CSS false SYN attack behavior

Hi all,
We are having an issue with our CSS11501, version sg0810106.
Our web app is using a lot of web requests (up to one every 15 seconds).
For some reason, occasionally our session is dropped, and we can't connect for a few minutes.
I just found out that the source IP address of the client is shown as a source for "SYN attack" when I issue "show dos".
Does the CSS block my legitimate traffic as a suspected SYN attack?
If so, how can I work around it?
Why does it pick it up as a SYN attack, and how can I improve its false detection?
Can anyone help me with this?
Thanks,
Lior

Thanks Gilles,
Indeed the CSS doesn't block anything (I wish the documents had been more explicit about it, beyond writing that the DoS feature cannot be disabled).
However, it was a problem caused by the CSS, and I write this here just in case someone else encounters the same.
I have used the CSS for many years now, but this is the first time I used it on a very connection-intensive application in such an environment, and this is why the issue became a visible problem.
The CSS and the ASA were connected on the same network, with the CSS interface configured as the default gateway on the hosts.
However, the CSS sends ICMP redirect packets to the hosts, injecting a "better" route to different external IP addresses via the ASA interface IP address. That causes connections from different IP addresses to be blocked for a period of 10 minutes (the default time that a route injected by an ICMP redirect stays in the routing table of Windows Server 2003), because the routing table on the host has a "better" route which is not the CSS's interface.
Together with the fact that I was using a sticky session content rule based on sticky-srcip, that caused an outage of 10 minutes for different IP addresses on a regular basis.
I sorted it out by disabling ICMP redirects in the Windows hosts' registry:
"\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
Change EnableICMPRedirect to "0" (by default it is "1").
Reboot the hosts, and you will see an immediate drop in SYN attack indications on the CSS, hinting that the problem has been solved.
I read somewhere that there's an option to disable ICMP redirect packets on the CSS as well, but the other trick did it for me.
Thanks again Gilles for your enlightenment.
Regards,
Lior

Similar Messages

  • CSS 11050 SYN Attacks and auto-reboot

    Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!

    First, you should definitely upgrade.
    5.0(2) is VERY VERY OLD.
    Next, a box never reloads by itself on purpose or because it reached a certain threshold.
    If there is an auto-reboot, this means the box crashed, and this is not normal.
    Gilles.

  • CSS wrongly reports SYN attacks

    Hi all,
    in our environment we have a CSS 11800 which is connected to 3 servers which are all running the same
    services. Every night there is a log rotation and therefore the services are taken down one by one.
    The CSS forwards traffic to the service even if it's down.
    From the time the service is down I can always see a huge amount of SYN attacks reported in the traplog.
    The reason for this is that the server sends a RST for every SYN request (which is normal as the port
    is down).
    We are running on SW version 5.00 build 63.
    Can you tell me how long it takes until the CSS detects the service as down, and if there is a newer release which maybe detects a RST as a valid response to a SYN and therefore doesn't report a SYN attack?

    I don't see why you do not shut down the service manually during maintenance?
    Regarding how fast the CSS detects a service down, it depends on the sort of keepalive you have configured.
    If you are using an ICMP keepalive, the CSS may still believe the service is active if it continues to respond to ping.
    Again, the fastest way for the CSS to detect a service down is to configure it to be down.
    No release will accept the RST.
    It is your job to make sure the CSS does not forward traffic to a service that is down.
    Gilles.

  • Forefront TMG detected a possible SYN attack and will protect the network accordingly

    Hi, sometimes the internet is not working here for users going through TMG 2010, but internet from the local host is working. Then I have to restart the
    Microsoft Forefront TMG Control service with its related services, and then users can access the internet through TMG again.
    I checked the Event Viewer on the server. It shows the error log below.
    Forefront TMG detected a possible SYN attack and will protect the network accordingly
    What should I do about this?
    Regards, COMDINI

    Hello,
    An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
    Please enable logging to identify these hosts and then check if they are infected by viruses or malware.
    Please see the value of the number of Maximum half-open TCP connections in the Flood Mitigation settings for more information.
    Once your problem is solved, you should see the message "Forefront TMG is no longer experiencing a SYN attack."

  • Duplicate SYN attacks from Outside to Outside

    Hi Everyone,
    We have an FTP server that sits in our DMZ. This server has a DMZ interface and an external interface. When trying to access the server from the internet on its external address I am getting a lot of Duplicate SYN attacks. They all seem to be coming from the same source and port to the same destination and port.
    As part of the testing I first took out any references to the FTP server in my access rules on the ASA. I then tried to FTP to the server from an outside internet connection and, as expected, got the following in the log:
    Severity 4, Mar 01 2013 10:23:18, source 194.80.130.xx port 46867, destination 78.24.112.XX port 21:
    Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
    I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one). When I then try to FTP to the server I get lots of SYN attacks which say the following:
    Severity 4, Mar 01 2013 10:27:29, source 194.80.130.XX port 46973, destination 78.24.112.XX port 21:
    Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
    I am not sure why I am getting duplicate SYN attacks. I have similar servers in the DMZ that do the same thing and they seem to be working fine. I am pretty sure this is not actually a DoS attack. I have also spoken to the team who manage the server and they have confirmed that the external IP is set up correctly on the server (it's not that the external IP does not exist and just loops).
    There is also NAT'ing set up on the ASA that NATs the DMZ IP to the external IP and vice versa.
    I have also noticed that whenever I create a new rule on the outside interface on my ASA it automatically adds the same description from another rule on the outside interface. What does this mean? Why could it be copying a description from another rule?
    Your advice would be much appreciated.

    Output from packet-tracer to outside address 78.24.112.xx:
    It seems as though the NAT to the DMZ address is just not working. I have set up a NAT rule "before network object NAT" and also set a simple object NAT, but I am still getting the error.
    Phase: 1
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
    object-group service DM_INLINE_SERVICE_7
    service-object tcp destination eq ssh
    service-object ip
    service-object tcp destination eq ftp
    Additional Information:
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:
    Phase: 4
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 26135657, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    Action: allow

  • Protected servers under syn attack!!

    The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.
    In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
    I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
    Regards

    Hi,
    below is the output of the "sh threat-detection rate" command. Can anyone explain to me the vulnerabilities and risks by looking at the figures below? Thanks
                              Average(eps)    Current(eps) Trigger      Total events
      10-min ACL  drop:                  1               0       0               672
      1-hour ACL  drop:                  1               0       0              4654
      10-min SYN attck:                  0               0       0               386
      1-hour SYN attck:                  0               0       0              3428
      10-min  Scanning:                  2               1   55503              1248
      1-hour  Scanning:                  2               2   18455              9177
      10-min Bad  pkts:                  0               0       0               184
      1-hour Bad  pkts:                  0               0       0              1089
      10-min  Firewall:                  1               0       0               862
      1-hour  Firewall:                  1               1       0              5749
      10-min DoS attck:                  0               0       0                 6
      1-hour DoS attck:                  0               0       0                 6
      10-min Interface:                  1               0       0              1034
      1-hour Interface:                  1               1       0              6616
    regards,
    AAMIR

  • ASA5505, SYN attack, ISP and IPS module

    Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
    I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
    So I have two questions:
    1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
    2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
    Any and all advice is welcome.
    Thanks,
    Diego

    Hi Diego,
    As Julio mentioned, the info has to be there. Do you have the 'show xlate' from when the issue was seen? In such cases, along with the xlate table, you can check connections for hosts making an unusual number of connections (show connection count / show connection all). Here are a few useful commands in such scenarios:
    show local-host connection udp 100-10000          << Gives hosts with total UDP connections b/w 100-1000
    show local-host connection tcp 100-10000          << Same info for hosts making TCP connections
    show local-host connection embryonic 100-10000    << hosts with 100-1000 embryonic connections
    Change the range as per need.
    Sourav

  • SNMP - Scan and Syn Attack OIDs

    Hello support community,
    I'm looking for SNMP OIDs for scan and SYN attack; I'm trying to build a graph with Cacti that would represent a history of DoS and scan attacks. I have looked at the MIB and I don't see anything jumping out at me about these OIDs. Can you please help me find these?
    Thanks,
    Delmiro

    I opened a case with TAC, and they stated that these OIDs are not supported. I thought I would post my findings here in case anyone else was looking for them.

  • SYN attack

    Hi All,
    I have a router whose inside interface is connected to a firewall.
    Last week I had an attack on one of my internal servers and I also lost connectivity to the inside interface of the firewall.
    But today suddenly the internet was down; when checked, the link was up but I was also not able to ping the router interface.
    When checked in the firewall there was a log indicating a SYN attack, but the source and destination IP were not mentioned.
    Can anybody suggest?

    Prevent the attack itself?
    No.
    Mitigate the impact on services?
    To some extent yes; read the link below.
    The aggressor can always oversaturate your internet link.
    It is just a numbers game: a SYN packet has size X, your link has size Y and can traverse Z packets per second.
    Then the aggressor just needs to send enough SYN packets through to eat up the resources of Y or Z, whichever comes first.
    However, that is not the normal way of using SYN attacks, since there are faster ways to oversaturate the link.
    The normal way of using SYN attacks is to steal resources away from the server that is under attack by not establishing a full TCP connection.
    This is mitigated in the firewall, which sits in between the aggressor and the server, answers the SYN packets and only lets through the ones that are legit.
    http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
    Good luck
    HTH

  • DOS Attack Behavior and CSS11506

    Some security guy decided this morning to make a full scan for any exploits using Nessus, the *NIX tool.
    After he reached our two CSS11506, they both deny HTTP, FTP or SSH sessions. The content redirection is still working, although some users report it being slower than usual. Using the serial console connection I can still access the CLI.
    Q: Is the behavior of services like FTP, SSH, HTTP, etc. not being accessible the result of a successful exploit, or is this a "shutdown" by design?
    If this is design behavior, can I resume the previous behavior with a command in config or privileged mode? My current only option is a restart of both CSS.
    Log from today:
    MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from <Source IP>
    MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
    MAY 3 11:05:51 1/1 1496 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
    MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/1.0
    MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-NessusSSH_1.0
    MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
    MAY 3 11:09:22 1/1 1510 NETMAN-4: Did not receive identification string from <Source IP>
    MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
    MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
    MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from <Source IP>

    Too bad regarding the design issue; that means I have to restart both CSS.
    When I last checked the VIP addresses and show summary, everything was looking normal. The two CSS are still running with the bugged SSH/HTTP service, but content redirection is still working fine. That is at least the most important thing about it.
    The "attack" was only this morning, so everything is okay by now. But before rebooting the machines I wanted to verify if this was on purpose or, as it seems to be, a DoS exploit of some kind.
    Regarding the update, I will check that out tomorrow. If you would like some special information for debugging purposes, just let me know before I restart the machines.
    Thanks for the feedback,
    Roble

  • CSS 11052 - syn & synack

    I have 2 CSS 11052 doing server load balancing at layer 3 (with four web servers). I have a VIP address to talk with clients and 2 FW-1 "Next Generation" on Win200 servers between the CSS and the clients. My clients have some problems establishing the session (HTTP or HTTPS). Once the sessions are established they work well.
    With a sniffer near the client I saw the client send 2, 3 or more SYNs until it gets the SYN-ACK and the session is established.
    With a sniffer between the CSS and the web servers I saw the SYNs that are sent by the client, and I saw a SYN-ACK for every SYN until the session is established.
    Where are the SYN-ACKs sent by the web servers?
    Any idea?

    The servers are connected to a 3524XL switch.
    The CSS is the default gateway to the servers.
    The server can bypass the CSS if we change the gateway, because the firewalls are in the same network.
    I don't have any ACL in the CSS.
    The services are alive.
    I can ping the VIP.
    CONFIG:
    CSS-1A# version
    Version: ap0500033 (5.00 Build 33)
    Flash (Locked): 5.00 Build 33
    Flash (Operational): 5.00 Build 33
    Type: PRIMARY
    Licensed Cmd Set(s): Standard Feature Set
    SSH Server
    CSS-1A# sh boot
    !************************ BOOT CONFIG ************************
    ip address 192.168.7.242
    subnet mask 255.255.255.0
    primary boot-file ap0500033
    primary boot-type boot-via-disk
    CSS-1A# sh run
    !Generated on 02/26/2003 19:32:32
    !Active version: ap0500033
    configure
    !*************************** GLOBAL ***************************
    ip redundancy
    no restrict web-mgmt
    no restrict xml
    restrict ftp
    restrict telnet
    restrict user-database
    restrict snmp
    app session 192.168.100.2
    app
    ip route 0.0.0.0 0.0.0.0 192.168.1.254 1
    !************************* INTERFACE *************************
    interface e1
    phy 100Mbits-FD
    bridge vlan 3
    description "HeartBeat"
    interface e2
    phy 100Mbits-FD
    bridge vlan 2
    redundancy-phy
    description "UP-Link to FW01N1 via Switch-3A"
    interface e3
    phy 100Mbits-FD
    bridge vlan 2
    interface e4
    phy 100Mbits-FD
    bridge vlan 2
    interface e5
    phy 100Mbits-FD
    bridge vlan 2
    interface e6
    phy 100Mbits-FD
    bridge vlan 2
    interface e7
    phy 100Mbits-FD
    bridge vlan 2
    interface e8
    phy 100Mbits-FD
    bridge vlan 4
    !************************** CIRCUIT **************************
    circuit VLAN3
    ip address 192.168.100.1 255.255.255.0
    redundancy-protocol
    circuit VLAN2
    redundancy
    ip address 192.168.1.250 255.255.255.0
    circuit VLAN4
    ip address 10.6.1.60 255.255.255.128
    !************************** SERVICE **************************
    service WEB01_HTTP
    ip address 192.168.1.31
    keepalive type tcp
    keepalive port 80
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB01_HTTP&HTTPS
    ip address 192.168.1.31
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB01_HTTPHEADwebinfo
    ip address 192.168.1.31
    keepalive type script ap-kal-httplist "192.168.1.31 /webinfo.asp"
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB01_HTTPS
    ip address 192.168.1.31
    keepalive type tcp
    keepalive port 443
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB02_HTTP
    ip address 192.168.1.32
    keepalive type tcp
    keepalive port 80
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB02_HTTP&HTTPS
    ip address 192.168.1.32
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB02_HTTPHEADwebinfo
    ip address 192.168.1.32
    keepalive type script ap-kal-httplist "192.168.1.32 /webinfo.asp"
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB02_HTTPS
    ip address 192.168.1.32
    keepalive type tcp
    keepalive port 443
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB03_HTTP
    ip address 192.168.1.33
    keepalive type tcp
    keepalive port 80
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB03_HTTP&HTTPS
    ip address 192.168.1.33
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB03_HTTPHEADwebinfo
    ip address 192.168.1.33
    keepalive type script ap-kal-httplist "192.168.1.33 /webinfo.asp"
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB03_HTTPS
    ip address 192.168.1.33
    keepalive type tcp
    keepalive port 443
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB04_HTTP
    ip address 192.168.1.34
    keepalive type tcp
    keepalive port 80
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB04_HTTP&HTTPS
    ip address 192.168.1.34
    keepalive frequency 15
    keepalive maxfailure 2
    keepalive type script ap-kal-dcheck "192.168.1.34"
    active
    service WEB04_HTTPHEADwebinfo
    ip address 192.168.1.34
    keepalive type script ap-kal-httplist "192.168.1.34 /webinfo.asp"
    keepalive frequency 15
    keepalive maxfailure 2
    active
    service WEB04_HTTPS
    ip address 192.168.1.34
    keepalive type tcp
    keepalive port 443
    keepalive frequency 15
    keepalive maxfailure 2
    active
    !*************************** OWNER ***************************
    owner www.cidadebcp.pt
    content Rule_HTTP
    vip address 192.168.1.100
    protocol tcp
    port 80
    advanced-balance sticky-srcip
    add service WEB01_HTTP&HTTPS
    add service WEB02_HTTP&HTTPS
    add service WEB03_HTTP&HTTPS
    add service WEB04_HTTP&HTTPS
    active
    content Rule_HTTPS
    vip address 192.168.1.100
    protocol tcp
    port 443
    advanced-balance sticky-srcip
    add service WEB02_HTTP&HTTPS
    add service WEB01_HTTP&HTTPS
    add service WEB03_HTTP&HTTPS
    add service WEB04_HTTP&HTTPS
    active
    SHOW SUMMARY
    CSS-1A# sh summ
    Global Bypass Counters:
    No Rule Bypass Count: 1406999
    Acl Bypass Count: 0
    Owner Content Rules State Services Service Hits
    www.?????????.pt Rule_HTTP Active WEB01_HTTP&HTTPS 23851961
    WEB02_HTTP&HTTPS 23432601
    WEB03_HTTP&HTTPS 25224983
    WEB04_HTTP&HTTPS 20882126
    Rule_HTTPS Active WEB01_HTTP&HTTPS 34624556
    WEB02_HTTP&HTTPS 32311666
    WEB03_HTTP&HTTPS 33279661
    WEB04_HTTP&HTTPS 30738365
    SHOW SERV SUMMARY
    CSS-1A# show serv summ
    Service not found
    I hope that this information is enough for you.
    If you want, I can send you the same information by mail. Tell me if necessary.

  • Possible SYN Attack

    I am getting an alert from 2 of my servers. The alert is worded as such: [ID 995438 kern.warning] WARNING: High TCP connect timeout rate! System (port 25) may be under a SYN flood attack!
    My system is Version 5.9 patch level Sun Generic_122300-38
    I have found other postings with this very issue, but they're pertaining to version 5.10. They refer to patch 11999-03, which is now obsolete, however, this patch will not work for my system.
    Can someone help point me in the right direction to the patch that will work for my system?

    Solaris by default is not tuned particularly well for handling large numbers of TCP connections.
    So if the servers are busy, that could easily trigger these messages.
    Try putting the following into a startup script to adjust the tuning.
    I have found it helpful on our high-activity web/proxy servers.
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 2048

  • Half-open SYN Attack 3050.0

    Is there a trick to getting the signature 3050 "half open syn flood" to produce an alert?
    The Cisco Intrusion Prevention System is on version 5.1(1p1) S229.0.
    We have tuned the signature to alert at 2048 half-open connections:
    syn-flood-max-embrionic: 2048 default: 5000
    A "show statistics virtual-sensor" shows that
    TCP streams currently in the embryonic state = 2871
    but still no alert appears on the console.
    The signature uses the normalizer engine and the event-action is set to "produce-alert".
    Any help regarding this would be appreciated.

    What type of sensor are you using?
    On the ASA-SSM-10 and ASA-SSM-20, the normalizer signatures will not be triggered (including the SYN Flood signature).
    The ASA-SSMs rely on the TCP Normalization features of the ASA itself to monitor for TCP anomalies, including SYN floods.
    For other sensors, realize that the SYN Flood signature is tracked on a per-server and per-port basis. So with a 2048 setting there must be 2048 embryonic connections to a specific port on a specific server IP.
    The 2871 number you are seeing in the statistic is for ALL embryonic connections to ALL ports on ALL server IPs. If this is a deployed sensor, it is unlikely that all 2871 embryonic connections from the statistics are to the same server IP/port.

  • CSS DoS illegal Src Attack

    Hi,
    On my CSS 11506, the logs are full of these kinds of error messages:
    "NETMAN-5: Enterprise:DOS Attack:Illegal Src -> 5 times". It also generates a trap every second, flooding our syslogd and trapd server.
    The first information one would obviously require is which IP address, and on which interface, is causing this error message.
    I had a look at the "sh dos" command and I can see the counter for "Illegal Src Attacks" increasing (quite logical), BUT then in the detailed events I can't see any of these events; I only see a few SYN Attack detailed events.
    So does anyone know where I can get the details for these "Illegal Src Attacks" events?
    Many thanks for any help,
    Regards,
    Arno

    Hi to all,
    I desperately need your help.
    I have a very similar problem with the CSS.
    Same DoS attack (many SYN Attacks visible in the "show dos" detailed command and many Src Attacks, but only in the counters).
    The strange thing is that the IP addresses involved are unicast IPs (not multicast).
    I haven't understood many things.
    The first is: what is the reason why the CSS sees that 10.6.27.133 is an Illegal Src??? (In this case the .133 is the IP address of interface 6/9 of the CSS.)
    DOS Attack Event  1:
    First Attack: 31/08/2010 22:52:24
    Last Attack:  31/08/2010 22:52:34
    Source Address:             10.6.27.133 Destination Address:         10.6.84.69
    Event Type:                 Illegal Src Total Attacks:                        3
    Can someone help me to understand?
    Below is the "show dos" with one event as an example:
    Total Attacks: 33170637
    SYN Attacks:                 14,843,912 Maximum per second:                 284
    LAND Attacks:                         0 Maximum per second:                   0
    Zero Port Attacks:                    0 Maximum per second:                   0
    Illegal Src Attacks:         18,325,982 Maximum per second:                 224
    Illegal Dst Attacks:                743 Maximum per second:                   4
    Smurf Attacks:                        0 Maximum per second:                   0
    DOS Attack Event 12:
    First Attack: 31/08/2010 22:18:34
    Last Attack:  31/08/2010 22:31:26
    Source Address:             10.6.67.167 Destination Address:     113.213.43.145
    Where do you suggest I investigate??
    Many thanks,
    M.G.

  • Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

    Hi,
    For a couple of weeks I have been getting the DoS attack logs below on a Cisco CSS. Can anyone help me out with how we can avoid this and how to deal with it?
    04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
    04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
    04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
    Thanks
    Manish
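    The counters quoted in the last two posts are the raw material for deciding whether a reported "attack" is real. The following is an added example, not code from any post in this thread: it parses "show dos" detail events (in the layout M.G. pasted) and the "DOS Attack ... -> N times" trap lines (as in Manish's post) and labels each source as the CSS itself, a trusted low-rate client (Lior's ICMP-redirect case in the original thread), or external. The trusted prefix, the CSS interface address, the 1 attack/s threshold and the sample input are constructed assumptions.

```python
# Triage of Cisco CSS DoS counters: "show dos" events and "DOS Attack" trap lines.
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Detailed event block as printed by "show dos" (layout from M.G.'s post).
EVENT_RE = re.compile(
    r"DOS Attack Event\s+(?P<id>\d+):\s*"
    r"First Attack:\s*(?P<first>\S+ \S+)\s*"
    r"Last Attack:\s*(?P<last>\S+ \S+)\s*"
    r"Source Address:\s*(?P<src>[\d.]+)\s*"
    r"Destination Address:\s*(?P<dst>[\d.]+)\s*"
    r"Event Type:\s*(?P<type>.+?)\s+Total Attacks:\s*(?P<count>\d+)"
)
# Trap/syslog line as printed in Manish's post.
SYSLOG_RE = re.compile(r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):Enterprise:DOS Attack:"
                       r"(?P<type>.+?) -> (?P<count>\d+) times")
# The two outputs in the thread use different date orders.
SHOWDOS_TS_FMT = "%d/%m/%Y %H:%M:%S"   # 31/08/2010
SYSLOG_TS_FMT = "%m/%d/%Y %H:%M:%S"    # 04/23/2011
# Assumptions: the CSS interface address named in M.G.'s post, the prefix that
# legitimate clients and servers live in, and what counts as a "slow" source.
CSS_SELF_ADDRS = ["10.6.27.133"]
TRUSTED_NETS = ["10.0.0.0/8"]
SLOW_RATE = 1.0  # counted attacks per second

def parse_show_dos(text):
    """One dict per 'DOS Attack Event' block."""
    events = []
    for m in EVENT_RE.finditer(text):
        events.append({
            "id": int(m["id"]),
            "first": datetime.strptime(m["first"], SHOWDOS_TS_FMT),
            "last": datetime.strptime(m["last"], SHOWDOS_TS_FMT),
            "src": ip_address(m["src"]),
            "type": m["type"].strip(),
            "count": int(m["count"]),
        })
    return events

def triage(events, css_self=CSS_SELF_ADDRS, trusted=TRUSTED_NETS, slow=SLOW_RATE):
    """Label each event: 'self' (source is the CSS itself, as in M.G.'s Illegal
    Src events: check routing/VLAN config), 'trusted' (known prefix at a low
    rate, Lior's case: check ICMP redirects and keepalives before blaming the
    client) or 'external' (worth a real look)."""
    self_addrs = {ip_address(a) for a in css_self}
    nets = [ip_network(n) for n in trusted]
    labels = []
    for ev in events:
        # Rate over the event window; a 0 s window is treated as 1 s.
        secs = max((ev["last"] - ev["first"]).total_seconds(), 1.0)
        if ev["src"] in self_addrs:
            label = "self"
        elif any(ev["src"] in n for n in nets) and ev["count"] / secs <= slow:
            label = "trusted"
        else:
            label = "external"
        labels.append((ev["id"], str(ev["src"]), ev["type"], label))
    return labels

def summarize_syslog(lines):
    """Totals per event type, the noisiest line and the hours spanned."""
    per_type, peak, stamps = defaultdict(int), (None, 0), []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue  # not a DoS trap line
        n = int(m["count"])
        per_type[m["type"].strip()] += n
        stamps.append(datetime.strptime(m["ts"], SYSLOG_TS_FMT))
        if n > peak[1]:
            peak = (m["ts"], n)
    span = (max(stamps) - min(stamps)).total_seconds() / 3600 if stamps else 0.0
    return {"per_type": dict(per_type), "peak": peak,
            "span_hours": round(span, 2), "lines": len(stamps)}

# Constructed sample: events 1 and 12 follow M.G.'s post (event 12's type and
# count are invented, the post did not show them); event 13 is invented.
SAMPLE_SHOW_DOS = """\
DOS Attack Event  1:
First Attack: 31/08/2010 22:52:24
Last Attack:  31/08/2010 22:52:34
Source Address:             10.6.27.133 Destination Address:         10.6.84.69
Event Type:                 Illegal Src Total Attacks:                        3
DOS Attack Event 12:
First Attack: 31/08/2010 22:18:34
Last Attack:  31/08/2010 22:31:26
Source Address:             10.6.67.167 Destination Address:     113.213.43.145
Event Type:                  SYN Attack Total Attacks:                       52
DOS Attack Event 13:
First Attack: 31/08/2010 22:40:00
Last Attack:  31/08/2010 22:40:02
Source Address:           198.51.100.77 Destination Address:         10.6.84.69
Event Type:                  SYN Attack Total Attacks:                      900
"""
# Three of the trap lines from Manish's post.
SAMPLE_SYSLOG = """\
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
"""
```

    Feed the real "show dos" output and the syslog export through parse_show_dos and summarize_syslog; a "self" or "trusted" label points at a routing or keepalive problem rather than at a host to block.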

    Hi Nicolas,
    The reason I am asking about the DoS attack is that I am facing some issues with the 2 VIPs configured on the Cisco CSS 11501.
    Can you help me troubleshoot the issue?
    I have come across some load balancing issues for the 2 VIPs configured on the Cisco CSS11501.
    We have a Cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers. The client calls the FE VIP and the LB forwards it to a server; then the FE server calls the BE VIP, which goes through the same LB and is forwarded to a BE server under the VIP. When we start a load test, we have observed that after a 2-hour test the application team gets HTTP timeouts. As this application is used by a call center, getting timeouts is bad.
    I need to troubleshoot this issue in case there is any problem from the LB end.
    Please find the attached file for the VIP configs.
