Generated some DoS attacks: no corresponding IDS event is generated

I installed and configured a Cisco IDS 4250 sensor.
Actually the sniffing interface has been placed on a LAN segment residing on the internal network, so, by monitoring IEV logs, I could see lots of events, but all belonging to a few categories of signatures, and almost all informational. That's why, in order to generate some more significant network activity to verify correct sensor behaviour, I placed my workstation running a vulnerability assessment tool (ISS Internet Scanner) on the outside VLAN (where the sniffing interface resides), and issued several common DoS attacks against one workstation residing on one of the inside VLANs.
Some examples of the attacks generated are: SYN flood, Ping of death, UDP bomb, Land, Teardrop. I also generated a lot of TCP scan activity. Using Internet Scanner logs I verified that those attacks reached the destination machine.
The fact is that neither the IEV default view nor the "sh ev" sensor command showed any event related to my activity. The only events generated by my workstation during my tests matched signatures "NET FLOOD UDP" (maybe signame 6910) and the signature with sig number 1107 (I don't remember the name). In both cases the destination IP is a multicast or broadcast address.
I verified that the signatures I expected to match my attack packets were enabled (I verified so with the "sh conf" command), so I don't see any reason why the sensor did not register any event related to the attacks I perpetrated.
Am I missing something? Does anyone have any idea to help me understand why the results are not the ones expected?
Thanks in advance and Regards
Marina

When a user complains that they are only seeing alarms with multicast or broadcast addresses, then this usually points to a sensor connected to a switch where Span has not been configured.
When the sensor is connected to a switch, the switch will normally only send broadcast and multicast (with an occasional unicast) packet to the sensor.
So the sensor is not being sent the packets created by your ISS scanner.
The switch must be configured to copy these packets to your sensor. This switch configuration is normally done through the Span or Monitor command. Check your switch configuration to see how to configure these commands on your switch.
If you are not connecting the sensor to the switch or believe that the Span configuration is correct, then the next step is to run tcpdump on the sensor and verify whether or not the packets are actually being sent to the sensor.
1) In older versions of the sensor you need to configure the sensor to monitor the interface (I think this was changed in version 4.1(4) so the interface can still be monitored while tcpdump is used)
2) Create a service account
3) Login to the service account
4) Switch to user root (using same password as service account).
5) Type "ifconfig -a" and determine which interface is your sniffing interface.
6) Run "tcpdump -i <interface>" to start seeing packets coming in that interface.
7) Execute the ISS scan.
8) Look through the output of tcpdump to see if those packets are making it to the sensor.
9) If the tcpdump does not see the ISS packets, then either span is misconfigured or the switch is not plugged in where you think it is.
10) If the tcpdump is seeing the packets, then reconfigure the sensor to watch the interface again.
If you have verified that the sensor IS receiving the packets then the next step is to try and generate traffic that triggers specific signatures.
A side note:
Often times scanners can tell you about a vulnerability without actually executing the attack. The scanner checks OS version and patches to see if it is vulnerable, but does not send packets to actually attack the machine. Especially in cases where sending the attack itself would have caused the target machine to crash.
This type of reconnaissance is often considered benign and will not trigger the alarm. An actual attack has to be executed against the vulnerability to fire the alarm.
So for your ISS scanner you should see some alarms, but will not likely see alarms for every vulnerability that the ISS notifies you about.
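
Added example (not part of the original thread, and not Cisco code): steps 6 to 9 above come down to asking whether unicast packets from the scanner to the target ever reach the sniffing interface. The Python sketch below makes that check on saved `tcpdump -n` text output; the addresses, the sample capture lines and the 5% unicast threshold are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -n prints IPv4 packets as: TIME IP SRC[.SPORT] > DST[.DPORT]: ...
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:\s]+):")


def host_of(endpoint):
    """Drop the trailing .port from '10.1.1.5.44321' (ICMP lines have none)."""
    return ".".join(endpoint.split(".")[:4])


def classify(dst, local_nets):
    """Label a destination address as multicast, broadcast or unicast."""
    if dst.is_multicast:
        return "multicast"
    if str(dst) == "255.255.255.255" or any(
        dst == net.broadcast_address for net in local_nets
    ):
        return "broadcast"
    return "unicast"


def summarize(lines, scanner, target, local_nets, unicast_floor=0.05):
    """Count destination types and decide what the capture says about SPAN.

    unicast_floor is an assumed threshold: below it, the few unicast packets
    are treated as the "occasional unicast" a non-mirrored port still sees.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    scanner = ipaddress.ip_address(scanner)
    target = ipaddress.ip_address(target)
    counts, test_flow = Counter(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ARP, IPv6 and continuation lines are ignored
        try:
            src = ipaddress.ip_address(host_of(m["src"]))
            dst = ipaddress.ip_address(host_of(m["dst"]))
        except ValueError:
            continue
        counts[classify(dst, nets)] += 1
        if src == scanner and dst == target:
            test_flow += 1
    total = sum(counts.values())
    if total == 0:
        verdict = "NO_IP_TRAFFIC"             # wrong interface or cabling
    elif test_flow:
        verdict = "TEST_TRAFFIC_SEEN"         # mirroring works, look at signatures
    elif counts["unicast"] / total < unicast_floor:
        verdict = "BROADCAST_MULTICAST_ONLY"  # typical of a port with no SPAN
    else:
        verdict = "UNICAST_BUT_NOT_TEST_FLOW"  # SPAN covers other ports/VLANs
    return {"counts": dict(counts), "test_flow": test_flow, "verdict": verdict}


# Constructed sample captures (not taken from the thread).
SCANNER, TARGET, NETS = "10.10.1.50", "10.20.1.25", ["10.10.1.0/24"]

CAPTURE_NO_SPAN = [
    "12:00:01.000001 IP 10.10.1.50.138 > 10.10.1.255.138: UDP, length 201",
    "12:00:01.200000 IP 10.10.1.1 > 224.0.0.5: OSPFv2, Hello, length 48",
    "12:00:02.000000 IP 10.10.1.50.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (32)",
    "12:00:02.500000 ARP, Request who-has 10.10.1.1 tell 10.10.1.50, length 46",
    "12:00:03.000000 IP 10.10.1.7.68 > 255.255.255.255.67: BOOTP/DHCP, Request, length 300",
]

CAPTURE_WITH_SPAN = CAPTURE_NO_SPAN + [
    "12:05:01.000000 IP 10.10.1.50.40001 > 10.20.1.25.80: Flags [S], seq 1, win 1024, length 0",
    "12:05:01.000100 IP 10.10.1.50.40002 > 10.20.1.25.22: Flags [S], seq 1, win 1024, length 0",
    "12:05:01.000200 IP 10.20.1.25.22 > 10.10.1.50.40002: Flags [S.], seq 9, ack 2, win 512, length 0",
]

if __name__ == "__main__":
    for name, cap in (("no SPAN", CAPTURE_NO_SPAN), ("with SPAN", CAPTURE_WITH_SPAN)):
        print(name, summarize(cap, SCANNER, TARGET, NETS))
```

A `BROADCAST_MULTICAST_ONLY` result matches the symptom described in the question: the only alarms that fire are the ones whose destination is a multicast or broadcast address.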

Similar Messages

  • Protect against DOS attack on NIO Server

    I have a NIO server which recently underwent a DOS attack. The attack was very simply a packet flood in which a rogue engineered client sent a packet request to the system 80,000 times in about 5 seconds.
    The packet was successfully ignored in the application code (it just logged it). Logging usually takes the IP address but in this case using getInetAddress() on the socket channel returned null every time.
    However, as far as future protection goes how could I modify the system to be able to withstand such attacks? Under normal operation the server would establish TCP socket connection with client on a public port. Then client sends login packet and if authorized client can send other request packets to get data and perform user actions (like chatting).
    In this attack user did not bother to attempt to login and instead just sent many of the same data request packets over and over, causing the system to use up the thread pool and block other legitimate clients from now connecting. I am not expert in security like this, so what is best practice for making code stand up?
    Some general questions I can think of:
    - would using SSL help?
    - some way to throttle client requests to a certain frequency or byte limit per second?
    - should have one port for login and another for data requests after login succeed?
    Thanks In Advance.

    You can't use SSL with non-blocking NIO unless you want to tackle the complexities of the SSLEngine (or use my Scalable SSL product), and in any case I'm not sure it would really help - it would just move the DOS attack into the SSLEngine handling. Separate ports won't help either as there is nothing to stop the attacker using either of them, or both.
    Maybe your best defence is to identify rogue packets as quickly as possible, and drop the entire connection if you get a bad packet (e.g. one where getInetAddress() returns null, although in fact I don't see how that is actually possible). You might proceed from there to logging rogue source addresses and dropping connections from them immediately.
    I would also investigate what can be done in the firewall configuration.
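
Added example (not from the thread, and written in Python rather than the poster's Java): a sketch of the policy discussed above, where a connection that sends a data request before login, or whose address cannot be resolved, is dropped, repeat offenders are refused at accept time, and logged-in clients are throttled with a token bucket. The class name, packet kinds, thresholds and addresses are hypothetical.

```python
from dataclasses import dataclass

ALLOW, THROTTLE, DROP = "allow", "throttle", "drop"


@dataclass
class Conn:
    addr: str
    tokens: float
    last: float
    authenticated: bool = False


class ConnectionGuard:
    """Decides, before any worker thread is used, what to do with a packet."""

    def __init__(self, rate=20.0, burst=40, strikes_to_ban=3, ban_seconds=600.0):
        self.rate = rate                  # requests per second after login
        self.burst = float(burst)         # bucket size
        self.strikes_to_ban = strikes_to_ban
        self.ban_seconds = ban_seconds
        self.strikes = {}                 # addr -> dropped connections so far
        self.banned = {}                  # addr -> time the ban expires

    def accept(self, addr, now):
        """Return a Conn, or None when the connection must be closed at once."""
        if addr is None:                  # the null getInetAddress() case
            return None
        expiry = self.banned.get(addr)
        if expiry is not None:
            if now < expiry:
                return None
            del self.banned[addr]         # ban has run out
        return Conn(addr, tokens=self.burst, last=now)

    def on_packet(self, conn, kind, now, login_ok=False):
        if kind == "login":
            if login_ok:
                conn.authenticated = True
                return ALLOW
            return self._strike(conn.addr, now)
        if not conn.authenticated:        # data request before login
            return self._strike(conn.addr, now)
        # Token bucket: refill for the elapsed time, then spend one token.
        conn.tokens = min(self.burst, conn.tokens + (now - conn.last) * self.rate)
        conn.last = now
        if conn.tokens < 1.0:
            return THROTTLE               # discard the request, keep the client
        conn.tokens -= 1.0
        return ALLOW

    def _strike(self, addr, now):
        count = self.strikes.get(addr, 0) + 1
        if count >= self.strikes_to_ban:
            self.banned[addr] = now + self.ban_seconds
            self.strikes.pop(addr, None)
        else:
            self.strikes[addr] = count
        return DROP


def replay_flood(guard, addr, packets, start=0.0, gap=0.0000625):
    """Replay `packets` pre-login data requests, reconnecting after each drop.

    Returns (handled, refused): packets that reached on_packet() versus
    connection attempts refused at accept time. The default gap corresponds
    to 80,000 packets in 5 seconds.
    """
    handled = refused = 0
    for i in range(packets):
        now = start + i * gap
        conn = guard.accept(addr, now)
        if conn is None:
            refused += 1
            continue
        guard.on_packet(conn, "data", now)
        handled += 1
    return handled, refused


if __name__ == "__main__":
    g = ConnectionGuard(rate=10, burst=5)
    print(replay_flood(g, "198.51.100.7", 80000))  # constructed address
```

Banning by source address also affects every client behind the same NAT, which is why the ban here expires instead of being permanent.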

  • Solution to Prevent the DOS Attack

    Hello Experts,
    We have our Production Servers placed at ISP DC where we are using Cisco ASA firewall model 5505 and all the servers placed behind the firewall. The bandwidth we have 100 MBPS and there is no IPS device in between.
    Since long time, we have been experiencing some network issues and recently we detected the D-DOS attack affecting our Prod Services and now we are looking to have a solution to mitigate the attack.
    Can somebody please suggest the solution which must be cheapest in the terms of COST to get this attack stopped?
    We contacted to Radware on this but the solution that they are recommending is too expensive.
    Can we achieve the solution by implementing the Cisco IPS module/appliance and will it work to prevent the D-DOS attack?
    Whatever best solution you can recommend then please suggest and an early response on this would be highly appreciated as we need to have a quick solution.
    Thanks.

    Hello Ray,
    Hope you are doing fine.
    Okay the less expensive:
    1- Using the MPF on the ASA set the limits for the amount of connections open to a server or the embryonic connections.
    http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1414075
    One a little bit more expensive:
    2- Get the IPS module and prevent that by enabling the required signatures.
    Side note: I would recommend you talking about this problem with your ISP so you can avoid getting this overload of traffic on your outside interface so bandwidth can be used on the right traffic and connections.
    Regards,
    Julio Carvajal      

  • Solution to Prevent the D-DOS Attack

    Hello Experts,
    We have our Production Servers placed at ISP DC where we are using Cisco ASA firewall model 5505 and all the servers placed behind the firewall. The bandwidth we have 100 MBPS and there is no IPS device in between.
    Since long time, we have been experiencing some network issues and recently we detected the D-DOS attack affecting our Prod Services and now we are looking to have a solution to mitigate the attack.
    Can somebody please suggest the solution which must be cheapest in the terms of COST to get this attack stopped?
    We contacted to Radware on this but the solution that they are recommending is too expensive.
    Can we achieve the solution by implementing the Cisco IPS module/appliance and will it work to prevent the D-DOS attack?
    Whatever best solution you can recommend then please suggest and an early response on this would be highly appreciated as we need to have a quick solution.
    Thanks.

    Ray,
    The only real option you have with the 5505 is the Cisco ASA AIP SSC-5 module. It should also help with the DDOS problem you find yourself with. You do need to understand that the 5505's and the AIP SSC-5 are EOL now.
    You probably need to consider budgeting for upgrading this equipment in the near future....

  • Drop outs and - [DoS attack: ACK Scan RST Scan, Teardrop attack....]

    Hi all
    Dropped a little excerpt of my router status log below. Basically the internet keeps dropping out, making streaming a pain in the a##.... If anyone could offer advice, suggestions etc, it'd be greatly appreciated.
    Our internet was flawless for three days at our new address, no drop outs, stable, fair speed. However the last two days all of a sudden we are getting continual drop outs...??
    I have done the usual basics:
    - Checked lines, replaced and tested cables, replaced with new filter and tested without filters.
    - Tested using three different modems (known working), Netcomm, Netgear, Telstra technicolour... All perform the exact same.
    - Updated modem firmwares, and powercycled all modems.
    - Factory reset each modem.
    - We don't have a static ip, so each time it drops there is a new ip. However after a while the DOS rubbish happens again and the internet drops out.
    - Tested using PPPOA and PPPOE, might be luck, but pppoe seems better?
    - Tested using different line noise profiles. No change.
    Recently I also changed all the Wifi Security options so that only one pc is on the network, in case one pc is causing the drama??
    - Now using a netgear DGND3700v2 (like it best lol)

    Connection stats:
    ADSL Link          Downstream    Upstream
    Link Rate          5442 Kbps     923 Kbps
    Line Attenuation   47.0 dB       28.0 dB
    Noise Margin       6.4 dB        6.7 dB

    Todays Status log:
    [admin login] from source 192.168.0.3 Wednesday, July 15,2015 02:43:09
    [DoS attack: ACK Scan] from source: 216.189.219.70:17005 Wednesday, July 15,2015 02:41:30
    [DoS attack: ACK Scan] from source: 27.252.96.71:62655 Wednesday, July 15,2015 02:39:23
    [DoS attack: ACK Scan] from source: 122.52.119.31:17560 Wednesday, July 15,2015 02:37:55
    [DoS attack: RST Scan] from source: 179.184.140.115:16884 Wednesday, July 15,2015 02:30:12
    [DoS attack: ACK Scan] from source: 17.132.254.11:5223 Wednesday, July 15,2015 02:29:46
    [DoS attack: ACK Scan] from source: 17.132.254.17:5223 Wednesday, July 15,2015 02:29:11
    [DoS attack: ACK Scan] from source: 17.132.254.17:5223 Wednesday, July 15,2015 02:28:48
    [DoS attack: ACK Scan] from source: 17.132.254.17:5223 Wednesday, July 15,2015 02:28:27
    [DoS attack: ACK Scan] from source: 104.16.21.35:443 Wednesday, July 15,2015 02:23:35
    [DoS attack: ACK Scan] from source: 104.16.21.35:443 Wednesday, July 15,2015 02:23:04
    [DoS attack: RST Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:22:00
    [DHCP IP: (192.168.0.2)] to MAC address F0:25:B7:18:BF:90 Wednesday, July 15,2015 02:21:24
    [DoS attack: ACK Scan] from source: 60.240.152.126:443 Wednesday, July 15,2015 02:18:07
    [DoS attack: ACK Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:16:46
    [DoS attack: ACK Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:14:46
    [DHCP IP: (192.168.0.3)] to MAC address DC:85E:02:CE:18 Wednesday, July 15,2015 02:14:25
    [DoS attack: ACK Scan] from source: 207.46.11.151:443 Wednesday, July 15,2015 02:13:56
    [DoS attack: ACK Scan] from source: 173.252.102.16:443 Wednesday, July 15,2015 02:13:33
    [DoS attack: ACK Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:12:46
    [Time synchronized with NTP server time-g.netgear.com] Wednesday, July 15,2015 02:12:46
    [DoS attack: ACK Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:11:45
    [DoS attack: ACK Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:11:15
    [DoS attack: ACK Scan] from source: 27.111.254.110:5223 Wednesday, July 15,2015 02:10:45
    [Internet connected] IP address: 123.211.78.198 Wednesday, July 15,2015 02:10:12
    [DSL: Up] Wednesday, July 15,2015 02:10:07
    [admin login] from source 192.168.0.3 Wednesday, July 15,2015 02:09:49
    [UPnP set event:AddPortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:27
    [UPnP set event:DeletePortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:27
    [UPnP set event:AddPortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:27
    [UPnP set event:DeletePortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:27
    [UPnP set event:AddPortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:22
    [UPnP set event:AddPortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:22
    [UPnP set event:AddPortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:22
    [UPnP set event:AddPortMapping] from source 192.168.0.3 Wednesday, July 15,2015 02:09:22
    [DHCP IP: (192.168.0.3)] to MAC address DC:85E:02:CE:18 Wednesday, July 15,2015 02:09:22
    [DHCP IP: (192.168.0.2)] to MAC address F0:25:B7:18:BF:90 Wednesday, July 15,2015 02:09:14
    [Initialized, firmware version: V1.1.00.23_1.00.23 ] Wednesday,

    YESTERDAYS: I removed the ADSL password from the modem last night so that it wouldn't connect? If that makes any difference

    Status Log:
    [UPnP set event:DeletePortMapping] from source 192.168.0.4 Tuesday, July 14,2015 12:53:36
    [DoS attack: ACK Scan] from source: 181.208.125.20:51345 Tuesday, July 14,2015 12:39:23
    [DoS attack: Teardrop Attack] from source: 173.169.23.13:56601 Tuesday, July 14,2015 12:39:08
    [DoS attack: Teardrop Attack] from source: 173.169.23.13:56601 Tuesday, July 14,2015 12:39:08
    [DoS attack: Teardrop Attack] from source: 77.163.26.201:59976 Tuesday, July 14,2015 12:35:41
    [DoS attack: Teardrop Attack] from source: 77.163.26.201:59976 Tuesday, July 14,2015 12:35:41
    [DoS attack: Teardrop Attack] from source: 77.163.26.201:59976 Tuesday, July 14,2015 12:35:19
    [DoS attack: Teardrop Attack] from source: 77.163.26.201:59976 Tuesday, July 14,2015 12:35:19
    [DoS attack: Teardrop Attack] from source: 77.163.26.201:59976 Tuesday, July 14,2015 12:35:17
    [DoS attack: ACK Scan] from source: 178.167.254.109:55704 Tuesday, July 14,2015 12:35:16
    [DoS attack: ACK Scan] from source: 197.89.134.91:54291 Tuesday, July 14,2015 12:33:14
    [DHCP IP: (192.168.0.4)] to MAC address DC:85E:02:CE:18 Tuesday, July 14,2015 12:26:04
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:21:34
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:19:40
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:19:40
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:19:39
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:19:39
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:19:39
    [DoS attack: Teardrop Attack] from source: 23.119.204.188:48371 Tuesday, July 14,2015 12:19:38
    [DoS attack: RST Scan] from source: 174.16.237.129:51413 Tuesday, July 14,2015 12:16:09
    [UPnP set event:AddPortMapping] from source 192.168.0.4 Tuesday, July 14,2015 12:13:30
    [UPnP set event:AddPortMapping] from source 192.168.0.4 Tuesday, July 14,2015 12:13:30
    [DHCP IP: (192.168.0.4)] to MAC address DC:85E:02:CE:18 Tuesday, July 14,2015 12:13:24
    [DoS attack: ACK Scan] from source: 106.10.198.32:443 Tuesday, July 14,2015 12:11:54
    [DoS attack: ACK Scan] from source: 23.53.154.185:443 Tuesday, July 14,2015 12:10:51
    [DoS attack: ACK Scan] from source: 23.53.154.185:443 Tuesday, July 14,2015 12:10:20
    [DHCP IP: (192.168.0.3)] to MAC address 48:5A:3F:62:F2:E9 Tuesday, July 14,2015 12:09:38
    [DHCP IP: (192.168.0.2)] to MAC address F0:25:B7:18:BF:90 Tuesday, July 14,2015 11:54:14
    [DoS attack: ACK Scan] from source: 94.23.38.22:25565 Tuesday, July 14,2015 11:52:04
    [DoS attack: RST Scan] from source: 54.192.133.206:443 Tuesday, July 14,2015 11:50:57
    [DoS attack: ACK Scan] from source: 167.114.0.26:51127 Tuesday, July 14,2015 11:44:05
    [DoS attack: RST Scan] from source: 54.192.132.41:443 Tuesday, July 14,2015 11:39:42
    [DoS attack: RST Scan] from source: 179.60.193.52:443 Tuesday, July 14,2015 11:36:55
    [DoS attack: RST Scan] from source: 54.192.134.28:443 Tuesday, July 14,2015 11:36:27
    [DHCP IP: (192.168.0.2)] to MAC address F0:25:B7:18:BF:90 Tuesday, July 14,2015 11:29:31
    [DoS attack: ACK Scan] from source: 178.32.34.50:80 Tuesday, July 14,2015 09:04:57
    [DoS attack: ACK Scan] from source: 52.68.183.36:5223 Tuesday, July 14,2015 08:53:04
    [DoS attack: ACK Scan] from source: 52.68.183.36:5223 Tuesday, July 14,2015 08:52:25
    [DoS attack: ACK Scan] from source: 17.132.254.15:5223 Tuesday, July 14,2015 08:38:45
    [DoS attack: ACK Scan] from source: 17.132.254.15:5223 Tuesday, July 14,2015 08:38:10
    [DoS attack: ACK Scan] from source: 17.132.254.15:5223 Tuesday, July 14,2015 08:37:37
    [DoS attack: ACK Scan] from source: 167.114.0.26:51227 Tuesday, July 14,2015 08:22:34
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 08:11:56
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 08:11:33
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 08:04:20
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 08:02:20
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 08:00:19
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 07:58:19
    [DoS attack: ACK Scan] from source: 202.108.23.105:5287 Tuesday, July 14,2015 07:56:03
    [DoS attack: ACK Scan] from source: 66.135.213.210:443 Tuesday, July 14,2015 07:54:45
    [DoS attack: ACK Scan] from source: 179.60.193.2:443 Tuesday, July 14,2015 07:54:21
    [Time synchronized with NTP server time-g.netgear.com] Tuesday, July 14,2015 07:54:03
    [DoS attack: ACK Scan] from source: 66.135.211.97:443 Tuesday, July 14,2015 07:54:00
    [Internet connected] IP address: 121.222.126.130 Tuesday, July 14,2015 07:53:32
    [DSL: Up] Tuesday, July 14,2015 07:53:27    

    We have had same issues over last 3 days and now. We are in Tamborine Village QLD.

  • Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

    Hi ,
    Since a couple of weeks, I am getting the below DOS attack logs on cisco CSS. Can anyone help me out about how we can avoid this, and how to deal with it?
    04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
    04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
    04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
    04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
    Thanks
    Manish

    Hi Nicolas,
    Why I am asking about DOS attack is that I am facing some issues for the 2 VIPs configured in cisco CSS 11501.
    Can you help me troubleshooting the issue?
    I have come across some Load Balancing issues for the 2 VIPs configured on Cisco CSS11501.
    We have cisco CSS 11501. We have 2 VIPs configured on it for FE and BE servers. Now Client calls to FE VIP and LB forwarding it to server and then FE server calls the BE VIP which goes through the same LB and forward to BE server under the VIP. When we start load test, we have observed after 2 hour test, application team getting HTTP timeout. As this application is used by Call center so getting timeout is bad.
    Need to troubleshoot this issue if there is any problem from LB End.
    Please find the attached file for VIP configs.

  • IDS Event viewer error

    Hi All
    Please help me out with this. I am getting the attached IDS Event viewer error while trying to install it. Please let me know the probable causes and how to rectify the same.
    Regards
    Ankur

    At what stage of installation are you seeing this error?
    It appears that a SSL certificate has expired, or an applet has a digital signature based on a certificate that has recently expired.
    If you can provide recreation steps then we can figure out what certificate is expiring, and determine the next steps in resolving your issue.
    Without knowing anything else my best guess at this point is that the SSL certificate on your sensor has expired. If the sensor has been deployed in your network for over a year, then this just could be the standard expiration of the SSL certificate on your sensor. Try connecting from a web browser directly to your sensor. When your web browser connects it should warn you if the sensor certificate is expired. If this is the case then ssh or telnet to the sensor and execute: "tls generate-key" to enforce the creation of a new SSL certificate for your sensor.
    If the error is not from an expired SSL certificate, then it is from other certificate or digital signature and we will need to try and recreate in our lab.
    Once you provide us with re-create steps, then there is something you might try for a short term solution as we try to re-create.
    You might try setting the date/time on your PC to a few days ago. The certificate appears to have expired on April 23rd so setting it back to April 20th may make the error go away. I am not positive this will work, but may be worth a shot if you need access immediately and can't wait a day or 2 as analysis is done. This is not a permanent solution and would just be a temporary workaround as we try to analyze what certificate is expiring.

  • DoS attacks in java(urgent)

    I am an undergraduate student and currently working on a network security project based on denial of service attacks in java. I have established a client/server connection and now want to capture all incoming packets at the receiving end (server) and then monitor them for DoS attack. Is it possible if anybody could help me a little bit in this as soon as possible. I know JPCap class would be a better option but I don't know how to deploy it in my current code. Thanks
    Please email me on [email protected]
    Regards,
    Sameen Khan

    Dear Salpeter,
    Ok if you think i'm not close to it then u can help
    and guide...I have been through several books on DOS
    attacks. I know about its theory but don't know how to
    code in java.....actually this is my term proj, which
    is due in a week or so.......just couldn't do it
    although i'm good at simple java but not java in
    networking security....if you know any website where i
    could get its complete code for help then plz tell
    me...thanks

    What have you been doing all term? Due in a week? And you don't know Java? Sounds like you're screwed.
    How will your prof feel about you downloading someone else's complete code and turning it in as if it were yours? Where I come from we call that "cheating".

  • IDSMC 2.0.1 How to see the total IDS Events in Database

    If I:
    1. In "Security Monitor" - "Data Management" - "Database" - "Rules" specify a trigger condition "Notify via e-mail" and set the trigger action "Total IDS events in database exceed" to 50000
    2. Then in the "Security Monitor" - "Monitor" - "Events" - Launch Event Viewer with "Event Start Time" set to "At Earliest".
    3. And delete all events from database. Then after a while the trigger action for 50000 IDS events is triggered and sends the e-mail notification even though I only see a few thousand events in the Security Monitor.
    4. Is this a bug (that the Security Monitor only shows a few thousand events) or is there another way to see the total number of IDS events in the database?
    Thanks
    Gert

    This document should explain it better,
    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon20/ug/ch04.htm#wp322337

  • I have an older phone, the Iphone 4.  For some reason, all of my calendar events are gone.  I can't see old, present or future events.  Help me please.  I need this information.

    I have an older phone, the Iphone 4.  For some reason, all of my calendar events are gone.  I can't see old, present or future events.  Help me please.  I need this information.

    Please please help me, if you know how.

  • We got some error while fetching your calendar events.

    We got some error while fetching your calendar events. Please try again. Please try again.
    Suddenly I receive the above message and cannot access my calendar list of events although the calendar itself is displayed. I have closed down several times but the message persists.I am using MAC OSX Snow Leopard/ Firefox 4.01

    I have this same problem. Using XP Home SP3 and Firefox 8.0

  • How to download IDS event viewer 4.1?

    Dear Sir,
    I have IDS 4215, now I can access IDM by IE6 but I don't know how to download IDS event viewer.
    Can you help me,
    Thanks very much
    NhuongPham

    The addition of IEV and the IEV signature updates made the sensor updates too large (sometimes doubling the size of the updates).
    We have several customers that are monitoring sensors on a global network.
    Many of the sensors are connected through low bandwidth connections.
    The large updates were causing delays in getting signature updates loaded on these remote sensors.
    It became a priority to reduce the size of the updates needing to be pushed to the remote sensors.
    These customers are generally using Security Monitor rather than IEV because of the large number of sensors being managed.
    So the customers who were not using IEV were having problems because of the additional IEV files having to be pushed to their sensors when they would never use these IEV files.
    So it was decided to remove the IEV updates from the sensor updates and separately post these on CCO.
    IEV customers were already having to make 2 downloads: the sensor update download from CCO, and the IEV download from the sensor.
    So now both downloads are just made from CCO.

  • Stopping DOS Attacks - Methods?

    Does anyone have any helpful tips on stopping Denial of Service attacks. What I mean is this --
    If someone sits there in their browser and hits REFRESH 100 times on a page that requires a lot of database interactivity, it can bring down your server pretty quick. ColdFusion connections sit in a queue and keep running and running and running.
    Is there a way that if someone hits REFRESH on a page, that it stops the query that is running and starts it again for that user?
    Looking forward to some thoughts on this.
    Sincerely,
    Ray

    rmajoran wrote:
    > Does anyone have any helpful tips on stopping Denial of Service attacks. What
    > I mean is this --
    >
    > If someone sits there in their browser and hits REFRESH 100 times on a page
    > that requires a lot of database interactivity, it can bring down your server
    > pretty quick. ColdFusion connections sit in a queue and keep running and
    > running and running.
    >
    > Is there a way that if someone hits REFRESH on a page, that it stops the query
    > that is running and starts it again for that user?
    >
    > Looking forward to some thoughts on this.
    >
    > Sincerely,
    > Ray
    >
    Make use of data and response caching techniques so that the page does not need to be completely re-built for each and every identical request.
    Make use of form validation that prevents the resubmitting of forms.
    Make use of web server and|or router techniques that mitigate DOS type attacks.

  • DOS Attack Behavior and CSS11506

    Some Security Guy decided this morning to make a full scan for any exploits using Nessus the *NIX tool.
    After he reached our two CSS11506, they both deny http, ftp or ssh sessions. The Content Redirection is still working although some users report it being slower than usual. Using the serial console connection I can still access the CLI.
    Q: Is the behavior of not accessible services like ftp, ssh, http, etc. the cause of a successful exploit or is this a "shutdown" by design.
    If this is a design behavior, can I resume the previous behavior with a command in config or privileged mode? My current option is only a restart of both CSS.
    Log from today:
    MAY 3 11:05:51 1/1 1494 NETMAN-4: Did not receive identification string from <Source IP>
    MAY 3 11:05:51 1/1 1495 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
    MAY 3 11:05:51 1/1 1496 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs.
    MAY 3 11:05:51 1/1 1497 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. GET / HTTP/1.0
    MAY 3 11:06:02 1/1 1498 NETMAN-4: Protocol major versions differ for <Source IP>: SSH-1.99-OpenSSH_3.0.2p1 vs. SSH-9.9-NessusSSH_1.0
    MAY 3 11:07:33 1/1 1509 NETMAN-0: Read from socket failed: errno = 0x36
    MAY 3 11:09:22 1/1 1510 NETMAN-4: Did not receive identification string from <Source IP>
    MAY 3 11:17:05 1/1 1511 NETMAN-0: Couldn't obtain random bytes (error 604389476)
    MAY 3 11:17:05 1/1 1512 NETMAN-0: key_free: bad key type -1899582736
    MAY 3 11:17:05 1/1 1513 NETMAN-4: Did not receive identification string from <Source IP>

    Too bad regarding the design issue, that means I have to restart both CSS.
    When I last checked the VIP addresses and show summary everything was looking normal. The two CSS are still running with bugged ssh/http service but content redirection is still working fine. That is at least the most important thing about it.
    The "attack" was only this morning so everything is okay by now. But before rebooting the machines I wanted to verify if this was on purpose or, like it seems to be, a DOS exploit in some way.
    Regarding the update I will check that out tomorrow. If you would like some special information for debugging purposes just let me know before I restart the machines.
    Thanks for the Feedback,
    Roble

  • No audio for some files in the Final Cut Event/Original Media folder

    Hi, recently, I noticed that some of the video files stored into the Final Cut Event/"Event"/Original Media folder had no audio. They do have audio when I read them into FCP X but not when I open them as ordinary files in the Finder. It worries me as it makes these files unusable in any other application, unless I "share" them from FCP X. It's no big deal but it's more work and on the principle, it's criminal: why FCP X would strip the audio off an original? Video and photo applications now work on the non-destructive principle!
    I usually shoot videos with a DSLR (Canon 550D/T2i) and a GoPro 3. It seems that the files impacted are the ones shot with the Canon and optimized for FCP X. The GoPro files are fine, optimized or not.
    Is there any solution to this problem or will I have to export the files from FCP X?

    Thank you very much for the info.
    I removed the Media Cache and Media Cache File folders.  Didn't seem to make any difference.  Also, there's no audio if I try to play it in Organizer.
    I have a question regarding "import".  What exactly does that mean?
    Since all my MTS files are on hard drive already, what I did was:
    1) Open a new project in PE9.
    2) In the "Organize" tab, click "Get Media"
    3) Choose "Get Videos/Photos/Audio from: Files and Folders".
    4) In the pop-up window, navigate to my folder and choose the existing MTS file.
    Was that called "import"?
    Thank you again!
    Michael
