CSS false syn attack behavior
Hi all,
We are having an issue with our CSS11501,version sg0810106.
our web app is using alot of web requests (up to one every 15 seconds )
for some reason occasionally our session is being dropped, and we can't connect for few minutes.
i just found out that the source ip address of the client is showed as a source for "syn attack" when i issue "show dos".
does the CSS block my legitimate traffic as suspected syn attack?
if so how can i work around it?
why does it pick it as syn attack how can i improve its false detection?
Can anyone help me with this?
thanks,
Lior
Thanks Gilles,
Indeed the CSS doesn't block anything (I wish it would have been more explicit in the documents, except writing that the dos feature cannot be disabled).
However It was a problem that caused by the CSS and I write this here just in case someone else will encounter the same.
I use CSS for many years now, but this is the first time that i used it on a very connection intensive application and in such an envirounment, and this is why the issue became a visible problem.
CSS and ASA was connected on the same network, with the CSS interface configured as a default gateway on the hosts.
However the CSS sends ICMP redirects packets to the hosts injecting a "better" route to different external IP addresses using the ASA interface IP address. That cause connections from different IP addresses to be blocked for a period of 10 minutes (default time that an ICMP redirect injected route will stay in the routing table of windows server2003) because the routing table on the host has a "better" route which is not the CSS's interface.
Together with the fact that I was using sticky session content rule based on sticky-srcip, that caused an outage for 10 minutes for different IP addresses on a regular basis.
I have sorted it out by disabling icmp Redirect on the windows hosts registry:
"\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
change EnableICMPRedirect to "0" by default its "1"
reboot the hosts, and you will see an immediate drop in syn attack indications on the CSS, hinting that the problem has been solved.
I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did that for me.
Thanks again gilles for your enlightment
Regards,
Lior
Similar Messages
-
CSS 11050 SYN Attacks and auto-reboot
Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!
First, you should definitely upgrade.
5.0(2) is VERY VERY OLD.
Next, a box never reload by itself on purpose or because it reached a certain threshold.
If there is an auto-reboot, this means the box crash and this is not normal.
Gilles. -
CSS wrongly reports SYN attacks
Hi all,
in our environment we have a CSS 11800 which is connected to 3 servers which are all running the same
services. Every night there is a log rotation and therefor the services are taken down one by one.
The CSS forwards traffic to the service even if it's down.
From the time the sevice is down i can see always a huge amount of SYN attacks reported in the traplog.
The reason for this is that the server sends a RST for every SYN request (which is normal as the port
is down).
We are running on SW version 5.00 build 63.
Can you tell me how long it takes until the CSS detects the service as down and if there is a newer release which maybe detects a RST as a valid response to a SYN and therefor doesn't report a SYN attack.I don't see why you do not shutdown the service manually during maintenance ?
Regarding how fast the CSS detect a service down it depends on the sort of keepalive you have configured.
If you are using icmp keepalive the CSS may still believe the service is active if it continues to respond to ping.
Again the fastest way for the CSS to detect a service down is to configure it be down.
No release will accept the RST.
This is your job to make sure the CSS does not forward traffic to a service down.
Gilles. -
Forefront TMG detected a possible SYN attack and will protect the network accordingly
Hi , Some times here internet is not working for using through TMG 2010. but Local Host Internet is working. then it should restart the
Microsoft Forefront TMG Control with related Services. then again users can access the Internet through TMG.
I check the Event Viewer in Server. it shows below Error Log.
Forefront TMG detected a possible SYN attack and will protect the network accordingly
what should for this ?
Regards, COMDINIHello,
An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
Please enable logging to identified this hosts and then check if it is infected by viruses or malware programs.
Please see the value of the number of Maximum half-open TCP connections in Flood Mitigation settings for more information.
Once your problem is solved, you have to see "Forefront TMG is no longer experiencing a SYN attack." message.
This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010
/ 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator:
Security
Microsoft Certified Systems Engineer:
Security
Microsoft Certified Technology Specialist:
Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist:
Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist:
Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist:
Windows 7, Configuring
Microsoft Certified IT Professional: Enterprise
Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer -
Duplicate SYN attacks from Outside to Outside
Hi Everyone,
We have an FTP server that sits in our DMZ. This Server has a DMZ interface and an external interface. When trying to access the server from the internet on its external address i am getting alot of Duplicate SYN attacks. They seem to be coming all from the same source and port to the same destination and port.
As part of the testing i first took out any references to the FTP server in my Access rules on the ASA. I then tried to FTP to the server from an outside internet connection and as expected get the following in the log:
4
Mar 01 2013
10:23:18
194.80.130.xx
46867
78.24.112.XX
21
Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one). When i then try and FTP to the server i get lots of SYN attacks which says the following:
4
Mar 01 2013
10:27:29
194.80.130.XX
46973
78.24.112.XX
21
Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
I am not sure why I am getting duplicate SYN attacks. I have similar servers in the DMZ that do the same thing and they seem to be working fine. I am pretty sure this is not actually a DOS attack. I also have spoken to the team who manage the server and they have confirmed that the external IP is setup correctly on the server (its not that the external IP does not exist and just loops).
There is also NAT'ing setup on the ASA that NATs the dmz IP to the external IP and vice versa.
I have also noticed that whenever i create a new rule on the outside interface on my ASA it automatically adds the same descripton from another rule on the outside interface. What does this mean? Why could it be copying a description from anothe rule?
Your advice would be much appreciated.Output from packet-tracer to outside address 78.24.112.xx
It seems as though the NAT to the DMZ address is just not working. I have set a NAT rule up "before network object NAT" rule and also set a simple object NAT, but still getting the error.
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
object-group service DM_INLINE_SERVICE_7
service-object tcp destination eq ssh
service-object ip
service-object tcp destination eq ftp
Additional Information:
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26135657, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow -
Protected servers under syn attack!!
The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack. Refer to the attached picture.
In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
RegardsHi,
below is the output of the # sh threat-detection rate command. can anyone explain me the vulnerabilities and risks by looking at the figures below. thanks
Average(eps) Current(eps) Trigger Total events
10-min ACL drop: 1 0 0 672
1-hour ACL drop: 1 0 0 4654
10-min SYN attck: 0 0 0 386
1-hour SYN attck: 0 0 0 3428
10-min Scanning: 2 1 55503 1248
1-hour Scanning: 2 2 18455 9177
10-min Bad pkts: 0 0 0 184
1-hour Bad pkts: 0 0 0 1089
10-min Firewall: 1 0 0 862
1-hour Firewall: 1 1 0 5749
10-min DoS attck: 0 0 0 6
1-hour DoS attck: 0 0 0 6
10-min Interface: 1 0 0 1034
1-hour Interface: 1 1 0 6616
regards,
AAMIR -
ASA5505, SYN attack, ISP and IPS module
Our 5505 is currently being hit by a SYN attack from surprise, surprise, China. The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box. I am currently using the shun command to try to mitigate the problem but it is not much help. It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable.
I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports. The attacks don't seem to be pinpointing any particular server or service. Seems like just basic DoS of our service. Besides, the feedback from people who have tried this doesn't seem too convincing.
So I have two questions:
1) My ISP is unwilling and/or unable to do anything. They suggest I email the abuse mailbox from the offending ISP. Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
2) Will adding the IPS module help here? I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
Any and all advice is welcome.
Thanks,
DiegoHi Diego,
As Julio mentioned, info has to be there. Do you have the 'show xlate' when the issue was seen? In such cases, along with xlate table, you can check connection for hosts making unusual number of connections (show connection count/show connection all). Here are few useful commands in such scenarios:
show local-host connection udp 100-10000 << Gives host with total UDP connections b/w 100-1000
show local-host connection tcp 100-10000 << Same info for hosts making TCP connections
show local-host connection embryonic 100-10000 << hosts with 100-1000 embryonic connections
Change the range as per need.
Sourav -
SNMP - Scan and Syn Attack OIDs
Hello support community,
Im looking for snmp oids for scan and syn attack, im trying to build a graph with cacti that would represent a historical with DOS and scan attacks. I have looked MIB and i dont see anything jumping at me about these OIDs. Can you please help me on finding these?
Thanks,
DelmiroI opened a casa with TAC, and they stated that these oids are not supported. I thought i would post my findings here incase anyone else was looking for them.
-
Hi All,
I have router and inside interface is connected to firewall.
Last week i had attack one of my internal server and i also loosing connectivity to inside interface of the firewall.
But today suddenly internet was down when checked link was up but i also not able to ping to router inerface.
When checked in firewall there was a log indicating SYN attack but source and destination ip was not mentioned.
Can anybody suggest.Prevent the attack itself ?
No
Mitigate the impact on services ?
to some extent yes. read the link below
The agressor can always oversaturate your internetlink.
It is just a numbers game, a SYN packet size is X your link has size Y and can traverse Z packets per second.
Then the agressor just needs to send enough syn packets through to eat up the resources of Y or Z wichever comes first.
However that is not the normal way of using syn attacks since there are faster ways to oversaturate the link.
the normal way of using syn attacks is to steal resources away from the server that is under attack by not establishing a full tcp connection.
This is mitigated in the firewall who sits inbetween the agressor and the server and answers the Syn packets and only lets through the ones that are legit.
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
Good luck
HTH -
DOS Attack Behavior and CSS11506
Some Security Guy decided this morning to make a full scan for any exploits using Nessus the *NIX tool.
After he reached our two CSS11506 the both deny http, ftp or ssh sessions. The Content Redirection is still working allthough some user report it being slower than usual. Using the serial console connection i can still access the CLI.
Q: Is the behavior of not accesible services like ftp,ssh,http,etc. the cause of an successful exploit or is this a "shutdown" by design.
If this is a design behavior, can i resume the previous behavior with a command in config or priviledged mode? My current option is only a restart of both CSS.
Log from today:
MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from <Source IP>
MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1496 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/
1.0
MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-Nes
susSSH_1.0
MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
MAY 3 11:09:22 1/1 1510 NETMAN-4: Did not receive identification string from <Source IP>
MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from <Source IP>Too bad regarding the design issue, that means i have to restart both CSS.
When i last checked the VIP Adresses and show summary everything was looking normal. The two css are still running with bugged ssh/http service but content redirection is still working fine. That is at least the most important thing about it.
The "attack" was only this morning so everything is okay by now. But before rebooting the machines i wanted to verify if this was on purpose or like it seems to be an DOS Exploit in some way.
Regarding the Update i will check that out tomorrow. If you would like some special information for debugging purpose just let me know before i will restart the machines.
Thanks for the Feedback,
Roble -
I have 2 CSS 11052 making server load balancing at layer 3 (with four web servers). I have a VIP addr to talk with clients and 2 FW1 "next generation) in Win200 servers between the CSS and the clients. My clients have some problems in the the establish of the session (http or https). When the session are established they work well.
With a sniffer near the client i saw the client send 2, 3, or more "syn" till they have the "synack" and the session are established.
With a sniffer between the CSS and the web servers i saw the "syn's" that are sent by the client and i saw "synack" for every "syn" till the session are established.
Where are the "synack" sent by the web servers?
Any idea?The servers are connected to a 3524XL switch.
The CSS is the default gateway to the servers.
The server can bypass the CSS if we change the gateway, because the firewalls are in the same network.
I don´t have any ACL in the CSS
The services are alive.
I can ping the VIP.
CONFIG:
CSS-1A# version
Version: ap0500033 (5.00 Build 33)
Flash (Locked): 5.00 Build 33
Flash (Operational): 5.00 Build 33
Type: PRIMARY
Licensed Cmd Set(s): Standard Feature Set
SSH Server
CSS-1A# sh boot
!************************ BOOT CONFIG ************************
ip address 192.168.7.242
subnet mask 255.255.255.0
primary boot-file ap0500033
primary boot-type boot-via-disk
CSS-1A# sh run
!Generated on 02/26/2003 19:32:32
!Active version: ap0500033
configure
!*************************** GLOBAL ***************************
ip redundancy
no restrict web-mgmt
no restrict xml
restrict ftp
restrict telnet
restrict user-database
restrict snmp
app session 192.168.100.2
app
ip route 0.0.0.0 0.0.0.0 192.168.1.254 1
!************************* INTERFACE *************************
interface e1
phy 100Mbits-FD
bridge vlan 3
description "HeartBeat"
interface e2
phy 100Mbits-FD
bridge vlan 2
redundancy-phy
description "UP-Link to FW01N1 via Switch-3A"
interface e3
phy 100Mbits-FD
bridge vlan 2
interface e4
phy 100Mbits-FD
bridge vlan 2
interface e5
phy 100Mbits-FD
bridge vlan 2
interface e6
phy 100Mbits-FD
bridge vlan 2
interface e7
phy 100Mbits-FD
bridge vlan 2
interface e8
phy 100Mbits-FD
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN3
ip address 192.168.100.1 255.255.255.0
redundancy-protocol
circuit VLAN2
redundancy
ip address 192.168.1.250 255.255.255.0
circuit VLAN4
ip address 10.6.1.60 255.255.255.128
!************************** SERVICE **************************
service WEB01_HTTP
ip address 192.168.1.31
keepalive type tcp
keepalive port 80
keepalive frequency 15
keepalive maxfailure 2
active
service WEB01_HTTP&HTTPS
ip address 192.168.1.31
keepalive frequency 15
keepalive maxfailure 2
active
service WEB01_HTTPHEADwebinfo
ip address 192.168.1.31
keepalive type script ap-kal-httplist "192.168.1.31 /webinfo.asp"
keepalive frequency 15
keepalive maxfailure 2
active
service WEB01_HTTPS
ip address 192.168.1.31
keepalive type tcp
keepalive port 443
keepalive frequency 15
keepalive maxfailure 2
active
service WEB02_HTTP
ip address 192.168.1.32
keepalive type tcp
keepalive port 80
keepalive frequency 15
keepalive maxfailure 2
active
service WEB02_HTTP&HTTPS
ip address 192.168.1.32
keepalive frequency 15
keepalive maxfailure 2
active
service WEB02_HTTPHEADwebinfo
ip address 192.168.1.32
keepalive type script ap-kal-httplist "192.168.1.32 /webinfo.asp"
keepalive frequency 15
keepalive maxfailure 2
active
service WEB02_HTTPS
ip address 192.168.1.32
keepalive type tcp
keepalive port 443
keepalive frequency 15
keepalive maxfailure 2
active
service WEB03_HTTP
ip address 192.168.1.33
keepalive type tcp
keepalive port 80
keepalive frequency 15
keepalive maxfailure 2
active
service WEB03_HTTP&HTTPS
ip address 192.168.1.33
keepalive frequency 15
keepalive maxfailure 2
active
service WEB03_HTTPHEADwebinfo
ip address 192.168.1.33
keepalive type script ap-kal-httplist "192.168.1.33 /webinfo.asp"
keepalive frequency 15
keepalive maxfailure 2
active
service WEB03_HTTPS
ip address 192.168.1.33
keepalive type tcp
keepalive port 443
keepalive frequency 15
keepalive maxfailure 2
active
service WEB04_HTTP
ip address 192.168.1.34
keepalive type tcp
keepalive port 80
keepalive frequency 15
keepalive maxfailure 2
active
service WEB04_HTTP&HTTPS
ip address 192.168.1.34
keepalive frequency 15
keepalive maxfailure 2
keepalive type script ap-kal-dcheck "192.168.1.34"
active
service WEB04_HTTPHEADwebinfo
ip address 192.168.1.34
keepalive type script ap-kal-httplist "192.168.1.34 /webinfo.asp"
keepalive frequency 15
keepalive maxfailure 2
active
service WEB04_HTTPS
ip address 192.168.1.34
keepalive type tcp
keepalive port 443
keepalive frequency 15
keepalive maxfailure 2
active
!*************************** OWNER ***************************
owner www.cidadebcp.pt
content Rule_HTTP
vip address 192.168.1.100
protocol tcp
port 80
advanced-balance sticky-srcip
add service WEB01_HTTP&HTTPS
add service WEB02_HTTP&HTTPS
add service WEB03_HTTP&HTTPS
add service WEB04_HTTP&HTTPS
active
content Rule_HTTPS
vip address 192.168.1.100
protocol tcp
port 443
advanced-balance sticky-srcip
add service WEB02_HTTP&HTTPS
add service WEB01_HTTP&HTTPS
add service WEB03_HTTP&HTTPS
add service WEB04_HTTP&HTTPS
active
SHOW SUMMARY
CSS-1A# sh summ
Global Bypass Counters:
No Rule Bypass Count: 1406999
Acl Bypass Count: 0
Owner Content Rules State Services Service Hits
www.?????????.pt Rule_HTTP Active WEB01_HTTP&HTTPS 23851961
WEB02_HTTP&HTTPS 23432601
WEB03_HTTP&HTTPS 25224983
WEB04_HTTP&HTTPS 20882126
Rule_HTTPS Active WEB01_HTTP&HTTPS 34624556
WEB02_HTTP&HTTPS 32311666
WEB03_HTTP&HTTPS 33279661
WEB04_HTTP&HTTPS 30738365
SHOW SERV SUMMARY
CSS-1A# show serv summ
Service not found
I hope that this information is enough to you.
If you want i can send you the same information by mail. Tell me if necessary. -
I am getting an alert from 2 of my servers. The alert is worded as such: [ID 995438 kern.warning] WARNING: High TCP connect timeout rate! System (port 25) may be under a SYN flood attack!
My system is Version 5.9 patch level Sun Generic_122300-38
I have found other postings with this very issue, but they're pertaining to version 5.10. They refer to patch 11999-03, which is now obsolete, however, this patch will not work for my system.
Can someone help point me in the right direction to the patch that will work for my system?Solaris by default is not tuned particularly well for handling large numbers of tcp connections.
So if the servers are busy, that could easily trigger these messages.
Try putting the following into a startup script to adjust the tuning.
I have found it helpfull on our high activity web/proxy servers.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 2048 -
Half-open SYN Attack 3050.0
Is there a trick to getting the signature 3050 ?half open syn flood? to produce an alert?
The Cisco Intrusion Prevention System is on version 5.1(1p1) S229.0.
We have tuned the signature to alert at 2048 half open connections.
syn-flood-max-embrionic: 2048 default: 5000
A ?show statistics virtual-sensor? shows that
TCP streams currently in the embryonic state = 2871?
but still no alert appears on the console.
The signature use the normalizer engine and the event-action is set to ?produce-alert?
Any help regarding this would be appreciated.What type of sensor are using?
On the ASA-SSM-10 and ASA-SSM-20, the normalizer signatures will not be triggered (including the Syn Flood signature).
The ASA-SSMs relie on the TCP Normalization features of the ASA itself to monitor for TCP anomalies including SYN Floods.
For other sensors realize that the SYN Flood signature is tracked on a per server and per port basis. So with a 2048 setting there must be 2048 embryonic connections to a specific port on a specific server IP.
The 2871 number you are seeing in the statistic is for ALL embryonic connections to ALL ports on ALL server IPs. If this is a deployed sensor it is unlikely that all 2871 embryonic connections from the statistics are to the same server IP/port. -
Hi,
On my CSS 11506, logs are full of these kind of error messages:
"NETMAN-5: Enterprise:DOS Attack:Illegal Src -> 5 times". It also generates a trap every seconds, flooding our syslogd and trapd server.
The first information one would obviously require is which IP address, and on which interface, is causing this error message.
I had a look at the "sh dos" command and I can see the counter for "Illegal Src Attacks" increasing (quite logical), BUT then in the detailed events, I can't see any of these events, I only see few SYN Attacks detailed events.
So does anyone know where I can get the details for these "Illegal Src Attacks" events ?
Many Thanks for any help,
Regards,
ArnoHi to all,
i desperate need your help.
I got a very similar problem with CSS.
Same DoS attack. (many Syn Attack visible in the "show dos" detailed command and many Src Attack but only in the counters)
The strange thing is that the ip address involved are unicast ip (not multicast).
I've not understand many things.
The first is , what's the reason why CSS see that 10.6.27.133 is an Illegal Src??? (It's in this case the .133 is the ip address of interface 6/9 of CSS)
OS Attack Event 1:
First Attack: 31/08/2010 22:52:24
Last Attack: 31/08/2010 22:52:34
Source Address: 10.6.27.133 Destination Address: 10.6.84.69
Event Type: Illegal Src Total Attacks: 3
Someone can help me to understand?
Below is the "show dos" with one event as an example
Total Attacks: 33170637
SYN Attacks: 14,843,912 Maximum per second: 284
LAND Attacks: 0 Maximum per second: 0
Zero Port Attacks: 0 Maximum per second: 0
Illegal Src Attacks: 18,325,982 Maximum per second: 224
Illegal Dst Attacks: 743 Maximum per second: 4
Smurf Attacks: 0 Maximum per second: 0
DOS Attack Event 12:
First Attack: 31/08/2010 22:18:34
Last Attack: 31/08/2010 22:31:26
Source Address: 10.6.67.167 Destination Address: 113.213.43.145
Where do you suggest to investigate??
Many thanks,
M.G. -
Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.
Hi ,
Since couple of weeks , i am getting below DOS attack logs on cisco CSS.Can anyone help me out about how can we avoid this? and how to deal with it.
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
Thanks
ManishHi Nicolas,
Why i am asking about DOS attack as i am facing some issues for the 2 VIPs configured in cisco CSS 11501.
Can you help me troubleshooting the issue?
I have coming across some Load Balancing issues for the 2 VIPS configured on Cisco CSS11501.
We have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers.Now Client calls to FE VIP and LB forwarding it to server and then FE server calls the BE VIP which goes through the same LB and forward to BE server under the VIP.When we start load test, we have observed after 2 hour test, application team getting HTTP timeout.As this application is used by Call center so getting timeout is bad.
Need to troubleshoot this issue if there is any problem from LB End.
Please find the attached file for VIP configs.
Maybe you are looking for
-
I have searched the archives and found several instances of this problem but no replies. Can anyone please tell me why I get this error every time Itunes opens and I have to hit cancel 3-4 times before it leaves me alone. I know in the Windows 98 wor
-
Import filter for Pagemaker does not support non-english charcters in references
Hi all, we found that when importing from Pagemaker, all referenced images that contain non-english charcters (such as German umlauts) in their file names are lost. Apart from this, the direct import works quite well for us, therefore we would like t
-
Are there any updates for CS6 for retina display?
Just purchased CS6 and everything is fuzzy. Can't find any info about it.
-
Hi all , AM INTO S &D. well i have configured STO btvn 2plants with in same co code. well the purchase order(me21n) is saved with no errors and in ME23 the quantity ,receving & supplying plant details are projected. CONFIGURATION : ASSIGN D
-
I have installed Oracle XE which supposedly also install APEX. In the configuration steps I specified port 8080 as it's port of operation, however I am unable to access APEX at all. I have checked firewalls as well. I would like to know where I can l