
          <li><a href="#" class="MenuBarItemSubmenu">Government Agencies</a>
            <ul>
              <li><a href="#" class="MenuBarItemSubmenu">NJ Agencies</a></li>
              <li><a href="#" class="MenuBarItemSubmenu">Federal</a></li>
            </ul>
          </li>
        </ul>
      </li>
    </ul>
</div>
<div id="mainContent"><a href="#" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('events','','images/events-tab-rollover.jpg',1)"><img src="images/events-tab.jpg" alt="events" name="events" width="150" height="53" border="0" id="events" /></a><a href="#" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('news','','images/news-tab-rollover.jpg',1)"><img src="images/news-tab.jpg" alt="news" name="news" width="150" height="53" border="0" id="news" /></a><a href="#" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('resources','','images/jahma-resources-tab-rollover.jpg',1)"><i mg src="images/jahma-resources-tab.jpg" alt="resources" name="resources" width="150" height="53" border="0" id="resources" /></a>
    <h1>September 22-23, 2011</h1>
    <h2><img src="images/register-button.jpg" alt="register button" width="100" height="102" class="floatRight" /> NAHMA's TAX CREDIT TRAINING & SHCM™ EXAM</h2>
    <p>sponsored by PennDel AHMA & JAHMA Hotel ML formerly Mt. Laurel Marriott<br />
      Mt. Laurel, NJ<br />
      More Information </p>
    <div id="registerButton"></div>
    <h1>September 27, 2011</h1>
    <img src="images/register-button.jpg" alt="register button" width="100" height="102" class="floatRight" />
    <h2>MAINTENANCE TECHNICIAN'S WORKSHOP: PART II REAC ON-SITE WORKSHOP</h2>
    <p>Gloucester Towne, Gloucester, NJ<br />
      More Information</p>
    <p> </p>
</div>
<div id="rightSidebar">
    <p>Rotating images here</p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    <p> </p>
    </div>
<div id="memberNav">
    <ul>
      <li><a href="#" >Regular<br />
      Members</a></li>
      <li><a href="#" >Associate<br />
      Members</a></li>
      <li><a href="#" >Affiliate<br />
      Members</a></li>
      </ul>
</div>
<div id="footer">
    <p> <img src="images/JAHMA-footer-logo.jpg" width="100" alt="logo" />P.O. Box 4 • Riverton, NJ 0807 • 856-786-9590 • Fax 856-786-6265<img src="images/email.png" alt="email" width="32" height="42" class="icon" />
    <img src="images/facebook.png" alt="facebook" width="42" height="42" class="icon" /></p>
</div>
</div>
<p> </p>
<script type="text/javascript">
var MenuBar1 = new Spry.Widget.MenuBar("MenuBar1", {imgDown:"SpryAssets/SpryMenuBarDownHover.gif", imgRight:"SpryAssets/SpryMenuBarRightHover.gif"});
</script>
</body>
</html>

To centre the 3 divs under the navigation you'll need to first delete the left margin of 100px set on the 'mainContent' <div> css.
Then you'll need to wrap all three <divs> in another <div></div> and set its width to the same width as the navigation <div> - 860px and use margin: 0 auto; on the wrapper <div>. Then you can adjust the widths of the 3 <divs> inside it.
Trying to get a web page that balances up with equal length columns is a pointless exercise. You need to design taking into account that the web is not a 'fixed' medium such as a desk top publishing package. There may be some javascript methods which you might be able to resort to such as 'equal length columns' over at the Project Seven website (that's if they have that extention still available for download. I don't know have'nt been there for a while)
Wrap your address in its own <div> and float it left and then wrap your icons in their own <div> and float them right (inline css stylng is shown below)
<div style="float: left; width: 400px;"> <img src="images/JAHMA-footer-logo.jpg" width="100" alt="logo" />P.O. Box 4 • Riverton, NJ 0807 • 856-786-9590 • Fax 856-786-6265</div>
    <div style="float: right; width: 200px;"><img src="images/email.png" alt="email" width="32" height="42" class="icon" />
    <img src="images/facebook.png" alt="facebook" width="42" height="42" class="icon" /></div>

General query on CSM and CSS flow timeout values

Hi all,
i have a SLB Application Processor Complex module on my Cisco 6504 which basically does some load balancing work. I am pretty new to this device but the configurations and setup looks somewhat similar to the Cisco ACE but i only have some experience with the Cisco CSS.
What i would like to know is what the equivalent command to the CSS "flow timeout" is on the CSM. Would that be the "idle timeout" command? I understand that the "pending timeout" is more to governing how long it takes to setup a 3 way handshake from client to server and the "idle timeout" is what i am looking for. Please correct me if i am wrong...
On the CSS, a flow timeout is on 16secs for most standard ports and 8 secs for HTTP. I would like to know what the default setting is for the CSM idle timeout?? Thanks alot!!
Daniel

Hi Daniel,
For Idle Timeout the the default is 1 hour/ 3600 sec.
As you know for Cicso CSM thare are 2 timers per vserver.
Idle timeout
Pending timeout.
If a connection is timed out it's because of one of these timers.
Idle timeout per vserver - If there is no traffic neither from client nor server. Idle connection timer duration in seconds; the range is from 0 (connection remains open indefinitely) to 13500000. The default is 1 hour. If you do not specify a duration value, the default value is applied.
Examples
This example shows how to specify an idle timer duration of 4000:
Cat6k-2(config-slb-vserver)# idle 4000
Pending timeout per vserver - is the max time allowed to complete the 3-way handshake.The default is 30 sec.Range is from 1 to 65535. This is a SLB virtual server configuration submode command. The pending connection timeout sets the response time for terminating connections if a switch becomes flooded with traffic. If the 3-way handshake does not complete within this time, the connection is dropped.
The CSM expect to see 2-way traffic within the pending timeout. If no traffic is received from the server, the session is removed.
Examples
This example shows how to set the number to wait for a connection to be made to the server:
Cat6k-2(config-slb-vserver)# pending 300
These are not counted as failures.
A failure is when the server does not respond or respond with a reset.
The CSM can hold 1 million connections in memory at the max.
So, if you set the idle timeout to 10 hours, your max connection rate is 1 M / 10 * 3600 = ~250 conn/sec.
Assuming they would all be open and then idle.
When the number of pending connections exceeds a configurable threshold, the CSM begins using the SYN cookies feature, encrypting all of the connection state information in the sequence numbers that it generates. This action prevents the CSM from consuming any flow state for pending (not fully established) TCP connections. This behavior is fully implemented in hardware and provides a good protection against SYN attacks.
Generic TCP termination
Some connections may not require TCP termination for Layer 7 load balancing. You can configure any virtual server to terminate all incoming TCP connections before load balancing those connections to the real servers. This configuration allows you to take advantage of all the CSM DoS features located in Layer 4 load-balancing environments.
To select the traffic type and appropriate timeout value, use the unidirectional command in the SLB virtual server submode.
[no | default] unidirectional
some protocol automatically set the 'unidirectional' function.
For example : UDP.
You can see if a vserver is unidirectional or bidirectional by doing a 'sho mod csm X vser name detail'
When a virtual server is configured as unidirectional, it no longer uses the pending timer. Instead, the idle timer will determine when to close idle or errant flows. Because the idle timer has a much longer default duration than the pending timer, be sure to set the idle timer to an appropriate value.
Use the command "show module csm slot# stats" to get the details of connection.
The statistics counters are 32-bit. Totals are accumulated since the last time the counters were cleared.
Examples
This example shows how to display SLB statistics:
Cat6k-2# show module csm 4 stats
Connections Created:       180
Connections Destroyed:     180
Connections Current:       0
Connections Timed-Out:     0
Connections Failed:        0
Server initiated Connections:
      Created:0, Current:0, Failed:0
L4 Load-Balanced Decisions:180
L4 Rejected Connections:   0
L7 Load-Balanced Decisions:0
L7 Rejected Connections:
      Total:0, Parser:0,
      Reached max parse len:0, Cookie out of mem:0,
      Cfg version mismatch:0, Bad SSL2 format:0
L4/L7 Rejected Connections:
      No policy:0, No policy match 0,
      No real:0, ACL denied 0,
      Server initiated:0
Checksum Failures: IP:0, TCP:0
Redirect Connections:0, Redirect Dropped:0
FTP Connections:           0
MAC Frames:
      Tx:Unicast:1506, Multicast:0, Broadcast:50898,
          Underflow Errors:0
      Rx:Unicast:2385, Multicast:6148349, Broadcast:53916,
          Overflow Errors:0, CRC Errors:0
Table mentioned below describes the fields in the display.
Table for "show module csm stats" Command Field Information
Field
Description
Connections Created
Number of connections that have been created on the CSM.
Connections Destroyed
Number of connections that have been destroyed on the CSM.
Connections Current
Number of current connections at the time the command was issued.
Connections Timed-Out
Number of connections that have timed out, which can occur for the following reasons:
•connection has been idle (in one or both directions) for longer than the configured idle timeout.
•TCP connection setup not completed successfully.
Connections Failed
Number of connections failed because the server did not respond within the timeout period, or the server replied with a reset.
Server initiated Connections
Number of connections created by real servers, the number of current connections, and the number of connections that failed (because the destination is unreachable).
L4 Load-Balanced Decisions
Number of Layer 4 load-balancing decisions attempted.
L4 Rejected Connections
Number of Layer 4 connections rejected because no real server was available
L7 Load-Balanced Decisions
Number of Layer 7 load-balancing decisions attempted.
L7 Rejected Connections: Total
Number of Layer 7 connections rejected.
L7 Rejected Connections: Parser
Number of Layer 7 connections rejected because the Layer 7 processor in the CSM ran out of session buffers to save the parsing state for multi-packet HTTP headers. The show module csm tech-support proc 3 command will show detailed buffer usage.
L7 Rejected Connections: Reached max parse len
Number of Layer 7 connections rejected because the HTTP header in the packet is longer than max-parse-len. When a virtual server is configured with HTTP persistent rebalancing or cookie matching/sticky, the CSM must parse to the end of HTTP header. The default max-parse-len value is 2000 bytes.
L7 Rejected Connections: Cookie out of mem:
Number of Layer 7 connections rejected because of no memory to store cookies. When a virtual server is configured with cookie matching, the CSM must save the cookie contents in memory.
L7 Rejected Connections: Cfg version mismatch
Number of Layer 7 connections rejected because part of the request was processed with an older version of the configuration. This counter should only increase after configuration changes.
L7 Rejected Connections: Bad SSL2 format:
Number of Layer 7 connections rejected because the request is using an unsupported SSL format or the format is not valid SSL.
L4/L7 Rejected Connections
Number of Layer 4 and Layer 7 connections rejected for policy related reasons:
No policy: connection rejected because the request matched a virtual server, but this virtual server did not have a policy configured.
No policy match: connection rejected because the request matched a virtual server, but the request did not match any policy configured on the virtual server.
No real: connection rejected because no real server was available to service the request
ACL denied: connection rejected because a request matched a policy with a client-access-list entry and the entry is configured to deny the request.
Server Initiated: connection initiated by a real server is rejected.
Checksum Failures
Number of checksum failures detected (there are separate counters for IP and TCP failures).
Redirect Connections
Number of connections redirected, and the number of redirect connections dropped.
FTP Connections
Number of FTP connections opened.
MAC Frames
Number of MAC frames received and transmitted on the CSM backplane connection.
For getting details on all of these commands kindy refer Catalyst 6500 Series Switch Content Switching Module Command Reference, 4.2 URL mentioned below:
http://cisco.biz/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/command/reference/cmdrfIX.html
Kindly Rate.
HTH
Sachin Garg

MDM 9.3 and CSS authentication

Hello All,
I installed MDM 9.3 selecting the MIX authentication option and everything works fine when I'm using internal authentication, I need to enable CSS authentication and this is what I did:
-Install Shared services 9.2 where the MDM server is running
-Update the system path and class path in the CSS section of the MDM console pointing to the right path
-Restart the server
Click on enable CSS, when I do this I'm getting this error:
LoadLibrary("E:\Hyperion\master Data Management\mdm_ntier_css_validator.dll") failed, the specified mudule could'n t be found.
I see the same error when I'm manually trying to register the specific dll doing this on a DOS command prompt window :
regsvr32 mdm_ntier_css_validator.dll
Any ideas?, any help would be really appreciated
Regards
Miguel Sanchez

Alan,
Thanks a lot for your reply, it was very helpful, I successfuly could register the mdm_ntier_css_validator.dll following your recommendations about paths and the %PATH% env variable, however when I'm trying to enable the CSS module on MDM I'm getting this error:
Exception Emdm_Exception with message 'Could not Initialize CSS. Error: 'com/hyperion/mdm/CSSInit (Unsupported major.minor version 49.0)'. Classpath: 'E:\Hyperion\Master Data Management\cssvalidator.jar;E:\Hyperion\common\CSS\9.2.0\lib\css-9_2_0.jar;E:\Hyperion\common\CSS\9.2.0\lib\ldapbp.jar;E:\Hyperion\SharedServices\9.2\client\lib\commons-httpclient.jar;E:\Hyperion\SharedServices\9.2\client\lib\commons-logging.jar;E:\Hyperion\common\XML\JAXM\1.1.1\dom4j.jar;E:\Hyperion\common\XML\JAXP\1.2.2\dom.jar;E:\Hyperion\SharedServices\9.2\client\lib\interop-common.jar;E:\Hyperion\SharedServices\9.2\client\lib\interop-sdk.jar;E:\Hyperion\SharedServices\9.2\client\lib\jakarta-slide-webdavlib.jar;E:\Hyperion\common\XML\JAXM\1.1.1\jaxm-api.jar;E:\Hyperion\common\XML\JAXM\1.1.1\jaxm-runtime.jar;E:\Hyperion\common\XML\JDOM\0.8.0\jdom.jar;E:\Hyperion\common\loggers\Log4j\1.2.8\lib\log4j-1.2.8.jar;E:\Hyperion\common\XML\JAXM\1.1.1\saaj-api.jar;E:\Hyperion\common\XML\JAXM\1.1.1\saaj-ri.jar;E:\Hyperion\common\XML\JAXP\1.2.2\sax.jar;E:\Hyperion\common\XML\JAXP\1.2.2\xalan.jar;E:\Hyperion\common\XML\JAXP\1.2.2\xercesImpl.jar;E:\Hyperion\common\XML\JAXP\1.2.2\xsltc.jar;E:\Hyperion\common\JCE\1.2.2\jce1_2_2.jar;E:\Hyperion\common\JRE\Sun\1.4.2\lib\jsse.jar;E:\Hyperion\common\JCE\1.2.2\local_policy.jar;E:\Hyperion\common\JCE\1.2.2\sunjce_provider.jar;E:\Hyperion\common\JCE\1.2.2\US_export_policy.jar;''
Is this error related to the .jar file replacement you are talking about?, if so, how can I get that file and the configuration instructions?
Thanks in advance
Miguel

Disable/Change DoS Settings

I was wondering if it would be possible to disable or change the DoS settings on the CSS. At the moment, it is flagging valid hosts for a SYN attack and I'd like to either change the definition of "SYN attack" to a higher count than 10 packets or disable that feature alltogether. Any help would be greatly appreciated. Thanks.

Thanks for the response Gilles.
We've been looking at this and have started to zero in on the cause of the incomplete handshakes.
The issue we see now is that in our environment, there is no way to completely eliminate incomplete handshakes. Our hosts are connected over a private satellite network which is obviously sensitive to atmospheric attenuation. This being the case, there will always be the opportunity to have incomplete handshakes and the hosts will then be flagged for a SYN attack.
Here's some background on the issue. The sites that are on the CSS SYN Attack List either have been connected or will end up connecting after subsequent attempts. All of the sites have been connected and transacting with our server at one time or another so the routes are intact.
One of our technical requirements is that when a site connects, it needs to stay on the particular port and server for at least 24 hours. Any jumping from port to port is unacceptable which is exactly what we've seen from sites that have been flagged for SYN attacks.
I have a couple questions. First, how exactly does the CSS treat a host that has been flagged for a SYN attack? From what we've experienced, it seems that it reclaims all resources allocated for the site (FCBs) as well as removing it from the sticky table. If this is the case, is there any way to get the CSS to not drop the site from the sticky table so that it doesn't have the opportunity to connect to a different port/server on subsequent connection attemps?
Thanks in advance for any information.

CSS false syn attack behavior

Hi all,
We are having an issue with our CSS11501,version sg0810106.
our web app is using alot of web requests (up to one every 15 seconds )
for some reason occasionally our session is being dropped, and we can't connect for few minutes.
i just found out that the source ip address of the client is showed as a source for "syn attack" when i issue "show dos".
does the CSS block my legitimate traffic as suspected syn attack?
if so how can i work around it?
why does it pick it as syn attack how can i improve its false detection?
Can anyone help me with this?
thanks,
Lior

Thanks Gilles,
Indeed the CSS doesn't block anything (I wish it would have been more explicit in the documents, except writing that the dos feature cannot be disabled).
However It was a problem that caused by the CSS and I write this here just in case someone else will encounter the same.
I use CSS for many years now, but this is the first time that i used it on a very connection intensive application and in such an envirounment, and this is why the issue became a visible problem.
CSS and ASA was connected on the same network, with the CSS interface configured as a default gateway on the hosts.
However the CSS sends ICMP redirects packets to the hosts injecting a "better" route to different external IP addresses using the ASA interface IP address. That cause connections from different IP addresses to be blocked for a period of 10 minutes (default time that an ICMP redirect injected route will stay in the routing table of windows server2003) because the routing table on the host has a "better" route which is not the CSS's interface.
Together with the fact that I was using sticky session content rule based on sticky-srcip, that caused an outage for 10 minutes for different IP addresses on a regular basis.
I have sorted it out by disabling icmp Redirect on the windows hosts registry:
"\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
change EnableICMPRedirect to "0" by default its "1"
reboot the hosts, and you will see an immediate drop in syn attack indications on the CSS, hinting that the problem has been solved.
I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did that for me.
Thanks again gilles for your enlightment
Regards,
Lior

DOS Attack Behavior and CSS11506

Some Security Guy decided this morning to make a full scan for any exploits using Nessus the *NIX tool.
After he reached our two CSS11506 the both deny http, ftp or ssh sessions. The Content Redirection is still working allthough some user report it being slower than usual. Using the serial console connection i can still access the CLI.
Q: Is the behavior of not accesible services like ftp,ssh,http,etc. the cause of an successful exploit or is this a "shutdown" by design.
If this is a design behavior, can i resume the previous behavior with a command in config or priviledged mode? My current option is only a restart of both CSS.
Log from today:
MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from <Source IP>
MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1496 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/
1.0
MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-Nes
susSSH_1.0
MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
MAY 3 11:09:22 1/1 1510 NETMAN-4: Did not receive identification string from <Source IP>
MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from <Source IP>

Too bad regarding the design issue, that means i have to restart both CSS.
When i last checked the VIP Adresses and show summary everything was looking normal. The two css are still running with bugged ssh/http service but content redirection is still working fine. That is at least the most important thing about it.
The "attack" was only this morning so everything is okay by now. But before rebooting the machines i wanted to verify if this was on purpose or like it seems to be an DOS Exploit in some way.
Regarding the Update i will check that out tomorrow. If you would like some special information for debugging purpose just let me know before i will restart the machines.
Thanks for the Feedback,
Roble

CSS to XSS Conversion Utility

Dose anyone know where I can find a utility which converts .css files to .xss format?
Thanks

I don't know of such a utility - the UIX team does not have one. However, you are not necessarily required to convert your CSS documents to XSS. If you just want to include some CSS styles in a uiXML page, you can do so by explicitly using the HTML link element, eg:
<document xmlns="http://xmlns.oracle.com/uix/ui"
          xmlns:html="http://www.w3.org/TR/REC-html40">
<metaContainer>
   <head>
   <contents>
     
     <html:link rel="stylesheet" type="text/css" href="/context-root/foo.css"/>
   </contents>
   </head>
</metaContainer>
<contents>

</contents>
</document>Andy

CSS Connection Reset

Hi all,
Is there any timeout, in content's, service, whereelse, wich by default is 20 seconds?
I have tried to change the "flow-timeout-multiplier" command to Zero.
I've been made load-charge tests using some scripts, and im always getting "connection reset" after 20 seconds.
I've have done the same test without the CSS, directly to one aplication server, and this is not appearing.
I'm counting with ur knowledge to give me some ideas on this.
Best Regards,
Bruno PetrÃ³nio

Hi all,
Thanks for ur reply, which give me some ideias where to look.
The 20 seconds issue disappear, and now i have the following scenario:
NET_Client_Side --- CSS --- NET_Server_Side
10.1.2.128 / 25 --- CSS --- 10.1.1.0 / 24
The following description is only seen in a Testing Load Charge environment, wich is made by 5 PC's , in the Client Side Network, and 2 Apache Servers in the Server Side Network.
I had compression and was using ArrowPoint Cookie's, to stuck the sessions in the browsers.
One of the testing PC's is sending information to another 4 PC's, making them to start sessions to an url, simulating the browsing page, from the user authentication to the DataBase writing, and then exiting the session.
They use some random algorithm to make more real the browsing, making some sleep functions simulating the normal delay user typing/browsing.
This was working fine, when they was trying 1 user at a time. No errors was ocurred.
But then, they try to perform about 225 sessions by PC, which means 900 users at the same time.
The script works fine for some time, and then we see, that the number os sessions is decreasing in time.
I will attach the configuration i have in the CSS, and some logs in the apache server, and on the script.
I could not correlate them in time, since they move forward the tests with out the Load Balancer, wich works fine. Unfortunatly for me.. :(
So, i suppose something is happening here, but no DOS Vip/Service ip's was seen in the "show dos" command neither "show log sys.log"
Just another question, i was searching for Product limitation by hardware specifications, and could not find it, beside i was that feeling i had see some time ago a table with that type of information in cisco site.
Best Regards,
Bruno PetrÃ³nio

CSS DoS

Similar Messages

Maybe you are looking for