CSS wrongly reports SYN attacks

Similar Messages

• CSS false syn attack behavior

  Hi all,
  We are having an issue with our CSS11501,version sg0810106.
  our web app is using alot of web requests (up to one every 15 seconds )
  for some reason occasionally our session is being dropped, and we can't connect for few minutes.
  i just found out that the source ip address of the client is showed as a source for "syn attack" when i issue "show dos".
  does the CSS block my legitimate traffic as suspected syn attack?
  if so how can i work around it?
  why does it pick it as syn attack how can i improve its false detection?
  Can anyone help me with this?
  thanks,
  Lior

  Thanks Gilles,
  Indeed the CSS doesn't block anything (I wish it would have been more explicit in the documents, except writing that the dos feature cannot be disabled).
  However It was a problem that caused by the CSS and I write this here just in case someone else will encounter the same.
  I use CSS for many years now, but this is the first time that i used it on a very connection intensive application and in such an envirounment, and this is why the issue became a visible problem.
  CSS and ASA was connected on the same network, with the CSS interface configured as a default gateway on the hosts.
  However the CSS sends ICMP redirects packets to the hosts injecting a "better" route to different external IP addresses using the ASA interface IP address. That cause connections from different IP addresses to be blocked for a period of 10 minutes (default time that an ICMP redirect injected route will stay in the routing table of windows server2003) because the routing table on the host has a "better" route which is not the CSS's interface.
  Together with the fact that I was using sticky session content rule based on sticky-srcip, that caused an outage for 10 minutes for different IP addresses on a regular basis.
  I have sorted it out by disabling icmp Redirect on the windows hosts registry:
  "\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
  change EnableICMPRedirect to "0" by default its "1"
  reboot the hosts, and you will see an immediate drop in syn attack indications on the CSS, hinting that the problem has been solved.
  I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did that for me.
  Thanks again gilles for your enlightment
  Regards,
  Lior

• CSS 11050 SYN Attacks and auto-reboot

  Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!

  First, you should definitely upgrade.
  5.0(2) is VERY VERY OLD.
  Next, a box never reload by itself on purpose or because it reached a certain threshold.
  If there is an auto-reboot, this means the box crash and this is not normal.
  Gilles.

• CSS DoS illegal Src Attack

  Hi,
  On my CSS 11506, logs are full of these kind of error messages:
  "NETMAN-5: Enterprise:DOS Attack:Illegal Src -> 5 times". It also generates a trap every seconds, flooding our syslogd and trapd server.
  The first information one would obviously require is which IP address, and on which interface, is causing this error message.
  I had a look at the "sh dos" command and I can see the counter for "Illegal Src Attacks" increasing (quite logical), BUT then in the detailed events, I can't see any of these events, I only see few SYN Attacks detailed events.
  So does anyone know where I can get the details for these "Illegal Src Attacks" events ?
  Many Thanks for any help,
  Regards,
  Arno

  Hi to all,
  i desperate need your help.
  I got a very similar problem with CSS.
  Same DoS attack. (many Syn Attack visible in the "show dos" detailed command and many Src Attack but only in the counters)
  The strange thing is that the ip address involved are unicast ip (not multicast).
  I've not understand many things.
  The first is , what's the reason why CSS see that 10.6.27.133 is an Illegal Src??? (It's in this case the .133 is the ip address of interface 6/9 of CSS)
  OS Attack Event  1:
  First Attack: 31/08/2010 22:52:24
  Last Attack:  31/08/2010 22:52:34
  Source Address:             10.6.27.133 Destination Address:         10.6.84.69
  Event Type:                 Illegal Src Total Attacks:                        3
  Someone can help me to understand?
  Below is the "show dos" with one event as an example
  Total Attacks: 33170637
  SYN Attacks:                 14,843,912 Maximum per second:                 284
  LAND Attacks:                         0 Maximum per second:                   0
  Zero Port Attacks:                    0 Maximum per second:                   0
  Illegal Src Attacks:         18,325,982 Maximum per second:                 224
  Illegal Dst Attacks:                743 Maximum per second:                   4
  Smurf Attacks:                        0 Maximum per second:                   0
  DOS Attack Event 12:
  First Attack: 31/08/2010 22:18:34
  Last Attack:  31/08/2010 22:31:26
  Source Address:             10.6.67.167 Destination Address:     113.213.43.145
  Where do you suggest to investigate??
  Many thanks,
  M.G.

• Protected servers under syn attack!!

  The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.
  In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
  I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
  Regards

  Hi,
  below is the output of the # sh threat-detection rate command. can anyone explain me the vulnerabilities and risks by looking at the figures below. thanks
                            Average(eps)    Current(eps) Trigger      Total events
    10-min ACL  drop:                  1               0       0               672
    1-hour ACL  drop:                  1               0       0              4654
    10-min SYN attck:                  0               0       0               386
    1-hour SYN attck:                  0               0       0              3428
    10-min  Scanning:                  2               1   55503              1248
    1-hour  Scanning:                  2               2   18455              9177
    10-min Bad  pkts:                  0               0       0               184
    1-hour Bad  pkts:                  0               0       0              1089
    10-min  Firewall:                  1               0       0               862
    1-hour  Firewall:                  1               1       0              5749
    10-min DoS attck:                  0               0       0                 6
    1-hour DoS attck:                  0               0       0                 6
    10-min Interface:                  1               0       0              1034
    1-hour Interface:                  1               1       0              6616
  regards,
  AAMIR

• Forefront TMG detected a possible SYN attack and will protect the network accordingly

  Hi ,  Some times here internet is not working for using through TMG 2010. but Local Host Internet is working. then it should restart the 
  Microsoft Forefront TMG Control with related Services. then again users can access the Internet  through TMG.
  I check the Event Viewer in Server. it shows below Error Log.
  Forefront TMG detected a possible SYN attack and will protect the network accordingly
  what should for this ?
  Regards, COMDINI

  Hello,
  An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
  Please enable logging to identified this hosts and then check if it is infected by viruses or malware programs.
  Please see the value of the number of Maximum half-open TCP connections in Flood Mitigation settings for more information.
  Once your problem is solved, you have to see "Forefront TMG is no longer experiencing a SYN attack." message.
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Microsoft Student Partner 2010
  / 2011
  Microsoft Certified Professional
  Microsoft Certified Systems Administrator:
  Security
  Microsoft Certified Systems Engineer:
  Security
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Active Directory, Configuration
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Network Infrastructure, Configuration
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft Certified Technology Specialist:
  Windows 7, Configuring
  Microsoft Certified IT Professional: Enterprise
  Administrator
  Microsoft Certified IT Professional: Server Administrator
  Microsoft Certified Trainer

• Duplicate SYN attacks from Outside to Outside

  Hi Everyone,
  We have an FTP server that sits in our DMZ.  This Server has a DMZ interface and an external interface.  When trying to access the server from the internet on its external address i am getting alot of Duplicate SYN attacks.  They seem to be coming all from the same source and port to the same destination and port.
  As part of the testing i first took out any references to the FTP server in my Access rules on the ASA.  I then tried to FTP to the server from an outside internet connection and as expected get the following in the log:
  4
  Mar 01 2013
  10:23:18
  194.80.130.xx
  46867
  78.24.112.XX
  21
  Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
  I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one).  When i then try and FTP to the server i get lots of SYN attacks which says the following:
  4
  Mar 01 2013
  10:27:29
  194.80.130.XX
  46973
  78.24.112.XX
  21
  Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
  I am not sure why I am getting duplicate SYN attacks.  I have similar servers in the DMZ that do the same thing and they seem to be working fine.  I am pretty sure this is not actually a DOS attack.  I also have spoken to the team who manage the server and they have confirmed that the external IP is setup correctly on the server (its not that the external IP does not exist and just loops).
  There is also NAT'ing setup on the ASA that NATs the dmz IP to the external IP and vice versa.
  I have also noticed that whenever i create a new rule on the outside interface on my ASA it automatically adds the same descripton from another rule on the outside interface.  What does this mean?  Why could it be copying a description from anothe rule?
  Your advice would be much appreciated.

  Output from packet-tracer to outside address 78.24.112.xx 
  It seems as though the NAT to the DMZ address is just not working.  I have set a NAT rule up "before network object NAT" rule and also set a simple object NAT, but still getting the error.
  Phase: 1
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
  object-group service DM_INLINE_SERVICE_7
  service-object tcp destination eq ssh
  service-object ip
  service-object tcp destination eq ftp
  Additional Information:
  Phase: 2
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 3
  Type: INSPECT
  Subtype: inspect-ftp
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect ftp
  service-policy global_policy global
  Additional Information:
  Phase: 4
  Type: FOVER
  Subtype: standby-update
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 26135657, packet dispatched to next module
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  Action: allow

• ASA5505, SYN attack, ISP and IPS module

  Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
  I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
  So I have two questions:
  1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
  2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
  Any and all advice is welcome.
  Thanks,
  Diego

  Hi Diego,
  As Julio mentioned, info has to be there. Do you have the 'show xlate' when the issue was seen? In such cases, along with xlate table, you can check connection for hosts making unusual number of connections (show connection count/show connection all). Here are few useful commands in such scenarios:
  show local-host connection udp 100-10000          << Gives host with total UDP connections b/w 100-1000
  show local-host connection tcp 100-10000          << Same info for hosts making TCP connections
  show local-host connection embryonic 100-10000    << hosts with 100-1000 embryonic connections
  Change the range as per need.
  Sourav

• SNMP - Scan and Syn Attack OIDs

  Hello support community,
  Im looking for snmp oids for scan and syn attack, im trying to build a graph with cacti that would represent a historical with DOS and scan attacks. I have looked MIB and i dont see anything jumping at me about these OIDs. Can you please help me on finding these?
  Thanks,
  Delmiro

  I opened a casa with TAC, and they stated that these oids are not supported. I thought i would post my findings here incase anyone else was looking for them.

• SYN attack

  Hi All,
  I have router and inside interface is connected to firewall.
  Last week i had attack one of my internal server  and i also loosing connectivity to inside interface of the firewall.
  But today suddenly internet was down when checked link was up but i  also not able to ping to router inerface.
  When checked in firewall there was a log indicating SYN attack but source and destination ip was not mentioned.
  Can anybody suggest.

  Prevent the attack itself ?
  No
  Mitigate the impact on services ?
  to some extent yes. read the link below
  The agressor can always oversaturate your internetlink.
  It is just a numbers game, a SYN packet size is X your link has size Y and can traverse Z packets per second.
  Then the agressor just needs to send enough syn packets through to eat up the resources of Y or Z wichever comes first.
  However that is not the normal way of using syn attacks since there are faster ways to oversaturate the link.
  the normal way of using syn attacks is to steal resources away from the server that is under attack by not establishing a full tcp connection.
  This is mitigated in the firewall who sits inbetween the agressor and the server and answers the Syn packets and only lets through the ones that are legit.
  http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
  Good luck
  HTH

• S_ALR_87012357 / S_ALR_87012356-Wrong reporting of tax amounts on the tax reports.

  Hi,
  S_ALR_87012357 / S_ALR_87012356
  Tax amount for tax codes V9, VP and VT are calculated and
  displayed correctly in FI reporting but they are reported at a higher amount in
  the tax reports run by transactions S_ALR_87012357 / S_ALR_87012356.
  Since its a standard report , I would expect there would  be a way of correcting this wrong tax amount showing this report .
  Is there any SAP note regarding this error ?
  Appreciate your help and advise..
  Kind Regards
  Thiru

  Hi Srikanth ,
  As you mentioned it is showing the difference ...
  Please find attached screenshot ...
  Is there a way to correct this ? since its creating an issue& confusing from Finance/Accounting point of view...
  Kind regards
  Siva..

• CSS Style (report column attributes) not working

  I found the CSS Style settings for a report column only seem to work if using a "Standard Report Column". Since the report is wider than the screen, some columns are wrapping, making the report not-that-nice readable.
  Unfortunately I have the need to define some report columns where undesired wrapping occurs as "Display as Text (based on LOV, does not save state)" and tried to avoid wrapping using "white-space:nowrap;" or specifying a fixed width, but it seems I'm out of luck - is there a way around this (other than performing the report query using a huge DECODE clause and setting the column to "Standard Report Column" again, which somewhat renders the LOV useless except for the select list on the data entry form)? This is happening on APEX 3.12.
  Furthermore - is this expected behaviour?
  Thanks in advance,
  Holger

  Furthermore - is this expected behaviour?Looks like it, or it is a [long-standing bug|http://forums.oracle.com/forums/thread.jspa?messageID=1126613]. I've tried it (although only have access to APEX 3.0 at present) and none of the CSS class/style/custom attributes from Column Formatting or Tabular Form Element are being applied. If it's not a bug then it should be raised as an enhancement request.
  In the meantime you'll need to work round it.
  other than performing the report query using a huge DECODE clause Is that necessary due to a static LOV? If it's dynamic based on a table/view then get the look-up value in the query via a join or scalar subquery so you have a Standard Report Column and can use the CSS class/style/custom attributes from Column Formatting.
  Alternatively, stick with the Display as Text from LOV and create a custom named column report template using [colgroup/col|http://reference.sitepoint.com/html/colgroup] to specify fixed width columns.

• Possible SYN Attack

  I am getting an alert from 2 of my servers. The alert is worded as such: [ID 995438 kern.warning] WARNING: High TCP connect timeout rate! System (port 25) may be under a SYN flood attack!
  My system is Version 5.9 patch level Sun Generic_122300-38
  I have found other postings with this very issue, but they're pertaining to version 5.10. They refer to patch 11999-03, which is now obsolete, however, this patch will not work for my system.
  Can someone help point me in the right direction to the patch that will work for my system?

  Solaris by default is not tuned particularly well for handling large numbers of tcp connections.
  So if the servers are busy, that could easily trigger these messages.
  Try putting the following into a startup script to adjust the tuning.
  I have found it helpfull on our high activity web/proxy servers.
  /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192
  /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 2048

• CSS Load reporting to the GSS via KAL-AP

  Question 1 :
  When load calculation is enabled on the CSS, how does the CSS aggregate individual load values of each real service for transmission to the GSS ?
  Question 2:
  If we use the use a script on a management server that would gather server load information (typically CPU utilization) and then dynamically set the load value for each service, does the CSS aggregate these load values and transmit the result to the GSS via KAL-AP as well ?
  Thank you
  Yves

  Yves,
  this is the 2nd time you post this question and unfortunately I do not think you will get an answer.
  It's a tough question because the load subject is not very well-known outside Cisco and even internally very few people now exactly how it works.
  If this is really important for you, I would suggest to contact a Sales person at Cisco and ask him to research this information for you.
  Regards,
  Gilles.

• Half-open SYN Attack 3050.0

  Is there a trick to getting the signature 3050 ?half open syn flood? to produce an alert?
  The Cisco Intrusion Prevention System is on version 5.1(1p1) S229.0.
  We have tuned the signature to alert at 2048 half open connections.
  syn-flood-max-embrionic: 2048 default: 5000
  A ?show statistics virtual-sensor? shows that
  TCP streams currently in the embryonic state = 2871?
  but still no alert appears on the console.
  The signature use the normalizer engine and the event-action is set to ?produce-alert?
  Any help regarding this would be appreciated.

  What type of sensor are using?
  On the ASA-SSM-10 and ASA-SSM-20, the normalizer signatures will not be triggered (including the Syn Flood signature).
  The ASA-SSMs relie on the TCP Normalization features of the ASA itself to monitor for TCP anomalies including SYN Floods.
  For other sensors realize that the SYN Flood signature is tracked on a per server and per port basis. So with a 2048 setting there must be 2048 embryonic connections to a specific port on a specific server IP.
  The 2871 number you are seeing in the statistic is for ALL embryonic connections to ALL ports on ALL server IPs. If this is a deployed sensor it is unlikely that all 2871 embryonic connections from the statistics are to the same server IP/port.