DoS attack

Hi!
Our webservice is based on WebLogic stateless session bean sample. As it was
done in the sample, I used to create the connection object like this:
theMyConnect = new MyConnectService(theURI).getMyConnectServicePort();
I create new object for each client call, and I thought that this was OK,
because WebLogic documentation does not say anything about freeing the
connection. In fact, it says that web service is just a wrapper for normal
connection through servlet. Thus, for each call (if they can be
distinguished from each other, of course), server creates new HttpSession
object. Brief analysis of decompiled WebLogic code shows that WebLogic took
some measures to maintain session and to prevent number of connections.
Anyway, what happens in reality if
ConnectService(theURI).getMyConnectServicePort() is called for each web
service call, is that during load test after about 1500 calls WebLogic hangs
with OutOfMemoryException. (-mx200). Application can be restored only by
restarting the server. If this call is done only once at the start of the
application, OutOfMemory does not happen.
I think that Bea might give some recommendations and precautions for
developers about this matter. Also, it would be nice if WebLogic web service
helper classes were revised to ensure that no OutOfMemory would occur. The
reason for this is that B2B calls are not as C2B calls, they may happen in
massive flow, and all data should be maintained properly.
We are still using WL7.0.0.0 GA. Upgrade is not desired right now, but may
be considered if this bug is fixed in 7.0.0.1.
Michael J.

First you have to be aware that the cvpn is kind of a legacy technology and some of the vulnerabilities that IKE has presented in the past might be present on this box. The important part to cover here is to make sure that your box does not have a weak IKE policy enabled, which will include DES, MD5 and DH1; if this is an IKE policy that you have enabled then make sure it is disabled since it is easily breakable.
Unfortunately there is no feature on the CVPN that will rate or prevent unknown IKE requests but disabling these combinations might help.
As for the study materials you can go ahead and read the user's guide for this box.

Similar Messages

  • Protect against DOS attack on NIO Server

    I have a NIO server which recently underwent a DOS attack. The attack was very simply a packet flood in which a rogue engineered client sent a packet request to the system 80,000 times in about 5 seconds.
    The packet was successfully ignored in the application code (it just logged it). Logging usually takes the IP address but in this case using getInetAddress() on the socket channel returned null every time.
    However, as far as future protection goes how could I modify the system to be able to withstand such attacks? Under normal operation the server would establish TCP socket connection with client on a public port. Then client sends login packet and if authorized client can send other request packets to get data and perform user actions (like chatting).
    In this attack user did not bother to attempt to login and instead just sent many of the same data request packets over and over, causing the system to use up the thread pool and block other legitimate clients from now connecting. I am not expert in security like this, so what is best practice for making code stand up?
    Some general questions I can think of:
    - would using SSL help?
    - some way to throttle client requests to a certain frequency or byte limit per second?
    - should have one port for login and another for data requests after login succeed?
    Thanks In Advance.

    You can't use SSL with non-blocking NIO unless you want to tackle the complexities of the SSLEngine (or use my Scalable SSL product), and in any case I'm not sure it would really help - it would just move the DOS attack into the SSLEngine handling. Separate ports won't help either as there is nothing to stop the attacker using either of them, or both.
    Maybe your best defence is to identify rogue packets as quickly as possible, and drop the entire connection if you get a bad packet (e.g. one where getInetAddress() returns null, although in fact I don't see how that is actually possible). You might proceed from there to logging rogue source addresses and dropping connections from them immediately.
    I would also investigate what can be done in the firewall configuration.
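
The throttling and drop-on-bad-packet ideas from this thread, as an added example that is not code from either poster: a per-connection guard that combines a token bucket with a strike limit for non-login packets sent before authentication. The class name, the limits (20 requests/s, burst of 40, 3 strikes) and the `isLoginPacket` flag are assumptions of this example.

```java
/**
 * Added example: per-connection guard for a login-then-request protocol.
 * In a Selector loop, keep one guard per connection with key.attach(guard);
 * on CLOSE_CONNECTION call key.cancel() and close the channel, so a flood
 * never reaches the worker thread pool.
 */
final class ConnectionGuard {
    enum Verdict { ACCEPT, DROP_PACKET, CLOSE_CONNECTION }

    private final double ratePerSec; // sustained requests per second allowed
    private final double burst;      // bucket capacity (short bursts allowed)
    private final int maxStrikes;    // violations tolerated before closing
    private double tokens;
    private long lastNanos;
    private int strikes;
    private boolean authenticated;

    ConnectionGuard(double ratePerSec, double burst, int maxStrikes, long nowNanos) {
        this.ratePerSec = ratePerSec;
        this.burst = burst;
        this.maxStrikes = maxStrikes;
        this.tokens = burst;
        this.lastNanos = nowNanos;
    }

    /** Call once the login packet has been verified by the application. */
    void markAuthenticated() {
        authenticated = true;
        strikes = 0;
    }

    /** Decide what to do with one decoded packet before any real work is done. */
    Verdict onPacket(boolean isLoginPacket, long nowNanos) {
        // Rule 1: before login, anything other than a login packet is a violation.
        if (!authenticated && !isLoginPacket) {
            return strike();
        }
        // Rule 2: token bucket. Refill by elapsed time, capped at the burst size.
        double elapsedSec = (nowNanos - lastNanos) / 1_000_000_000.0;
        tokens = Math.min(burst, tokens + elapsedSec * ratePerSec);
        lastNanos = nowNanos;
        if (tokens >= 1.0) {
            tokens -= 1.0;
            if (authenticated) {
                strikes = 0; // a well-behaved authenticated client is forgiven
            }
            return Verdict.ACCEPT;
        }
        return strike();
    }

    private Verdict strike() {
        strikes++;
        return strikes >= maxStrikes ? Verdict.CLOSE_CONNECTION : Verdict.DROP_PACKET;
    }

    /** Replays evenly spaced packets; returns the index that closed the connection, or -1. */
    static int replay(ConnectionGuard guard, int count, double seconds, boolean loginPackets) {
        long stepNanos = (long) (seconds * 1e9 / count);
        for (int i = 0; i < count; i++) {
            if (guard.onPacket(loginPackets, i * stepNanos) == Verdict.CLOSE_CONNECTION) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed replay of the flood described in the post:
        // 80,000 data requests in about 5 seconds, never logging in.
        ConnectionGuard flood = new ConnectionGuard(20, 40, 3, 0L);
        System.out.println("flood: closed at packet index "
                + replay(flood, 80_000, 5.0, false));

        // Constructed normal client: logs in, then sends 50 requests over 5 seconds.
        ConnectionGuard normal = new ConnectionGuard(20, 40, 3, 0L);
        normal.onPacket(true, 0L);
        normal.markAuthenticated();
        System.out.println("normal client: closed at packet index "
                + replay(normal, 50, 5.0, false));
    }
}
```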

  • DoS attacks in java(urgent)

    I am an undergraduate student and currently working on network security project based on denial of service attacks in java. I have established a client/server connection and now want to capture all incoming packets at the receiving end (server) and then monitor them for DoS attack. Is it possible if anybody could help me a little bit in this as soon as possible? I know JPCap class would be a better option but I don't know how to deploy it in my current code. Thanks
    Please email me on [email protected]
    Regards,
    Sameen Khan

    Dear Salpeter,
    Ok if you think i'm not close to it then u can help
    and guide...I have been through several books on DOS
    attacks. I know about its theory but don't know how to
    code in java.....actually this is my term proj, which
    is due in a week or so.......just couldn't do it
    although i'm good at simple java but not java in
    networking security....if you know any website where i
    could get its complete code for help then plz tell
    me...thanks

    What have you been doing all term? Due in a week? And you don't know Java? Sounds like you're screwed.
    How will your prof feel about you downloading someone else's complete code and turning it in as if it were yours? Where I come from we call that "cheating".

  • Solution to Prevent the DOS Attack

    Hello Experts,
    We have our Production Servers placed at ISP DC where we are using Cisco ASA firewall model 5505 and all the servers placed behind the firewall. The bandwidth we have 100 MBPS and there is no IPS device in between.
    Since long time, we have been experiencing some network issues and recently we detected the D-DOS attack affecting our Prod Services and now we are looking to have a solution to mitigate the attack.
    Can somebody please suggest the solution which must be cheapest in the terms of COST to get this attack stopped?
    We contacted to Radware on this but the solution that they are recommending is too expensive.
    Can we achieve the solution by implementing the Cisco IPS module/appliance and will it work to prevent the D-DOS attack?
    Whatever best solution you can recommend then please suggest and an early response on this would be highly appreciated as we need to have a quick solution.
    Thanks.

    Hello Ray,
    Hope you are doing fine.
    Okay the less expensive:
    1- Using the MPF on the ASA set the limits for the amount of connections open to a server or the embryonic connections.
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075
    One a little bit more expensive:
    2- Get the IPS module and prevent that by enabling the required signatures.
    Side note: I would recommend you talking about this problem with your ISP so you can avoid getting this overload of traffic on your outside interface so bandwidth can be used on the right traffic and connections.
    Regards,
    Julio Carvajal      

  • Solution to Prevent the D-DOS Attack

    Hello Experts,
    We have our Production Servers placed at ISP DC where we are using Cisco ASA firewall model 5505 and all the servers placed behind the firewall. The bandwidth we have 100 MBPS and there is no IPS device in between.
    Since long time, we have been experiencing some network issues and recently we detected the D-DOS attack affecting our Prod Services and now we are looking to have a solution to mitigate the attack.
    Can somebody please suggest the solution which must be cheapest in the terms of COST to get this attack stopped?
    We contacted to Radware on this but the solution that they are recommending is too expensive.
    Can we achieve the solution by implementing the Cisco IPS module/appliance and will it work to prevent the D-DOS attack?
    Whatever best solution you can recommend then please suggest and an early response on this would be highly appreciated as we need to have a quick solution.
    Thanks.

    Ray,
    The only real option you have with the 5505 is the Cisco ASA AIP SSC-5 module. It should also help with the DDOS problem you find yourself with. You do need to understand that the 5505's and the AIP SSC-5 are EOL now.
    You probably need to consider budgeting for upgrading this equipment in the near future....

  • Drop outs and - [DoS attack: ACK Scan RST Scan, Teardrop attack....]

    Hi all

    Dropped a little excerpt of my router status log below. Basically the internet keeps dropping out, making streaming a pain in the a##.... If anyone could offer advice, suggestions etc, it'd be greatly appreciated.

    Our internet was flawless for three days at our new address, no drop outs, stable, fair speed. However the last two days all of a sudden we are getting continual drop outs...??

    I have done the usual basics:
    - Checked lines, replaced and tested cables, replaced with new filter and tested without filters.
    - Tested using three different modems (known working), Netcomm, Netgear, Telstra Technicolour... All perform the exact same.
    - Updated modem firmwares, and powercycled all modems.
    - Factory reset each modem.
    - (We don't have a static IP, so each time it drops there is a new IP. However after a while the DOS rubbish happens again and the internet drops out.)
    - Tested using PPPOA and PPPOE, might be luck, but PPPOE seems better?
    - Tested using different line noise profiles. No change.
    Recently I also changed all the Wifi security options so that only one PC is on the network, in case one PC is causing the drama??
    - Now using a Netgear DGND3700v2 (like it best lol)

    Connection stats:
    ADSL Link          Downstream   Upstream
    Link Rate          5442 Kbps    923 Kbps
    Line Attenuation   47.0 dB      28.0 dB
    Noise Margin       6.4 dB       6.7 dB

    Today's status log:
    [admin login] from source 192.168.0.3 Wednesday, July 15,2015 02:43:09
    [Initialized, firmware version: V1.1.00.23_1.00.23 ] Wednesday,

    Yesterday's: I removed the ADSL password from the modem last night so that it wouldn't connect? If that makes any difference.

    Status log:
    [UPnP set event:DeletePortMapping] from source 192.168.0.4 Tuesday, July 14,2015 12:53:36

    We have had same issues over last 3 days and now. We are in Tamborine Village QLD.
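
One way to triage a router status log in the format quoted in this thread, as an added example that is not part of either post: it tallies `[DoS attack: ...]` entries by type and by source address and counts `[DSL: Up]` events, which mark each resync. It also counts entries whose source port is a common server port (80, 443, 5223; that list is an assumption of this example), because replies from servers a LAN client was already talking to can be logged under these labels once the router has lost the connection state. The sample lines are constructed and use documentation address ranges.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: summarise a router status log (class name is hypothetical). */
final class RouterLogTriage {
    // Matches: [DoS attack: <type>] from source: <ip>:<port> <timestamp>
    private static final Pattern DOS_LINE = Pattern.compile(
            "^\\s*\\[DoS attack: ([^\\]]+)\\] from source: "
            + "(\\d{1,3}(?:\\.\\d{1,3}){3}):(\\d{1,5})\\b");

    // Assumption: ports on which LAN clients commonly hold long-lived sessions.
    private static final Set<Integer> SERVER_PORTS = Set.of(80, 443, 5223);

    final Map<String, Integer> byType = new TreeMap<>();
    final Map<String, Integer> bySource = new TreeMap<>();
    int total;
    int fromServerPorts;
    int linkUps;
    int otherLines;

    /** Classify one log line and update the counters. */
    void accept(String line) {
        Matcher m = DOS_LINE.matcher(line);
        if (m.find()) {
            total++;
            byType.merge(m.group(1).trim(), 1, Integer::sum);
            bySource.merge(m.group(2), 1, Integer::sum);
            if (SERVER_PORTS.contains(Integer.parseInt(m.group(3)))) {
                fromServerPorts++;
            }
        } else if (line.contains("[DSL: Up]")) {
            linkUps++; // each one marks a resync, i.e. the end of a drop-out
        } else if (!line.isBlank()) {
            otherLines++; // DHCP, UPnP, NTP, admin login and similar entries
        }
    }

    public static void main(String[] args) {
        // Constructed sample lines in the router's log format.
        List<String> sample = List.of(
            "[DoS attack: ACK Scan] from source: 203.0.113.17:5223 Wednesday, July 15,2015 02:29:11",
            "[DoS attack: ACK Scan] from source: 203.0.113.17:5223 Wednesday, July 15,2015 02:28:48",
            "[DoS attack: RST Scan] from source: 198.51.100.8:443 Wednesday, July 15,2015 02:22:00",
            "[DoS attack: Teardrop Attack] from source: 192.0.2.77:59976 Wednesday, July 15,2015 02:15:41",
            "[DoS attack: ACK Scan] from source: 192.0.2.200:51345 Wednesday, July 15,2015 02:13:23",
            "[DHCP IP: (192.168.0.2)] to MAC address 02:00:00:00:00:01 Wednesday, July 15,2015 02:12:24",
            "[Internet connected] IP address: 198.51.100.50 Wednesday, July 15,2015 02:10:12",
            "[DSL: Up] Wednesday, July 15,2015 02:10:07");

        RouterLogTriage triage = new RouterLogTriage();
        sample.forEach(triage::accept);

        System.out.println("DoS-labelled entries: " + triage.total);
        System.out.println("  by type:   " + triage.byType);
        System.out.println("  by source: " + triage.bySource);
        System.out.println("  from common server ports: " + triage.fromServerPorts);
        System.out.println("DSL resyncs: " + triage.linkUps);
        System.out.println("other entries: " + triage.otherLines);
    }
}
```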

  • Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

    Hi ,
    Since couple of weeks, I am getting below DOS attack logs on cisco CSS. Can anyone help me out about how can we avoid this? And how to deal with it.
    04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
    04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
    04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
    Thanks
    Manish

    Hi Nicolas,
    Why I am asking about DOS attack as I am facing some issues for the 2 VIPs configured in cisco CSS 11501.
    Can you help me troubleshooting the issue?
    I have coming across some Load Balancing issues for the 2 VIPS configured on Cisco CSS11501.
    We have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers. Now Client calls to FE VIP and LB forwarding it to server and then FE server calls the BE VIP which goes through the same LB and forward to BE server under the VIP. When we start load test, we have observed after 2 hour test, application team getting HTTP timeout. As this application is used by Call center so getting timeout is bad.
    Need to troubleshoot this issue if there is any problem from LB End.
    Please find the attached file for VIP configs.

  • Generated some Dos attacks: no corresponding IDS event is generated

    I installed and configured a Cisco IDS 4250 sensor.
    Actually the sniffing interface has been placed on a lan segment residing on the internal network, so, by monitoring IEV logs, I could see lots of events, but all belonging to a few category of signatures, and quite all informational. That's why, In order to generate some more significant network activity to verify correct sensor behaviour, I placed my workstation running a vulnerability assessment tool (ISS Internet Scanner) on the outside vlan (where the sniffing interface resides), and issued several common dos attacks against one workstation residing on one of the inside vlans.
    Some example of attacks generated are : SYN flood, Ping of death, UDP bomb, Land, Teardrop. I also generated a lot of tcp scan activity. Using Internet Scanner logs I verified that those attacks reached the destination machine.
    The fact is that neither IEV default view nor "sh ev" sensor commands showed any event related to my activity. The only events generated by my workstation during my tests, matched signatures "NET FLOOD UDP" (maybe signame 6910) and signature with sig number 1107 (I don't remember the name). In both cases destination ip is multicast or broadcast address.
    I verified that those signatures I was expected to match my attack packets were enabled (I verified so by "sh conf" command), so I don't see any reason why the sensor did not register any event related to the attacks I perpetrated.
    Am I missing something ? Have anyone any idea to make me understand why the results are not the ones expected?
    Thanks in advance and Regards
    Marina

    When a user complains that they are only seeing alarms with multicast or broadcast addresses, then this usually points to a sensor connected to a switch where Span has not been configured.
    When the sensor is connected to a switch, the switch will normally only send broadcast and multicast (with an occasional unicast) packet to the sensor.
    So the sensor is not being sent the packets created by your ISS scanner.
    The switch must be configured to copy these packets to your sensor. This switch configuration is normally done through the Span or Monitor command. Check your switch configuration to see how to configure these commands on your switch.
    If you are not connecting the sensor to the switch or believe that the Span configuration is correct, then the next step is to run tcpdump on the sensor and verify whether or not the packets are actually being sent to the sensor.
    1) In older versions of the sensor you need to configure the sensor to monitor the interface (I think was changed in version 4.1(4) so the interface can still be monitored while tcpdump is used)
    2) Create a service account
    3) Login to the service account
    4) Switch to user root (using same password as service account).
    5) Type "ifconfig -a" and determine which interface is your sniffing interface.
    6) Run "tcpdump -i " to start seeing packets coming in that interface.
    7) Execute the ISS scan.
    8) Look through the output of tcpdump to see if those packets are making it to the sensor.
    9) If the tcpdump does not see the ISS packets, then either span is misconfigured or the switch is not plugged in where you think it is.
    10) If the tcpdump is seeing the packets, then reconfigure the sensor to watch the interface again.
    If you have verified that the sensor IS receiving the packets then the next step is to try and generate traffic that triggers specific signatures.
    A side note:
    Often times scanners can tell you about a vulnerability without actually executing the attack. The scanner checks OS version and patches to see if it is vulnerable, but does not send packets to actually attack the machine. Especially in cases where sending the attack itself would have caused the target machine to crash.
    This type of reconnaissance is often considered benign and will not trigger the alarm. An actual attack has to be executed against the vulnerability to fire the alarm.
    So for your ISS scanner you should see some alarms, but will not likely see alarms for every vulnerability that the ISS notifies you about.

  • DOS attack affected BIOS ACPI - need DOS BIOS for Satellite P60

    Help!!!!
    I am looking for the DOS version of the latest BIOS for the Satellite P60(C), but it seems it is not available for any users on any Toshiba site.
    I installed the latest (1.9 for windows) but have the feeling that it still was not good enough to stave off attacks, since suddenly it does not want to boot from the hard disk, and even running software from the CD ROM meets up with a "sticky" end. (either BSOD with ACPI invalid information) or it will not even start on the hard drive, but will start on the floppy drive.
    So, I am looking for the latest version of the DOS-based BIOS, but they have locked it out on the USA site and do not show it on the Canadian site.
    I have repaired a lot of computers, installed BIOS updates.
    I do not know what the difference is between the BIOS of the P60E, P60C, P60A, but assume since it is based on the same model parameters it could not be that different.
    So, what I am looking for is the BIOS for mine, but will settle with any one of the P60's

    Hi
    I think you will be not successful finding a traditional BIOS update.
    The Toshiba pages provide only the BIOS updates which can be updated from the Windows OS.
    > I do not know what the difference is between the BIOS of the P60E, P60C, P60A, but assume since it is based on the same model parameters it could not be that different.
    I think the differences are not visible for a common notebook user but it looks like the different A60 notebooks were delivered with different devices like CPUs or GPUs and therefore the BIOS update is not the same.
    bye

  • Stopping DOS Attacks - Methods?

    Does anyone have any helpful tips on stopping Denial of
    Service attacks. What I mean is this --
    If someone sits there in their browser and hits REFRESH 100
    times on a page that requires a lot of database interactivity, it
    can bring down your server pretty quick. ColdFusion connections sit
    in a queue and keep running and running and running.
    Is there a way that if someone hits REFRESH on a page, that
    it stops the query that is running and starts it again for that
    user?
    Looking forward to some thoughts on this.
    Sincerely,
    Ray

    rmajoran wrote:
    > Does anyone have any helpful tips on stopping Denial of Service attacks. What
    > I mean is this --
    >
    > If someone sits there in their browser and hits REFRESH 100 times on a page
    > that requires a lot of database interactivity, it can bring down your server
    > pretty quick. ColdFusion connections sit in a queue and keep running and
    > running and running.
    >
    > Is there a way that if someone hits REFRESH on a page, that it stops the query
    > that is running and starts it again for that user?
    >
    > Looking forward to some thoughts on this.
    >
    > Sincerely,
    > Ray

    Make use of data and response caching techniques so that the page does not need to be completely re-built for each and every identical request.
    Make use of form validation that prevents the resubmitting of forms.
    Make use of web server and|or router techniques that mitigate DOS type attacks.

  • DOS Attack Behavior and CSS11506

    Some Security Guy decided this morning to make a full scan for any exploits using Nessus the *NIX tool.
    After he reached our two CSS11506 they both deny http, ftp or ssh sessions. The Content Redirection is still working although some users report it being slower than usual. Using the serial console connection I can still access the CLI.
    Q: Is the behavior of not accessible services like ftp, ssh, http, etc. the cause of a successful exploit or is this a "shutdown" by design.
    If this is a design behavior, can I resume the previous behavior with a command in config or privileged mode? My current option is only a restart of both CSS.
    Log from today:
    MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from <Source IP>
    MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
    MAY 3 11:05:51 1/1 1496 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
    MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/1.0
    MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-NessusSSH_1.0
    MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
    MAY 3 11:09:22 1/1 1510 NETMAN-4: Did not receive identification string from <Source IP>
    MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
    MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
    MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from <Source IP>

    Too bad regarding the design issue, that means I have to restart both CSS.
    When I last checked the VIP Addresses and show summary everything was looking normal. The two CSS are still running with bugged ssh/http service but content redirection is still working fine. That is at least the most important thing about it.
    The "attack" was only this morning so everything is okay by now. But before rebooting the machines I wanted to verify if this was on purpose or like it seems to be a DOS Exploit in some way.
    Regarding the Update I will check that out tomorrow. If you would like some special information for debugging purpose just let me know before I will restart the machines.
    Thanks for the Feedback,
    Roble

  • How do I stop my server from being a DNS open resolver used for DOS attacks

    I just received this message:
    Dear Charter Business Internet Customer,
    Charter Communications has been notified that a DNS server on your network participated in a large-scale network impacting distributed denial-of-service (DDoS) attack. The DNS server is acting as an “Open Resolver” and requires configuration changes.
    We are asking that you take immediate action to update the DNS server(s) on your network, to remediate this issue.
    What action do I take to fix this?
    OSX Server 10.10.2
    Paul

    Paul Kleeberg wrote:
    > I will also block port 53 from the outside.
    > Once again, thank you all for your assistance.  As is obvious, I know just enough to be dangerous.
    > Paul
    It seems odd to me that port 53 is allowing inbound requests - a firewall should be between your server & the internet, you may want to check other services too. The internal server firewall isn't intended to be the only line of defence unless you are experienced in setting it up. NTP or other services can be used in other attacks.
    I wonder if this could help… (it scans the open ports at your IP, ignore the styling of the site).
    https://www.grc.com/x/ne.dll?bh0bkyd2

  • Bad Ip header Received and Dos Attack alert Css11503

    Hi,
    I'm currently experiencing problems with my redundant CSS's I have logging setup to e-mail errors. Intermittently I receive the following messages;
    JAN 16 10:22:08 1/1 1392227 IPV4-4: Ipv4MasterForwIphdrChk: Dest = 224.0.0.18,
    Src = 192.168.99.2, DosAttack ILLEGAL SOURCE
    JAN 16 10:22:08 1/1 1392228 VRRP-4: VrrpMain: bad IP header received, Bman free'd
    From a previous post I noticed that there was a bug similar to this, but I am currently using a version of software that is supposed to resolve this problem.
    Web-CSS01# sh ver
    Version: sg0720104 (7.20 Build 104)
    Flash (Locked): 7.10 Build 3
    Flash (Operational): 7.20 Build 104
    Type: PRIMARY
    Licensed Cmd Set(s): Standard Feature Set
    Enhanced Feature Set
    Secure Management
    I would be very grateful for any help on this.

    The bug you mentioned is related to multicast traffic that the CSS does not understand.
    In this case, this is traffic generated by a CSS.
    This is VRRP, the protocol used for CSS redundancy.
    I believe you opened a case for this and the suggestion (which is correct) is to have preempt only on one CSS not on both.
    You could also experience this, if one side is not configured for redundancy.
    So, check your config and make sure you apply the recommendations.
    Regards,
    Gilles.

  • Cisco 4404 WLC causing a DOS attack several times a day

    Hi Everyone
    Excuse if this is a duplicate post, but I have searched the forums, but no joy. I also posted it in wireless security as this is where I felt it fits.
    Anyway onto my issue:
    I manage a CISCO 4404 WLC with about 46 access points across our WAN. System works very well, serving trusted users, guests etc very well.
    However, over the last month or two we have had an issue where we have had high load on our WAN.
    We have traced this down to the CISCO 4404, about 3-4 times a day, the controller connects to every access point and transmits about 5-8mb of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
    Yes, 46 x 5mb = no WAN for about 2-5 minutes.
    ARGH!
    So can anyone suggest where I start to look? I am happy to post configs etc. Firmware 7.0.230
    Cheers

    Hi Steve
    Yes it is the capwap port. The remote access points are in hreap mode and servicing trusted network access (802.1x) and guest access  is tunnelled across the wan with local breakout from the 4404 via a dedicated vlan. The guest wireless is wpa2.
    As the traffic originates from the 4404 and goes to all access points we don't believe it is a network breach. I always hate the phrase "it affects everyone", it usually does not, however in this instance the packeteer shows it does connect to every access point.
    DNS is also configured so when new access points are connected they get auto join and get a base configuration.
    This issue has been going on since at least Christmas and we put a packeteer box between our wan and our local network. We can say it is the 4404.

  • How to report possible Port scanning and DOS/Fraggle Attack??

    I have been experiencing lag while surfing the internet. One temporary solution was to get a new IP from VZ but this fix was short lived. So I became curious and started to log connection attempts to my router and noticed what I saw resembled port scans and even a Fraggle/DOS attack at times. I am posting my router's log below and would like to know how to go about reporting this abuse and what I see as malicious activity?
    Mar 29 00:34:16.843: %SEC-6-IPACCESSLOGP: list 115 denied tcp 112.216.99.210(60289) -> .(443), 1 packet
    Mar 29 02:09:24.956: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 1 packet
    Mar 29 02:14:54.973: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 4 packets
    Mar 29 04:46:18.559: %SEC-6-IPACCESSLOGP: list 115 denied tcp 123.125.67.205(60157) -> .(80), 1 packet
    Mar 29 04:51:54.975: %SEC-6-IPACCESSLOGP: list 115 denied tcp 123.125.67.205(60157) -> .(80), 1 packet
    Mar 29 08:37:38.717: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(49683) -> .(80), 1 packet
    Mar 29 08:42:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(49683) -> .(80), 4 packets
    Mar 29 11:58:37.525: %SEC-6-IPACCESSLOGP: list 115 denied tcp 69.162.74.105(4529) -> .(80), 1 packet
    Mar 29 12:00:33.395: %SEC-6-IPACCESSLOGP: list 115 denied tcp 209.216.8.220(8615) -> .(443), 1 packet
    Mar 29 12:03:55.001: %SEC-6-IPACCESSLOGP: list 115 denied tcp 69.162.74.105(4529) -> .(80), 1 packet
    Mar 29 15:09:06.512: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(39516) -> (80), 1 packet
    Mar 29 15:14:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(39516) -> (80), 4 packets
    Mar 29 20:06:44.831: %SEC-6-IPACCESSLOGP: list 115 denied tcp 190.30.227.242(45712) -> .(80), 1 packet
    Mar 29 23:42:44.255: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(58914) -> .(80), 1 packet
    Mar 29 23:47:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(58914) -> .(80), 2 packets
    Mar 30 01:19:56.075: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48356) -> .(80), 1 packet
    Mar 30 01:25:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48356) -> .(80), 2 packets
    Mar 30 01:51:48.109: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(32276) -> .(80), 1 packet
    Mar 30 01:56:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(32276) -> .(80), 2 packets
    Mar 30 02:15:11.578: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48235) -> .(80), 1 packet
    Mar 30 02:20:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48235) -> .(80), 2 packets
    Mar 30 02:49:55.370: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(65092) -> .(80), 1 packet
    Mar 30 02:55:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(65092) -> .(80), 2 packets
    Mar 30 03:05:05.854: %SEC-6-IPACCESSLOGP: list 115 denied tcp 59.178.47.229(3152) -> .(23), 1 packet
    Mar 30 03:10:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 59.178.47.229(3152) -> .(23), 1 packet
    Mar 30 03:19:07.806: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28767) -> .(80), 1 packet
    Mar 30 03:24:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28767) -> .(80), 2 packets
    Mar 30 03:43:44.223: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(22501) -> (80), 1 packet
    Mar 30 03:48:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(22501) -> (80), 2 packets
    Mar 30 04:11:31.035: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(47011) -> .(80), 1 packet
    Mar 30 04:16:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(47011) -> .(80), 2 packets
    Mar 30 04:42:01.195: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(56753) -> .(80), 1 packet
    Mar 30 04:47:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(56753) -> .(80), 2 packets
    Mar 30 05:11:34.130: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35301) -> .(80), 1 packet
    Mar 30 05:16:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35301) -> .(80), 2 packets
    Mar 30 05:41:22.621: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(33024) -> .(80), 1 packet
    Mar 30 05:46:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(33024) -> .(80), 2 packets
    Mar 30 06:08:02.091: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54807) -> .(80), 1 packet
    Mar 30 06:13:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54807) -> .(80), 2 packets
    Mar 30 06:34:59.547: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(29217) -> .(80), 1 packet
    Mar 30 06:40:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(29217) -> .(80), 2 packets
    Mar 30 07:03:04.100: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54153) -> .(80), 1 packet
    Mar 30 07:08:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54153) -> .(80), 2 packets
    Mar 30 07:31:13.494: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17308) -> .(80), 1 packet
    Mar 30 07:36:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17308) -> .(80), 2 packets
    Mar 30 08:02:27.161: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48707) -> .(80), 1 packet
    Mar 30 08:07:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48707) -> .(80), 2 packets
    Mar 30 08:33:47.283: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28540) -> .(80), 1 packet
    Mar 30 20:04:23.585: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(22702) -> .4(22), 1 packet
    Mar 30 20:21:10.696: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35592) -> .(80), 1 packet
    Mar 30 20:26:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35592) -> .(80), 2 packets
    Mar 30 20:52:52.313: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(25460) -> .(80), 1 packet
    Mar 30 20:57:54.965: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(25460) -> .(80), 2 packets
    Mar 30 21:30:11.984: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17145) -> .(80), 1 packet
    Mar 30 21:35:54.963: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17145) -> .(80), 2 packets
    Mar 30 21:43:27.829: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 30 21:43:27.889: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> . (0/0), 1 packet
    Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.213 -> (0/0), 1 packet
    Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.214 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 30 21:48:54.977: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.211 -> (0/0), 1 packet
    Mar 30 22:01:32.255: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(30967) -> .(80), 1 packet
    Mar 30 22:06:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(30967) -> .(80), 2 packets
    Mar 30 22:10:18.301: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(31796) -> .(80), 1 packet
    Mar 30 22:15:54.965: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(31796) -> .(80), 2 packets
    Mar 30 23:03:12.464: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 30 23:08:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 31 00:41:30.769: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(35443) -> .(22), 1 packet
    Mar 31 03:00:11.425: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(58521) -> .(80), 1 packet
    Mar 31 03:00:12.527: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(42339) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(41726) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(59178) -> .(80), 1 packet
    Mar 31 03:46:26.767: %SEC-6-IPACCESSLOGP: list 115 denied tcp 184.154.4.85(58071) -> .(80), 1 packet
    Mar 31 04:12:08.935: %SEC-6-IPACCESSLOGP: list 115 denied tcp 109.104.74.10(51151) -> .(22), 1 packet
    Mar 31 12:10:19.683: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 1 packet
    Mar 31 12:15:54.960: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 4 packets
    Mar 31 14:23:34.316: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 14:28:54.962: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 20:37:34.630: %SEC-6-IPACCESSLOGP: list 115 denied tcp 208.100.1.174(39803) -> .(21), 1 packet
    Mar 31 20:40:49.542: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 1 packet
    Mar 31 20:45:54.958: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 4 packets
    Mar 31 21:18:03.788: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 31 21:18:03.832: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> (0/0), 1 packet
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 130.81.137.230 -> (0/0), 2 packets
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.207 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.208 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 31 21:23:54.972: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 31 21:57:25.351: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(59472) -> .(22), 1 packet
    Mar 31 22:00:45.852: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet
    Mar 31 22:05:54.959: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet

    You're getting hit from IPs from everywhere, so there's no true person to ask in regards to this. Whoever had your IP last was probably up to no good, or it's possible for some reason your IP was targeted. Might also be possible that whoever had your IP last was running servers. My Dedicated server gets hit with this nonsense all the time. Sometimes it's an issue with someone trying to DoS one of the game servers I run on it. Causes lag for only a few seconds before the hardware firewall in front of the server kicks in and handles the rest. China I actually wound up blocking access to entirely for a month or two since I've hardly seen anything that wasn't a port scan or an SSH/FTP hacking attempt.
    A few of those IPs are owned by Google and Microsoft, which implies there was probably an HTTP server at one point running on the IP you're using now.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!
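
The router log in the thread above mixes TCP denials (`%SEC-6-IPACCESSLOGP`), ICMP denials (`%SEC-6-IPACCESSLOGDP`) and fragment-table overflow warnings, which is hard to judge by eye. The Python summary below is an added example, not part of any forum post: it groups denials by source so that sources touching several ports stand apart from sources returning to a single port. The sample lines are constructed with RFC 5737 documentation addresses, and the `scan_ports` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the log posted above
# (RFC 5737 documentation addresses; destination redacted as in the post).
SAMPLE = """\
Mar 30 03:05:05.854: %SEC-6-IPACCESSLOGP: list 115 denied tcp 192.0.2.10(3152) -> .(23), 1 packet
Mar 30 03:06:01.100: %SEC-6-IPACCESSLOGP: list 115 denied tcp 192.0.2.10(3153) -> .(22), 1 packet
Mar 30 03:06:09.200: %SEC-6-IPACCESSLOGP: list 115 denied tcp 192.0.2.10(3154) -> (80), 1 packet
Mar 30 04:11:31.035: %SEC-6-IPACCESSLOGP: list 115 denied tcp 198.51.100.34(47011) -> .(80), 1 packet
Mar 30 04:16:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 198.51.100.34(47011) -> .(80), 2 packets
Mar 30 21:43:27.829: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 203.0.113.200 -> (0/0), 1 packet
Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 203.0.113.201 -> . (0/0), 1 packet
Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 203.0.113.202 -> (0/0), 1 packet
"""

# The destination may be redacted or empty, so anything up to "(" is skipped.
L4 = re.compile(r"%SEC-6-IPACCESSLOGP: list \S+ denied (tcp|udp) "
                r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> [^(]*\((\d+)\), (\d+) packets?")
ICMP = re.compile(r"%SEC-6-IPACCESSLOGDP: list \S+ denied icmp "
                  r"(\d+\.\d+\.\d+\.\d+) -> [^(]*\((\d+)/(\d+)\), (\d+) packets?")

def summarize(text, scan_ports=3):
    ports = defaultdict(set)       # source -> distinct destination ports
    packets = defaultdict(int)     # source -> sum of reported packet counts
    icmp_nets = defaultdict(set)   # /24 prefix -> distinct ICMP sources
    frag_overflows = 0
    for line in text.splitlines():
        if "FRAG_TABLE_OVERFLOW" in line:
            frag_overflows += 1
        elif (m := L4.search(line)):
            _, src, _, dport, count = m.groups()
            ports[src].add(int(dport))
            packets[src] += int(count)
        elif (m := ICMP.search(line)):
            src = m.group(1)
            icmp_nets[src.rsplit(".", 1)[0] + ".0/24"].add(src)
    return {
        # several distinct ports from one source: sweep-like (heuristic)
        "multi_port": sorted(s for s, p in ports.items() if len(p) >= scan_ports),
        # one port only: e.g. crawlers or clients of a former service (heuristic)
        "single_port": sorted(s for s, p in ports.items() if len(p) == 1),
        "packets": dict(packets),
        "icmp_by_net": {n: len(s) for n, s in icmp_nets.items()},
        "frag_overflows": frag_overflows,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```
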
