Protected servers under SYN attack!!

The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.
In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PCs. This server 82.214.154.223 does not belong to us; a whois query tells me that the IP originates from Poland with no hostname address.
I should have been seeing attacks only for servers belonging to my network, right? Like an attack from an outside public IP towards my server's public IP. Or is it that this feature provides two-way statistics, where it also displays attacks originating from my LAN towards the outside world? From what I see, I feel it displays two-way attacks. Correct me if I am wrong.
Regards

Hi,
Below is the output of the "# sh threat-detection rate" command. Can anyone explain to me the vulnerabilities and risks by looking at the figures below? Thanks.
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  1               0       0               672
  1-hour ACL  drop:                  1               0       0              4654
  10-min SYN attck:                  0               0       0               386
  1-hour SYN attck:                  0               0       0              3428
  10-min  Scanning:                  2               1   55503              1248
  1-hour  Scanning:                  2               2   18455              9177
  10-min Bad  pkts:                  0               0       0               184
  1-hour Bad  pkts:                  0               0       0              1089
  10-min  Firewall:                  1               0       0               862
  1-hour  Firewall:                  1               1       0              5749
  10-min DoS attck:                  0               0       0                 6
  1-hour DoS attck:                  0               0       0                 6
  10-min Interface:                  1               0       0              1034
  1-hour Interface:                  1               1       0              6616
regards,
AAMIR
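As an added illustration (not from the post, and not Cisco's own tooling), here is a small Python parser for the "show threat-detection rate" table quoted above. The sample input is the figures from the post; the parser picks out the rows whose Trigger counter is non-zero, which in this output is only the Scanning category, and cross-checks Average(eps) against Total events divided by the window length.

```python
import re

# Constructed sample input: the `show threat-detection rate` table quoted in the post above.
SAMPLE = """\
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  1               0       0               672
  1-hour ACL  drop:                  1               0       0              4654
  10-min SYN attck:                  0               0       0               386
  1-hour SYN attck:                  0               0       0              3428
  10-min  Scanning:                  2               1   55503              1248
  1-hour  Scanning:                  2               2   18455              9177
  10-min Bad  pkts:                  0               0       0               184
  1-hour Bad  pkts:                  0               0       0              1089
  10-min  Firewall:                  1               0       0               862
  1-hour  Firewall:                  1               1       0              5749
  10-min DoS attck:                  0               0       0                 6
  1-hour DoS attck:                  0               0       0                 6
  10-min Interface:                  1               0       0              1034
  1-hour Interface:                  1               1       0              6616
"""

# Seconds covered by each statistics window the command reports.
WINDOW_SECONDS = {"10-min": 600, "1-hour": 3600}

ROW = re.compile(
    r"^\s*(?P<window>10-min|1-hour)\s+(?P<category>.+?):\s+"
    r"(?P<average>\d+)\s+(?P<current>\d+)\s+(?P<trigger>\d+)\s+(?P<total>\d+)\s*$"
)


def parse_threat_detection_rate(text):
    """Turn the fixed-width table into a list of dicts; lines that do not match (the header) are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "window": m["window"],
            "category": re.sub(r"\s+", " ", m["category"]),  # "ACL  drop" -> "ACL drop"
            "average_eps": int(m["average"]),
            "current_eps": int(m["current"]),
            "trigger": int(m["trigger"]),
            "total": int(m["total"]),
        })
    return rows


def triggered(rows):
    """Rows whose Trigger counter is non-zero, i.e. where a configured rate threshold was exceeded."""
    return [(r["window"], r["category"], r["trigger"]) for r in rows if r["trigger"] > 0]


def implied_average_eps(row):
    """Total events spread over the window; this should sit close to the reported Average(eps)."""
    return row["total"] / WINDOW_SECONDS[row["window"]]


if __name__ == "__main__":
    rows = parse_threat_detection_rate(SAMPLE)
    for window, category, count in triggered(rows):
        print(f"{window} {category}: threshold exceeded {count} times")
    for r in rows:
        print(f"{r['window']:>6} {r['category']:<10} avg={r['average_eps']} "
              f"total/window={implied_average_eps(r):.2f}")
```

Only the Scanning rows carry a non-zero Trigger, so those are the figures to investigate first; the rest is background noise at a rate of a few events per second or less.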

Similar Messages

  • Forefront TMG detected a possible SYN attack and will protect the network accordingly

    Hi, sometimes the internet here is not working when used through TMG 2010, but the local host's internet is working. Then we have to restart the
    Microsoft Forefront TMG Control service with its related services, and then users can access the Internet through TMG again.
    I checked the Event Viewer on the server. It shows the error log below.
    Forefront TMG detected a possible SYN attack and will protect the network accordingly
    What should I do for this?
    Regards, COMDINI

    Hello,
    An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
    Please enable logging to identify these hosts and then check whether they are infected by viruses or malware programs.
    Please see the value of the number of Maximum half-open TCP connections in the Flood Mitigation settings for more information.
    Once your problem is solved, you should see the "Forefront TMG is no longer experiencing a SYN attack." message.

  • How do you protect yourself against DDOS attacks?

    I'm starting a new job soon for an employer who has had the occasional ddos attack against their website.
    Anyways I was wondering, how do you guys protect yourselves against ddos attacks?
    The way my employer fought against it last time was rather inelegant and a sort of lucky situation. They noticed that all the attacks came from IPs which were located in foreign countries, so they simply blocked entire IP ranges which weren't from the country they were providing the service for.
    This seems like quite a drastic measure to me. After all, one goal of my employer is to become more international, and even if you cater only to local clientele, plenty of legitimate users could be across the border.
    Specifically protecting Apache against DDOS attacks is what I would be interested in.
    Can anyone suggest some software or setup I should research for this?

    A colleague of mine recently had one of his own servers under a DDOS attack. Nginx helped out a bit. But the holy grail in this case was Fail2ban.
    Now, usually a DOS would mean that massive numbers of requests are issued within a short time. Such behaviour is easily identified and blocked. But how do you react when it's distributed and each individual node is issuing requests at a normal rate?
    Well, in my tests I came to the conclusion that it's all about the difference in typical behaviour between legitimate visitors to a site and automated requests as in the case of a DDOS attack.
    For example, a DOS bot might not issue requests at an alarmingly high rate (slow and steady wins the race), but it will continually issue requests for hours.
    So rather than trying to catch "burst" behaviour with requests crossing a certain threshold in a short amount of time, I instead configured fail2ban to check for IPs which crossed a certain threshold after an hour, and then block that IP for 24 hours.
    It might take a while to find the sweet spot. And it won't be effective immediately. But with a little patience the blocklist started to fill up, and after a few hours the DDOS'ers seemed to have run out of IPs from which to attack.
    It makes sense if you think about it. A legitimate human user will go to a site and spend most of their time reading content, rather than clicking links. Well, usually anyway.
    Also, I've noticed that bots always seem to hit the same URL. Meaning, the main URL of the site, and not selecting any links within the site. While I suppose that it would be trivial to configure a bot to act more legitimately and have it actually click through all available links, I think it kind of defeats the purpose. Or at least most script kiddies won't go that far.
    If you know your way around with REGEXP, I'm sure you could come up with some really nicely custom-tailored rules for fail2ban to use in identifying and blocking IPs. So for example, rather than simply counting ANY connection made in the HTTP logs, you could concentrate on IPs which only and continually access the main URL, over and over again.
    Legitimate users will most likely click on other links as well, so if you manage to exclude these kinds of accesses from Fail2ban's counting mechanism, you minimize the chance of locking out legitimate users.
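The approach in the answer above (count an IP's hits over an hour rather than looking for bursts, consider only clients that keep hitting the front page and never request anything else, then ban for 24 hours) as an added worked example in Python; this is not fail2ban's own code nor the poster's configuration, and the log lines, IP addresses, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]


def max_hits_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window` (sliding window)."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:  # drop hits that fell out of the window ending at t
            j += 1
        best = max(best, i - j + 1)
    return best


def find_slow_floods(lines, front_page="/", threshold=100,
                     window=timedelta(hours=1), ban_for=timedelta(hours=24)):
    """Flag IPs that requested only `front_page`, at least `threshold` times within `window`.

    Clients that also request any other path are treated as human browsing and skipped,
    which is the exclusion the post above suggests to avoid locking out legitimate users.
    """
    front_hits = defaultdict(list)
    other_paths = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if path == front_page:
            front_hits[ip].append(ts)
        else:
            other_paths[ip].add(path)
    flagged = {}
    for ip, times in front_hits.items():
        if other_paths[ip]:
            continue
        hits = max_hits_in_window(times, window)
        if hits >= threshold:
            flagged[ip] = {"hits": hits, "ban_until": max(times) + ban_for}
    return flagged


def _log(ip, when, path):
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


def constructed_sample():
    """Constructed log lines (not from the thread): a slow bot, a human, and a light visitor."""
    base = datetime(2013, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    # Bot at 203.0.113.7: one request to "/" every 15 s for an hour, nothing else.
    lines = [_log("203.0.113.7", base + timedelta(seconds=15 * i), "/") for i in range(240)]
    # Human at 198.51.100.5: just as many requests, but alternating between pages.
    pages = ["/", "/about"]
    lines += [_log("198.51.100.5", base + timedelta(seconds=15 * i), pages[i % 2]) for i in range(240)]
    # Light visitor at 192.0.2.9: a handful of front-page hits, well under the threshold.
    lines += [_log("192.0.2.9", base + timedelta(minutes=10 * i), "/") for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, info in find_slow_floods(constructed_sample()).items():
        print(f"{ip}: {info['hits']} front-page hits in an hour, ban until {info['ban_until']}")
```

The human client makes 120 front-page requests in the hour, above the threshold by count alone, and is kept out of the ban list only because it also fetched /about.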

  • CSS 11050 SYN Attacks and auto-reboot

    Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!

    First, you should definitely upgrade.
    5.0(2) is VERY VERY OLD.
    Next, a box never reloads by itself on purpose or because it reached a certain threshold.
    If there is an auto-reboot, this means the box crashed, and this is not normal.
    Gilles.

  • Duplicate SYN attacks from Outside to Outside

    Hi Everyone,
    We have an FTP server that sits in our DMZ.  This server has a DMZ interface and an external interface.  When trying to access the server from the internet on its external address I am getting a lot of Duplicate SYN attacks.  They seem to be coming all from the same source and port to the same destination and port.
    As part of the testing I first took out any references to the FTP server in my access rules on the ASA.  I then tried to FTP to the server from an outside internet connection and as expected got the following in the log:
    Severity 4, Mar 01 2013 10:23:18, src 194.80.130.xx port 46867, dst 78.24.112.XX port 21: Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
    I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one).  When I then try to FTP to the server I get lots of SYN attacks which say the following:
    Severity 4, Mar 01 2013 10:27:29, src 194.80.130.XX port 46973, dst 78.24.112.XX port 21: Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
    I am not sure why I am getting duplicate SYN attacks.  I have similar servers in the DMZ that do the same thing and they seem to be working fine.  I am pretty sure this is not actually a DOS attack.  I have also spoken to the team who manage the server and they have confirmed that the external IP is set up correctly on the server (it's not that the external IP does not exist and just loops).
    There is also NAT'ing set up on the ASA that NATs the DMZ IP to the external IP and vice versa.
    I have also noticed that whenever I create a new rule on the outside interface on my ASA it automatically adds the same description from another rule on the outside interface.  What does this mean?  Why could it be copying a description from another rule?
    Your advice would be much appreciated.

    Output from packet-tracer to outside address 78.24.112.xx 
    It seems as though the NAT to the DMZ address is just not working.  I have set a NAT rule up "before network object NAT" rule and also set a simple object NAT, but still getting the error.
    Phase: 1
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
    object-group service DM_INLINE_SERVICE_7
    service-object tcp destination eq ssh
    service-object ip
    service-object tcp destination eq ftp
    Additional Information:
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:
    Phase: 4
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 26135657, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    Action: allow

  • CSS wrongly reports SYN attacks

    Hi all,
    in our environment we have a CSS 11800 which is connected to 3 servers which are all running the same
    services. Every night there is a log rotation and therefore the services are taken down one by one.
    The CSS forwards traffic to the service even if it's down.
    From the time the service is down I can always see a huge amount of SYN attacks reported in the traplog.
    The reason for this is that the server sends a RST for every SYN request (which is normal as the port
    is down).
    We are running on SW version 5.00 build 63.
    Can you tell me how long it takes until the CSS detects the service as down, and if there is a newer release which maybe detects a RST as a valid response to a SYN and therefore doesn't report a SYN attack?

    I don't see why you do not shut down the service manually during maintenance?
    Regarding how fast the CSS detects a service down, it depends on the sort of keepalive you have configured.
    If you are using ICMP keepalive the CSS may still believe the service is active if it continues to respond to ping.
    Again, the fastest way for the CSS to detect a service down is to configure it to be down.
    No release will accept the RST.
    It is your job to make sure the CSS does not forward traffic to a service that is down.
    Gilles.

  • SYN attack

    Hi All,
    I have router and inside interface is connected to firewall.
    Last week I had an attack on one of my internal servers and I was also losing connectivity to the inside interface of the firewall.
    But today suddenly the internet was down; when checked, the link was up but I was also not able to ping the router interface.
    When checked in the firewall there was a log indicating a SYN attack but the source and destination IP were not mentioned.
    Can anybody suggest.

    Prevent the attack itself?
    No.
    Mitigate the impact on services?
    To some extent yes. Read the link below.
    The aggressor can always oversaturate your internet link.
    It is just a numbers game: a SYN packet's size is X, your link has size Y and can traverse Z packets per second.
    Then the aggressor just needs to send enough SYN packets through to eat up the resources of Y or Z, whichever comes first.
    However, that is not the normal way of using SYN attacks, since there are faster ways to oversaturate the link.
    The normal way of using SYN attacks is to steal resources away from the server that is under attack by not establishing a full TCP connection.
    This is mitigated in the firewall, which sits in between the aggressor and the server and answers the SYN packets and only lets through the ones that are legit.
    http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
    Good luck
    HTH

  • I am using dreamweaver cs6 is it protected from various hacker attacks such as sql injection,xss,?

    I mean, if I built a site using PHP and SQL using Dreamweaver CS6, will it be protected from various hacker attacks such as SQL injection, XSS, spoofed form input, etc.? If it is not protected, tell me where I can learn to protect my website using PHP and SQL from all types of hacker attacks. Help needed. Thank you :)

    A couple more comments.
    To guard against most of these security risks, you have to completely sanitize any user input whether processed further on subsequent pages or added to a database.  That complete sanitization usually involves stripping out any HTML/JavaScript, and blocking SQL-crashing equalities/inequalities.
    You can get a lot of information about these and other methods on the Dreamweaver AppDev forum -
    http://forums.adobe.com/community/dreamweaver/dreamweaver_development?view=discussions
    which is where most server-scripting topics are discussed.

  • CSS false syn attack behavior

    Hi all,
    We are having an issue with our CSS11501, version sg0810106.
    Our web app is using a lot of web requests (up to one every 15 seconds).
    For some reason occasionally our session is being dropped, and we can't connect for a few minutes.
    I just found out that the source IP address of the client is shown as a source for "syn attack" when I issue "show dos".
    Does the CSS block my legitimate traffic as a suspected SYN attack?
    If so, how can I work around it?
    Why does it pick it as a SYN attack, and how can I improve its false detection?
    Can anyone help me with this?
    thanks,
    Lior

    Thanks Gilles,
    Indeed the CSS doesn't block anything (I wish the documents had been more explicit about this, beyond saying that the DoS feature cannot be disabled).
    However, it was a problem caused by the CSS, and I write this here just in case someone else encounters the same.
    I have used the CSS for many years now, but this is the first time that I used it on a very connection-intensive application and in such an environment, and this is why the issue became a visible problem.
    The CSS and ASA were connected on the same network, with the CSS interface configured as the default gateway on the hosts.
    However, the CSS sends ICMP redirect packets to the hosts, injecting a "better" route to different external IP addresses using the ASA interface IP address. That caused connections from different IP addresses to be blocked for a period of 10 minutes (the default time that an ICMP-redirect-injected route will stay in the routing table of Windows Server 2003) because the routing table on the host has a "better" route which is not the CSS's interface.
    Together with the fact that I was using a sticky session content rule based on sticky-srcip, that caused an outage of 10 minutes for different IP addresses on a regular basis.
    I have sorted it out by disabling ICMP Redirect in the Windows hosts' registry:
    "\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
    Change EnableICMPRedirect to "0" (by default it is "1").
    Reboot the hosts, and you will see an immediate drop in SYN attack indications on the CSS, hinting that the problem has been solved.
    I read somewhere that there's an option to disable ICMP redirect packets on the CSS as well, but the other trick did it for me.
    Thanks again Gilles for your enlightenment.
    Regards,
    Lior

  • Can't remove known password (v11); no Protection option under Tools, no check boxes in Security tabs

    Hello,
    I am unable to remove a known password on a document (using version 11.0.3 currently, but also on older versions).  I have no "Protection" option under Tools and I see no "Remove Security" check boxes (or any check boxes) in the Security tabs.  Any help would be greatly appreciated...thank you!

    That's the reason, but it isn't new. No version of Reader has ever been able to change security settings. I'm guessing you used to have a copy of Adobe Acrobat (which looks similar but can do more).

  • Script for putting servers under Maintiance mode in SCOM 2012

    Hi,
    Could someone please help me out with putting Windows servers under maintenance mode by using a PowerShell script. We have nearly 300 Windows servers which need to be put in maintenance mode as there is a scheduled activity. We are using a SCOM 2012 server. I have gone through other sites and seen some PowerShell scripts. As I am not good at scripting, please help me out.
    Regards, Rajeev Parambil

    Hi,
    Hope the below links can be useful for you:
    SCOM maintenance mode setting for list of servers
    http://blogs.technet.com/b/markmanty/archive/2012/05/14/scom-maintenance-mode-setting-for-list-of-servers.aspx
    Put Agents in Maintenance Mode using Remoting Powershell
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/2171ef8f-4a7f-4ec0-8d35-d5a903884dff/put-agents-in-maintenance-mode-using-remoting-powershell-?forum=operationsmanagergeneral
    Regards,
    Yan Li

  • ASA5505, SYN attack, ISP and IPS module

    Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
    I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
    So I have two questions:
    1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
    2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
    Any and all advice is welcome.
    Thanks,
    Diego

    Hi Diego,
    As Julio mentioned, the info has to be there. Do you have the 'show xlate' from when the issue was seen? In such cases, along with the xlate table, you can check connections for hosts making an unusual number of connections (show connection count / show connection all). Here are a few useful commands in such scenarios:
    show local-host connection udp 100-10000          << Gives host with total UDP connections b/w 100-1000
    show local-host connection tcp 100-10000          << Same info for hosts making TCP connections
    show local-host connection embryonic 100-10000    << hosts with 100-1000 embryonic connections
    Change the range as per need.
    Sourav

  • Hi. I installed a torrent programme and I think my MacBook is under virus attack. What can I do?

    Hi. I installed a torrent programme and I think my MacBook is under virus attack. What can I do?

    Downloaded files distributed via torrents very frequently contain malware. It is not possible for anyone on this support site to provide you absolute assurance that your Mac has not been affected by malicious software. Also, there is no product that can examine your Mac and selectively delete potentially malicious software.
    Therefore, I can only recommend that you erase your Mac completely and reconfigure it from the ground up. If you created a backup prior to installing and using the torrent software, now is the time to use it.

  • Hi blog server is under DDoS attack.

    Hi, my blog server is under DDoS attack. It is nginx with FastCGI with WordPress. Any idea how to tune nginx to reduce the damage?

    James Spong wrote:
    "make sure that all users have strong passwords with a combination of caps,
    lowercase, numbers and letters. This is especially important for 'core' addresses, such as root, admin, info etc."
    Wait a minute. You should *never* allow remote (external) login for root. If you really must, then
    set up DSA SSH keys and disallow access via password & disable use of PAM in /etc/sshd_config
    and limit root access to local IPs (i.e. IP ranges owned by your ISP, for example).
    Same is true for admin.
    _Do NOT send or receive email as root !!!_
    As for properly securing ssh, better to login as a non-admin account and then su to your admin account.
    Don't use "admin" for your admin account-name.
    And yes of course use strong passwords, but you want to get away from allowing ssh access via password anyway.
    It's not as perfect as I'd like (couldn't edit it after the fact), but see my post about securing ssh
    http://discussions.apple.com/thread.jspa?messageID=7082312&#7082312

  • SNMP - Scan and Syn Attack OIDs

    Hello support community,
    I'm looking for SNMP OIDs for scan and SYN attack; I'm trying to build a graph with Cacti that would represent a history of DOS and scan attacks. I have looked at the MIB and I don't see anything jumping out at me about these OIDs. Can you please help me find these?
    Thanks,
    Delmiro

    I opened a case with TAC, and they stated that these OIDs are not supported. I thought I would post my findings here in case anyone else was looking for them.
