SNMP - Scan and Syn Attack OIDs

Hello support community,
I'm looking for SNMP OIDs for scan and SYN attack; I'm trying to build a graph with Cacti that would show a history of DoS and scan attacks. I have looked at the MIB and I don't see anything jumping out at me about these OIDs. Can you please help me find these?
Thanks,
Delmiro

I opened a case with TAC, and they stated that these OIDs are not supported. I thought I would post my findings here in case anyone else was looking for them.

Similar Messages

  • How to report possible Port scanning and DOS/Fraggle Attack??

    I have been experiencing lag while surfing the internet. One temporary solution was to get a new IP from VZ, but this fix was short-lived. So I became curious and started to log connection attempts to my router, and noticed that what I saw resembled port scans and even a Fraggle/DoS attack at times. I am posting my router's log below and would like to know how to go about reporting this abuse and what I see as malicious activity.
    Mar 29 00:34:16.843: %SEC-6-IPACCESSLOGP: list 115 denied tcp 112.216.99.210(60289) -> .(443), 1 packet
    Mar 29 02:09:24.956: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 1 packet
    Mar 29 02:14:54.973: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 4 packets
    Mar 29 04:46:18.559: %SEC-6-IPACCESSLOGP: list 115 denied tcp 123.125.67.205(60157) -> .(80), 1 packet
    Mar 29 04:51:54.975: %SEC-6-IPACCESSLOGP: list 115 denied tcp 123.125.67.205(60157) -> .(80), 1 packet
    Mar 29 08:37:38.717: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(49683) -> .(80), 1 packet
    Mar 29 08:42:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(49683) -> .(80), 4 packets
    Mar 29 11:58:37.525: %SEC-6-IPACCESSLOGP: list 115 denied tcp 69.162.74.105(4529) -> .(80), 1 packet
    Mar 29 12:00:33.395: %SEC-6-IPACCESSLOGP: list 115 denied tcp 209.216.8.220(8615) -> .(443), 1 packet
    Mar 29 12:03:55.001: %SEC-6-IPACCESSLOGP: list 115 denied tcp 69.162.74.105(4529) -> .(80), 1 packet
    Mar 29 15:09:06.512: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(39516) -> (80), 1 packet
    Mar 29 15:14:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(39516) -> (80), 4 packets
    Mar 29 20:06:44.831: %SEC-6-IPACCESSLOGP: list 115 denied tcp 190.30.227.242(45712) -> .(80), 1 packet
    Mar 29 23:42:44.255: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(58914) -> .(80), 1 packet
    Mar 29 23:47:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(58914) -> .(80), 2 packets
    Mar 30 01:19:56.075: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48356) -> .(80), 1 packet
    Mar 30 01:25:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48356) -> .(80), 2 packets
    Mar 30 01:51:48.109: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(32276) -> .(80), 1 packet
    Mar 30 01:56:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(32276) -> .(80), 2 packets
    Mar 30 02:15:11.578: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48235) -> .(80), 1 packet
    Mar 30 02:20:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48235) -> .(80), 2 packets
    Mar 30 02:49:55.370: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(65092) -> .(80), 1 packet
    Mar 30 02:55:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(65092) -> .(80), 2 packets
    Mar 30 03:05:05.854: %SEC-6-IPACCESSLOGP: list 115 denied tcp 59.178.47.229(3152) -> .(23), 1 packet
    Mar 30 03:10:54.971: %SEC-6-IPACCESSLOGP: list 115 denied tcp 59.178.47.229(3152) -> .(23), 1 packet
    Mar 30 03:19:07.806: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28767) -> .(80), 1 packet
    Mar 30 03:24:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28767) -> .(80), 2 packets
    Mar 30 03:43:44.223: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(22501) -> (80), 1 packet
    Mar 30 03:48:54.968: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(22501) -> (80), 2 packets
    Mar 30 04:11:31.035: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(47011) -> .(80), 1 packet
    Mar 30 04:16:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(47011) -> .(80), 2 packets
    Mar 30 04:42:01.195: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(56753) -> .(80), 1 packet
    Mar 30 04:47:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(56753) -> .(80), 2 packets
    Mar 30 05:11:34.130: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35301) -> .(80), 1 packet
    Mar 30 05:16:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35301) -> .(80), 2 packets
    Mar 30 05:41:22.621: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(33024) -> .(80), 1 packet
    Mar 30 05:46:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(33024) -> .(80), 2 packets
    Mar 30 06:08:02.091: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54807) -> .(80), 1 packet
    Mar 30 06:13:54.970: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54807) -> .(80), 2 packets
    Mar 30 06:34:59.547: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(29217) -> .(80), 1 packet
    Mar 30 06:40:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(29217) -> .(80), 2 packets
    Mar 30 07:03:04.100: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54153) -> .(80), 1 packet
    Mar 30 07:08:54.967: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(54153) -> .(80), 2 packets
    Mar 30 07:31:13.494: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17308) -> .(80), 1 packet
    Mar 30 07:36:54.969: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17308) -> .(80), 2 packets
    Mar 30 08:02:27.161: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48707) -> .(80), 1 packet
    Mar 30 08:07:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(48707) -> .(80), 2 packets
    Mar 30 08:33:47.283: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(28540) -> .(80), 1 packet
    Mar 30 20:04:23.585: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(22702) -> .4(22), 1 packet
    Mar 30 20:21:10.696: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35592) -> .(80), 1 packet
    Mar 30 20:26:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(35592) -> .(80), 2 packets
    Mar 30 20:52:52.313: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(25460) -> .(80), 1 packet
    Mar 30 20:57:54.965: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(25460) -> .(80), 2 packets
    Mar 30 21:30:11.984: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17145) -> .(80), 1 packet
    Mar 30 21:35:54.963: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(17145) -> .(80), 2 packets
    Mar 30 21:43:27.829: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 30 21:43:27.889: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> . (0/0), 1 packet
    Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.213 -> (0/0), 1 packet
    Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.214 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> (0/0), 1 packet
    Mar 30 21:48:54.973: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 30 21:48:54.977: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.211 -> (0/0), 1 packet
    Mar 30 22:01:32.255: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(30967) -> .(80), 1 packet
    Mar 30 22:06:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(30967) -> .(80), 2 packets
    Mar 30 22:10:18.301: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(31796) -> .(80), 1 packet
    Mar 30 22:15:54.965: %SEC-6-IPACCESSLOGP: list 115 denied tcp 65.52.110.34(31796) -> .(80), 2 packets
    Mar 30 23:03:12.464: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 30 23:08:54.966: %SEC-6-IPACCESSLOGP: list 115 denied tcp 88.208.220.10(55906) -> .(21), 1 packet
    Mar 31 00:41:30.769: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(35443) -> .(22), 1 packet
    Mar 31 03:00:11.425: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(58521) -> .(80), 1 packet
    Mar 31 03:00:12.527: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(42339) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(41726) -> .(23), 1 packet
    Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(59178) -> .(80), 1 packet
    Mar 31 03:46:26.767: %SEC-6-IPACCESSLOGP: list 115 denied tcp 184.154.4.85(58071) -> .(80), 1 packet
    Mar 31 04:12:08.935: %SEC-6-IPACCESSLOGP: list 115 denied tcp 109.104.74.10(51151) -> .(22), 1 packet
    Mar 31 12:10:19.683: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 1 packet
    Mar 31 12:15:54.960: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(51886) -> .(80), 4 packets
    Mar 31 14:23:34.316: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 14:28:54.962: %SEC-6-IPACCESSLOGP: list 115 denied tcp 94.251.160.199(32941) -> .(443), 1 packet
    Mar 31 20:37:34.630: %SEC-6-IPACCESSLOGP: list 115 denied tcp 208.100.1.174(39803) -> .(21), 1 packet
    Mar 31 20:40:49.542: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 1 packet
    Mar 31 20:45:54.958: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.72.53(53348) -> .(80), 4 packets
    Mar 31 21:18:03.788: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
    Mar 31 21:18:03.832: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> (0/0), 1 packet
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 130.81.137.230 -> (0/0), 2 packets
    Mar 31 21:23:54.960: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.202 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.204 -> . (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.205 -> (0/0), 1 packet
    Mar 31 21:23:54.964: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.207 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.208 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.206 -> . (0/0), 1 packet
    Mar 31 21:23:54.968: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.210 -> . (0/0), 1 packet
    Mar 31 21:23:54.972: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.203 -> (0/0), 1 packet
    Mar 31 21:57:25.351: %SEC-6-IPACCESSLOGP: list 115 denied tcp 115.89.213.165(59472) -> .(22), 1 packet
    Mar 31 22:00:45.852: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet
    Mar 31 22:05:54.959: %SEC-6-IPACCESSLOGP: list 115 denied tcp 87.234.32.189(49412) -> .(25), 1 packet

    You're getting hit from IPs from everywhere, so there's no one particular person to ask about this. Whoever had your IP last was probably up to no good, or it's possible that for some reason your IP was targeted. It might also be possible that whoever had your IP last was running servers. My dedicated server gets hit with this nonsense all the time. Sometimes it's an issue with someone trying to DoS one of the game servers I run on it. It causes lag for only a few seconds before the hardware firewall in front of the server kicks in and handles the rest. I actually wound up blocking access from China entirely for a month or two, since I've hardly seen anything from there that wasn't a port scan or an SSH/FTP hacking attempt.
    A few of those IPs are owned by Google and Microsoft, which implies there was probably an HTTP server at one point running on the IP you're using now.
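The reply above says there is no single party to report this to, but the log itself can be triaged before deciding what, if anything, to report. What follows is an added example, not part of the original thread and not Cisco code: a Python script that parses Cisco IOS %SEC-6-IPACCESSLOGP (tcp/udp) and %SEC-6-IPACCESSLOGDP (icmp) deny lines, totals denied packets per source, flags sources that touched more than one destination port on the router (128.59.14.102 probing 80 and 23 in the posted log), and counts distinct ICMP senders per /24 to surface the burst of neighbouring 98.117.72.x hosts. The sample lines are copied from the post above; the thresholds and labels are assumptions.

```python
"""Triage Cisco IOS ACL deny logs for port scans and ICMP bursts.

Added example for this thread; not Cisco code. The SAMPLE_LOG lines are
copied from the post above (destinations are redacted to "." there, so the
parser tolerates an empty or "." destination).
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 29 00:34:16.843: %SEC-6-IPACCESSLOGP: list 115 denied tcp 112.216.99.210(60289) -> .(443), 1 packet
Mar 29 02:09:24.956: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 1 packet
Mar 29 02:14:54.973: %SEC-6-IPACCESSLOGP: list 115 denied tcp 66.249.68.67(44315) -> .(80), 4 packets
Mar 31 03:00:11.425: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(58521) -> .(80), 1 packet
Mar 31 03:00:12.527: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(42339) -> .(23), 1 packet
Mar 31 03:05:54.964: %SEC-6-IPACCESSLOGP: list 115 denied tcp 128.59.14.102(41726) -> (23), 1 packet
Mar 30 21:43:27.829: %IP_VFR-4-FRAG_TABLE_OVERFLOW: FastEthernet0/1: the fragment table has reached its maximum threshold 16
Mar 30 21:43:27.889: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.200 -> . (0/0), 1 packet
Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.213 -> (0/0), 1 packet
Mar 30 21:48:54.965: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.214 -> (0/0), 1 packet
Mar 30 21:48:54.969: %SEC-6-IPACCESSLOGDP: list 115 denied icmp 98.117.72.201 -> (0/0), 1 packet
"""

# IPACCESSLOGP: tcp/udp with ports; IPACCESSLOGDP: icmp with "type/code".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?:P|DP): list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\S*?)\s?\((?P<dport>[\d/]+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """One log line -> dict, or None for lines that are not ACL denies."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = m.group("proto")
    return {
        "proto": proto,
        "src": m.group("src"),
        # ICMP logs "type/code" where TCP/UDP log a port number.
        "dport": m.group("dport") if proto == "icmp" else int(m.group("dport")),
        "count": int(m.group("count")),
    }


def summarize(lines):
    """Per source IP: sorted distinct TCP/UDP destination ports and packet total."""
    ports = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        packets[rec["src"]] += rec["count"]
        if rec["proto"] in ("tcp", "udp"):
            ports[rec["src"]].add(rec["dport"])
    return {src: {"ports": sorted(ports[src]), "packets": packets[src]} for src in packets}


def classify(summary, min_ports=2):
    """Label each source. The threshold is an assumption; tune it to your own noise."""
    labels = {}
    for src, s in summary.items():
        if not s["ports"]:
            labels[src] = "icmp-only"
        elif len(s["ports"]) >= min_ports:
            labels[src] = "scan"          # several services probed on one target
        else:
            labels[src] = "single-port"   # retries or crawlers hitting one port
    return labels


def icmp_sources_per_subnet(lines, min_hosts=4):
    """Count distinct ICMP senders per /24; many neighbours at once is worth a look."""
    by_net = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "icmp":
            net = ipaddress.ip_network(rec["src"] + "/24", strict=False)
            by_net[str(net)].add(rec["src"])
    return {net: len(hosts) for net, hosts in by_net.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    summary = summarize(lines)
    for src, label in classify(summary).items():
        print(f"{src:16} {label:12} ports={summary[src]['ports']} packets={summary[src]['packets']}")
    print("ICMP bursts per /24:", icmp_sources_per_subnet(lines))
```

Run it against the full router log by piping the file into `summarize(sys.stdin)`; the script only looks at the message body, so the timestamp format does not matter.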

  • Forefront TMG detected a possible SYN attack and will protect the network accordingly

    Hi, sometimes the internet here does not work when going through TMG 2010, but internet on the local host is working. Then I have to restart the
    Microsoft Forefront TMG Control service with its related services, and after that users can access the internet through TMG again.
    I checked the Event Viewer on the server. It shows the error log below.
    Forefront TMG detected a possible SYN attack and will protect the network accordingly
    What should I do about this?
    Regards, COMDINI

    Hello,
    An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
    Please enable logging to identify these hosts, and then check whether they are infected by viruses or malware.
    See the value of "Maximum half-open TCP connections" in the Flood Mitigation settings for more information.
    Once the problem is solved, you should see the message "Forefront TMG is no longer experiencing a SYN attack."

  • CSS 11050 SYN Attacks and auto-reboot

    Running software version 5.00 build 2 to load-balance two web servers. The DoS log shows SYN attack activity, with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto-reboot? Thanks!

    First, you should definitely upgrade.
    5.0(2) is VERY, VERY old.
    Next, a box never reloads by itself on purpose or because it reached a certain threshold.
    If there is an auto-reboot, this means the box crashed, and this is not normal.
    Gilles.

  • ASA5505, SYN attack, ISP and IPS module

    Our 5505 is currently being hit by a SYN attack from surprise, surprise, China.  The attack easily brings down the 5505 by hitting the 10,000 connection limit of the box.  I am currently using the shun command to try to mitigate the problem but it is not much help.  It converts the 10,000 connections into 12-15k dropped packets per second which doesn't crash the box but pretty much makes it unusable. 
    I have seen some examples on using service policies to set connection and embryonic limits but I don't think they will work for me because the attacks come from several IPs and use several different ports.  The attacks don't seem to be pinpointing any particular server or service.  Seems like just basic DoS of our service.  Besides, the feedback from people who have tried this doesn't seem too convincing.
    So I have two questions:
    1) My ISP is unwilling and/or unable to do anything.  They suggest I email the abuse mailbox from the offending ISP.  Just for grins, I did send an email and it promptly came back marked "mailbox full" which is quite funny I thought.
    2) Will adding the IPS module help here?  I am hoping that the processing of the dropped packets would move to the module and leave the main processor of the ASA free to do its usual NAT and firewall functions.
    Any and all advice is welcome.
    Thanks,
    Diego

    Hi Diego,
    As Julio mentioned, the info has to be there. Do you have the 'show xlate' output from when the issue was seen? In such cases, along with the xlate table, you can check for hosts making an unusual number of connections (show connection count/show connection all). Here are a few useful commands in such scenarios:
    show local-host connection udp 100-10000          << hosts with a total of 100-10000 UDP connections
    show local-host connection tcp 100-10000          << same info for hosts making TCP connections
    show local-host connection embryonic 100-10000    << hosts with 100-10000 embryonic connections
    Change the range as needed.
    Sourav

  • Protected servers under syn attack!!

    The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.
    In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
    I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
    Regards

    Hi,
    Below is the output of the "sh threat-detection rate" command. Can anyone explain to me the vulnerabilities and risks by looking at the figures below? Thanks.
                              Average(eps)    Current(eps) Trigger      Total events
      10-min ACL  drop:                  1               0       0               672
      1-hour ACL  drop:                  1               0       0              4654
      10-min SYN attck:                  0               0       0               386
      1-hour SYN attck:                  0               0       0              3428
      10-min  Scanning:                  2               1   55503              1248
      1-hour  Scanning:                  2               2   18455              9177
      10-min Bad  pkts:                  0               0       0               184
      1-hour Bad  pkts:                  0               0       0              1089
      10-min  Firewall:                  1               0       0               862
      1-hour  Firewall:                  1               1       0              5749
      10-min DoS attck:                  0               0       0                 6
      1-hour DoS attck:                  0               0       0                 6
      10-min Interface:                  1               0       0              1034
      1-hour Interface:                  1               1       0              6616
    regards,
    AAMIR
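TAC's answer in the original post is that there is no OID for these counters, but the `show threat-detection rate` output posted above carries exactly the SYN-attack and scanning figures the original poster wanted to graph. The following is an added example, not part of either post and not Cisco code: a Python parser for that output that returns the four columns of every row, lists the categories whose Trigger column is nonzero (only Scanning in the posted data), and formats everything as the single `field:value field:value ...` line that Cacti's script/command data input reads. Collecting the output from the ASA (an SSH session or a scheduled capture of the show command) is outside the block; the field names are assumptions.

```python
"""Parse ASA `show threat-detection rate` output into graphable fields.

Added example; not Cisco code. SAMPLE_OUTPUT is the table from the post
above. Column meanings (Average, Current, Trigger, Total events) are taken
as printed; consult the ASA command reference for their exact semantics.
"""
import re

SAMPLE_OUTPUT = """\
                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  1               0       0               672
  1-hour ACL  drop:                  1               0       0              4654
  10-min SYN attck:                  0               0       0               386
  1-hour SYN attck:                  0               0       0              3428
  10-min  Scanning:                  2               1   55503              1248
  1-hour  Scanning:                  2               2   18455              9177
  10-min Bad  pkts:                  0               0       0               184
  1-hour Bad  pkts:                  0               0       0              1089
  10-min  Firewall:                  1               0       0               862
  1-hour  Firewall:                  1               1       0              5749
  10-min DoS attck:                  0               0       0                 6
  1-hour DoS attck:                  0               0       0                 6
  10-min Interface:                  1               0       0              1034
  1-hour Interface:                  1               1       0              6616
"""

# Row shape: "<window> <category with odd spacing>: avg current trigger total"
ROW_RE = re.compile(
    r"^\s*(?P<window>10-min|1-hour)\s+(?P<category>.+?):\s+"
    r"(?P<average>\d+)\s+(?P<current>\d+)\s+(?P<trigger>\d+)\s+(?P<total>\d+)\s*$"
)
COLUMNS = ("average", "current", "trigger", "total")

# Short field names for the graphing tool; these are assumed, not Cisco's.
FIELD_NAMES = {
    "ACL drop": "acl_drop", "SYN attck": "syn_attack", "Scanning": "scanning",
    "Bad pkts": "bad_pkts", "Firewall": "firewall", "DoS attck": "dos_attack",
    "Interface": "interface",
}
WINDOW_NAMES = {"10-min": "10m", "1-hour": "1h"}


def parse_threat_detection_rate(text):
    """Return {(window, category): {average, current, trigger, total}}."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line or unrelated output
        # The CLI pads categories to a fixed width ("ACL  drop", " Scanning").
        category = re.sub(r"\s+", " ", m.group("category")).strip()
        stats[(m.group("window"), category)] = {k: int(m.group(k)) for k in COLUMNS}
    return stats


def triggered(stats):
    """Categories whose rate limit has fired at least once in any window."""
    return sorted({cat for (_, cat), row in stats.items() if row["trigger"] > 0})


def to_cacti_line(stats):
    """Cacti script data input format: space-separated field:value pairs."""
    fields = []
    for (window, category), row in sorted(stats.items()):
        name = FIELD_NAMES.get(category, re.sub(r"\W+", "_", category).lower())
        base = f"{name}_{WINDOW_NAMES[window]}"
        fields.extend(f"{base}_{col}:{row[col]}" for col in COLUMNS)
    return " ".join(fields)


if __name__ == "__main__":
    stats = parse_threat_detection_rate(SAMPLE_OUTPUT)
    print("rate limits triggered:", triggered(stats))
    print(to_cacti_line(stats))
```

Point a Cacti data input method at a wrapper that captures the show command and prints `to_cacti_line(...)`; each `*_average` and `*_current` field graphs as a GAUGE, and `*_total` can be graphed directly or as a delta between polls once you have confirmed from the command reference how that column accumulates on your release.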

  • What multifunction(all-in-one) printers work with Mac OS 10.9 and 10.8? - Printing, scanning and faxing!

    What multifunction (all-in-one) BW laserjet printers work with Mac OS 10.9 and 10.8? - Printing, scanning and faxing!
    I had an HP 3052 with a scanner error 5 message which can't print anymore. Anyway, scanning with this HP is not supported anymore. So looking into the huge HP compatibility list on the web I see no good choice:
    http://h20565.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/mostViewedDisplay?javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken&javax.portlet.prp_efb5c0793523e51970c8fa22b053ce01=wsrp-navigationalState%3DdocId%253Demr_na-c03800910-1%257CdocLocale%253Den_US&javax.portlet.tpst=efb5c0793523e51970c8fa22b053ce01&sp4ts.oid=25475&ac.admitted=1391444156214.876444892.492883150
    The new HP LaserJet M127fn MFP duplex is not even on this list...
    I prefer laser to ink printers (I hate buying cartridges every month or having the system stuck with dry ink when not used for a month).
    There are some good Brother laser printers, e.g. MFC7860DW, but PC-Fax doesn't work on Mac (I believe).
    Thanks to anybody with some good ideas.

    Thanks baltwo, but I am looking for a printer-copier-scanner-fax machine. I think I might go with the brother
    http://www.brother-usa.com/MFC/ModelDetail/4/MFC7860DW/Overview#.UvAHCf1LrfM
    mainly because more and more people seem to have bad experiences with HP printers in the $150-$300 range and manufactured in recent years;
    and forget about faxing...

  • CSS false syn attack behavior

    Hi all,
    We are having an issue with our CSS11501, version sg0810106.
    Our web app is making a lot of web requests (up to one every 15 seconds).
    For some reason our session is occasionally being dropped, and we can't connect for a few minutes.
    I just found out that the source IP address of the client is shown as a source for "syn attack" when I issue "show dos".
    Does the CSS block my legitimate traffic as a suspected SYN attack?
    If so, how can I work around it?
    Why does it pick it up as a SYN attack, and how can I improve its false detection?
    Can anyone help me with this?
    thanks,
    Lior

    Thanks Gilles,
    Indeed the CSS doesn't block anything (I wish the documents had been more explicit about this, instead of only writing that the DoS feature cannot be disabled).
    However, it was a problem caused by the CSS, and I write this here just in case someone else encounters the same.
    I have used the CSS for many years now, but this is the first time that I used it on a very connection-intensive application and in such an environment, and this is why the issue became a visible problem.
    The CSS and ASA were connected on the same network, with the CSS interface configured as the default gateway on the hosts.
    However, the CSS sends ICMP redirect packets to the hosts, injecting a "better" route to different external IP addresses via the ASA interface IP address. That causes connections from different IP addresses to be blocked for a period of 10 minutes (the default time that a route injected by an ICMP redirect stays in the routing table of Windows Server 2003), because the routing table on the host has a "better" route which is not the CSS's interface.
    Together with the fact that I was using a sticky session content rule based on sticky-srcip, that caused an outage of 10 minutes for different IP addresses on a regular basis.
    I sorted it out by disabling ICMP redirects in the Windows hosts' registry:
    "\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
    change EnableICMPRedirect to "0" (by default it is "1"),
    reboot the hosts, and you will see an immediate drop in SYN attack indications on the CSS, hinting that the problem has been solved.
    I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did it for me.
    Thanks again Gilles for your enlightenment.
    Regards,
    Lior

  • Duplicate SYN attacks from Outside to Outside

    Hi Everyone,
    We have an FTP server that sits in our DMZ. This server has a DMZ interface and an external interface. When trying to access the server from the internet on its external address I am getting a lot of Duplicate SYN attacks. They all seem to be coming from the same source and port to the same destination and port.
    As part of the testing I first took out any references to the FTP server in my access rules on the ASA. I then tried to FTP to the server from an outside internet connection and, as expected, got the following in the log:
    4 | Mar 01 2013 10:23:18 | 194.80.130.xx:46867 -> 78.24.112.XX:21 | Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
    I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one). When I then try to FTP to the server I get lots of SYN attack messages that say the following:
    4 | Mar 01 2013 10:27:29 | 194.80.130.XX:46973 -> 78.24.112.XX:21 | Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
    I am not sure why I am getting duplicate SYN attacks. I have similar servers in the DMZ that do the same thing and they seem to be working fine. I am pretty sure this is not actually a DoS attack. I have also spoken to the team who manage the server and they have confirmed that the external IP is set up correctly on the server (it's not that the external IP does not exist and just loops).
    There is also NATing set up on the ASA that NATs the DMZ IP to the external IP and vice versa.
    I have also noticed that whenever I create a new rule on the outside interface of my ASA it automatically adds the same description from another rule on the outside interface. What does this mean? Why could it be copying a description from another rule?
    Your advice would be much appreciated.

    Output from packet-tracer to outside address 78.24.112.xx 
    It seems as though the NAT to the DMZ address is just not working.  I have set a NAT rule up "before network object NAT" rule and also set a simple object NAT, but still getting the error.
    Phase: 1
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outside_access_in in interface outside
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
    object-group service DM_INLINE_SERVICE_7
    service-object tcp destination eq ssh
    service-object ip
    service-object tcp destination eq ftp
    Additional Information:
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: INSPECT
    Subtype: inspect-ftp
    Result: ALLOW
    Config:
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
    service-policy global_policy global
    Additional Information:
    Phase: 4
    Type: FOVER
    Subtype: standby-update
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 26135657, packet dispatched to next module
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    Action: allow

  • CSS wrongly reports SYN attacks

    Hi all,
    In our environment we have a CSS 11800 which is connected to 3 servers which are all running the same services. Every night there is a log rotation and therefore the services are taken down one by one.
    The CSS forwards traffic to the service even if it's down.
    From the time the service is down I can always see a huge amount of SYN attacks reported in the traplog.
    The reason for this is that the server sends a RST for every SYN request (which is normal as the port is down).
    We are running on SW version 5.00 build 63.
    Can you tell me how long it takes until the CSS detects the service as down, and whether there is a newer release which maybe detects a RST as a valid response to a SYN and therefore doesn't report a SYN attack?

    I don't see why you do not shut down the service manually during maintenance.
    Regarding how fast the CSS detects a service down, it depends on the sort of keepalive you have configured.
    If you are using an ICMP keepalive, the CSS may still believe the service is active if it continues to respond to ping.
    Again, the fastest way for the CSS to detect a service as down is to configure it to be down.
    No release will accept the RST.
    It is your job to make sure the CSS does not forward traffic to a service that is down.
    Gilles.
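Two of the threads above report "SYN attack" counters that mean different things: the TMG reply describes genuine half-open connections (SYN received, SYN-ACK sent, final ACK never arrives), while the CSS post above describes a server answering every SYN with a RST because the port is closed, which the CSS counts as an attack anyway. The following is an added example, not from either post and not vendor code: a Python flow tracker that runs over a constructed packet trace and separates handshakes into established, refused (RST to the SYN), half-open (SYN-ACK never acknowledged) and unanswered (no reply at all), then labels each client. The trace, the timeout and the thresholds are assumptions.

```python
"""Classify TCP handshake outcomes from a packet trace.

Added example; TRACE is constructed, not captured. Each packet is
(time, src, sport, dst, dport, flags) with flags such as "S", "SA", "A", "RA".
Only the handshake is tracked, not data transfer or teardown.
"""
from collections import defaultdict

SERVER = "192.0.2.10"
TRACE = [
    # Normal client: full three-way handshake.
    (0.00, "10.0.0.5", 50000, SERVER, 80, "S"),
    (0.01, SERVER, 80, "10.0.0.5", 50000, "SA"),
    (0.02, "10.0.0.5", 50000, SERVER, 80, "A"),
    # Service down for log rotation: every SYN is answered with RST (the CSS case).
    (1.00, "10.0.0.6", 40000, SERVER, 80, "S"),
    (1.01, SERVER, 80, "10.0.0.6", 40000, "RA"),
    (1.50, "10.0.0.6", 40001, SERVER, 80, "S"),
    (1.51, SERVER, 80, "10.0.0.6", 40001, "RA"),
    # SYN flood pattern: server replies SYN-ACK, the client never sends the ACK.
    (2.00, "203.0.113.9", 1111, SERVER, 80, "S"),
    (2.01, SERVER, 80, "203.0.113.9", 1111, "SA"),
    (2.10, "203.0.113.9", 1112, SERVER, 80, "S"),
    (2.11, SERVER, 80, "203.0.113.9", 1112, "SA"),
    (2.20, "203.0.113.9", 1113, SERVER, 80, "S"),
    (2.21, SERVER, 80, "203.0.113.9", 1113, "SA"),
    # SYN that gets no reply at all (filtered or dropped somewhere upstream).
    (3.00, "198.51.100.4", 3333, SERVER, 22, "S"),
]


def classify_flows(packets, timeout=3.0, end_time=None):
    """Map (client, cport, server, sport) -> handshake state.

    Pending states are resolved against end_time (default: last packet time):
    a SYN still unanswered after `timeout` becomes "unanswered"; a SYN-ACK still
    unacknowledged becomes "half-open", the state a SYN flood leaves behind.
    """
    state, last_seen = {}, {}
    for t, src, sport, dst, dport, flags in sorted(packets):
        fwd = (src, sport, dst, dport)   # packet travelling client -> server
        rev = (dst, dport, src, sport)   # packet travelling server -> client
        if flags == "S":
            state[fwd], last_seen[fwd] = "syn-sent", t
        elif flags == "SA" and state.get(rev) == "syn-sent":
            state[rev], last_seen[rev] = "syn-received", t
        elif "R" in flags and state.get(rev) in ("syn-sent", "syn-received"):
            state[rev] = "refused"       # closed port: not a flood, just no listener
        elif flags == "A" and state.get(fwd) == "syn-received":
            state[fwd] = "established"
    now = end_time if end_time is not None else max(p[0] for p in packets)
    for key, st in list(state.items()):
        if now - last_seen[key] >= timeout:
            if st == "syn-sent":
                state[key] = "unanswered"
            elif st == "syn-received":
                state[key] = "half-open"
    return state


def per_client(states):
    """Count handshake outcomes per client address."""
    counts = defaultdict(lambda: defaultdict(int))
    for (client, _, _, _), st in states.items():
        counts[client][st] += 1
    return {client: dict(c) for client, c in counts.items()}


def verdict(counts, half_open_threshold=3):
    """Heuristic per-client label; the threshold is an assumption."""
    labels = {}
    for client, c in counts.items():
        if c.get("half-open", 0) >= half_open_threshold:
            labels[client] = "syn-flood-suspect"
        elif c.get("refused", 0) and not c.get("half-open", 0):
            labels[client] = "port-closed"   # RST to SYN: service down, not an attack
        elif c.get("established", 0):
            labels[client] = "normal"
        else:
            labels[client] = "indeterminate"
    return labels


if __name__ == "__main__":
    states = classify_flows(TRACE, timeout=3.0, end_time=10.0)
    for key, st in states.items():
        print(key, st)
    print(verdict(per_client(states)))
```

The distinction matters for the counter you end up graphing: the CSS, as Gilles says, will count the refused handshakes regardless, so if you take SYN-attack figures from the load balancer, expect them to spike every time a backend is down rather than only when somebody is flooding you.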

  • SNMP Traps and Monitoring UCS

    Hi Guys;
    During the implementation of UCS blades I found a number of issues that have not been solved. I need to monitor the UCS solution through an NMS with traps and by monitoring certain items. To do this I need to deliver the MIBs to the monitoring group and tell them the OIDs to monitor certain things, but I haven't found specific documentation about this. I need to monitor things like the state of the fans, CPU, memory and connections.
    The solution consists of:
    Fabric Interconnects: 2 x 6140XP
    Chassis: 9 x 5108
    Servers: 70 x B230M2
    UCSM v1.4
    I also need to apply some security to SNMP, like an ACL, to secure the solution in the customer environment.

    Hello Orlando,
    UCS MIBs are available here for download
    ftp://ftp.cisco.com/pub/mibs/supportlists/ucs/
    MIB reference guide
    http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/mib/reference/UCS_MIBRef.html
    Padma

  • SYN attack

    Hi All,
    I have a router whose inside interface is connected to a firewall.
    Last week I had an attack on one of my internal servers, and I was also losing connectivity to the inside interface of the firewall.
    But today the internet suddenly went down; when I checked, the link was up, but I was also not able to ping the router interface.
    When I checked the firewall there was a log indicating a SYN attack, but the source and destination IP were not mentioned.
    Can anybody suggest anything?

    Prevent the attack itself?
    No.
    Mitigate the impact on services?
    To some extent, yes. Read the link below.
    The aggressor can always oversaturate your internet link.
    It is just a numbers game: a SYN packet has size X, your link has size Y and can traverse Z packets per second.
    Then the aggressor just needs to send enough SYN packets to eat up the resources of Y or Z, whichever comes first.
    However, that is not the normal way of using SYN attacks, since there are faster ways to oversaturate the link.
    The normal way of using SYN attacks is to steal resources away from the server that is under attack by not establishing a full TCP connection.
    This is mitigated in the firewall that sits in between the aggressor and the server and answers the SYN packets, only letting through the ones that are legit.
    http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
    Good luck
    HTH
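The reply above describes the firewall answering the SYNs itself and only passing the handshakes that complete. The mechanism that lets a device do that without holding state per SYN is the SYN cookie. What follows is an added example, not part of the original post and not the Linux, Cisco or Microsoft implementation: a simplified Python version in the shape of Bernstein's scheme, where the server's initial sequence number encodes a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed hash of the 4-tuple and the client's ISN. The server stores nothing on the SYN; the final ACK carries the cookie back and is validated from the wire values alone. The MSS table, the 64-second tick, the two-tick acceptance window and the function names are assumptions.

```python
"""Stateless SYN handling with SYN cookies (simplified, added example).

Not the Linux or any vendor layout; it follows Bernstein's description:
a 32-bit server ISN = 5-bit time counter | 3-bit MSS index | 24-bit keyed hash
over (src, dst, sport, dport, client ISN, counter). No state is kept until the
final ACK proves the peer actually received the SYN-ACK, so a flood of SYNs
from spoofed addresses costs the server nothing but bandwidth.
MSS_TABLE, TICK_SECONDS and ACCEPT_TICKS are assumptions.
"""
import hashlib
import hmac
import os
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # assumed; at most 8 entries (3 bits)
TICK_SECONDS = 64                     # resolution of the time counter
ACCEPT_TICKS = 2                      # accept cookies from this tick or the previous one
SECRET = os.urandom(32)               # a real server rotates this at boot


def _tick(now):
    return (int(now) // TICK_SECONDS) & 0x1F


def _mss_index(mss):
    """Index of the largest table entry not above the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _hash24(src, dst, sport, dport, client_isn, tick):
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHII", sport, dport, client_isn, tick))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """Server ISN to place in the SYN-ACK; nothing is stored for this SYN."""
    tick = _tick(now)
    return (tick << 27) | (_mss_index(mss) << 24) | _hash24(src, dst, sport, dport, client_isn, tick)


def check_cookie(src, dst, sport, dport, client_isn, cookie, now):
    """Return the MSS encoded in a valid, fresh cookie, else None."""
    tick = cookie >> 27
    if (_tick(now) - tick) & 0x1F >= ACCEPT_TICKS:
        return None                                   # too old (or from the future)
    if (cookie & 0xFFFFFF) != _hash24(src, dst, sport, dport, client_isn, tick):
        return None                                   # forged, or replayed on another 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


def server_handle_syn(src, dst, sport, dport, seq, mss, now):
    """SYN in -> SYN-ACK sequence fields out (seq = cookie, ack = client ISN + 1)."""
    return {"seq": make_cookie(src, dst, sport, dport, seq, mss, now),
            "ack": (seq + 1) & 0xFFFFFFFF}


def server_handle_ack(src, dst, sport, dport, seq, ack, now):
    """Final ACK in: rebuild client ISN and cookie from the numbers on the wire."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack - 1) & 0xFFFFFFFF
    mss = check_cookie(src, dst, sport, dport, client_isn, cookie, now)
    return ("established", mss) if mss is not None else ("dropped", None)


if __name__ == "__main__":
    now = 1_700_000_000
    client, server = ("203.0.113.9", 40000), ("192.0.2.10", 80)
    # 1. client SYN with ISN 12345 -> server answers with a cookie, keeps no state
    synack = server_handle_syn(client[0], server[0], client[1], server[1], 12345, 1460, now)
    # 2. legitimate final ACK: seq = 12346, ack = cookie + 1
    print(server_handle_ack(client[0], server[0], client[1], server[1], 12346, synack["seq"] + 1, now))
    # 3. forged ACK from someone who never saw the SYN-ACK
    print(server_handle_ack(client[0], server[0], client[1], server[1], 12346, (synack["seq"] ^ 1) + 1, now))
    # 4. the same ACK replayed two ticks later
    print(server_handle_ack(client[0], server[0], client[1], server[1], 12346, synack["seq"] + 1, now + 130))
```

Because the cookie has only 24 bits of hash, a brute-force ACK flood has a 1 in 16 million chance per guess, which is why real stacks only switch to cookies once the backlog is full and why the secret and time counter both feed the hash.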

  • Windows Vista, Itunes 10.7, ipod Classic, scan and fix message - why?

    I am trying to connect my wife's iPod Classic to our Windows Vista computer. I get a Scan and Fix message for the iPod from Windows. I don't let it scan and click continue. iTunes is frozen and won't recognize the iPod. This has happened since upgrading to iTunes 10.7. Also, iTunes has been choppy in playing all video content since upgrading to iTunes 10.7.
    I have checked system requirements and driver upgrades.  So far I have no fix.  One site recommended turning off WiFi sync for all devices in Itunes.  But of course the device must be connected, and mine won't connect.  All my itunes video is languishing.  :-(

    Wi-Fi sync won't apply since you have an iPod Classic and it doesn't contain any Wi-Fi hardware.
    To get rid of the Scan and Fix error, see this page: http://www.yourlocaltech.com/resolve-vista-scan-and-fix-error-when-plugging-in-ipod-or-other-devices/
    We'll start there for now.
    B-rock

  • Failed Hardware Scan and other issues E440

    Hi all,
    This is probably more rant than anything, but I wanted to give a heads up to others too.
    I have a ThinkPad E440 that is a year old. From the very first time I turned it on, there have been issues. The first hardware scan (via Lenovo Solution Center - LSC) showed a warning for the Intel Dual Band Wireless-AC 7260 Local Connection Test. There were also tons of System Events that always show up in the "Configuration History" part of the LSC. You can look at the calendar and tell exactly which days I used the computer because there will be System Events generated each day. Things like app crashes and failed drivers.
    In July 2014, I got the first warning for the 16 GB SSD - the SMART Short Self-Test. By February this year it showed as failed for each hardware scan (these were initially set up to run monthly).
    Also the whole time I've had it the touch screen would just stop working at some point and I would have to reboot to get it working again.
    I finally called Lenovo on March 30th, before my warranty expired. When I called that time, I didn't realize the hard drive failure was the SSD. So they sent me a new 500 GB drive. I also added the other things into the case when I talked to them. For the wireless issue they suggested making sure the driver was up to date. I did this and let them know when I called back that it was up to date and still having the warning. So I called them to tell them about the wireless and also that I realized it was the SSD having the failure, not the main drive. The first case had already been closed even though none of the other items were addressed.
    So they opened another case (this is #2). They said to mail them the laptop since the wireless issue would probably be on the board and it wasn't something I could fix myself. They sent a box with a prepaid overnight shipping label. I was very sick for a few days so I sent it back to them on April 10th (a Friday). Via UPS I saw it was delivered on Saturday. Work was performed on it Monday, April 13th and sent back to me that very day. I received it on April 14th. This part of the service has been excellent - very fast response.
    Being in IT, I included a letter with the laptop that outlined the issues that should have been in the case. I also printed the hardware scans and what the system events looked like.
    When I got the laptop back, the sheet inside said they had replaced the Speaker because of Distorted Sound. This was not even on the list even though I had noticed it. I didn't even power up the laptop before calling them again - yes, I was furious! Plus our power was out...
    So this was noon on the 14th. They opened case #3 and sent me ANOTHER BOX so I could send it back.
    After our power came back on the 15th, I powered up my laptop. I opened the browser (I have it set to restore the previous session) and there was a sexually explicit video on YouTube. I opened the other browser and there was a different video on YouTube. So this person was watching YouTube instead of fixing my laptop. I looked through both browser histories and there was quite a bit of activity while my laptop was at the repair center... I ran the hardware scan - still failed and a warning for the wireless. They really hadn't done anything.
    I also found two pictures of the repair person in the recycle bin...
    So I called back. I was LIVID! They opened another case (this is #4). And sent me ANOTHER BOX. I finally learned the other day that once a case is opened, it cannot be edited or added to at all. Instead, they close the other case and open a new one. I guess their turnaround time for closing cases is excellent! I've never seen a system like that - and I've used a lot of them.
    I got a really nice, patient fellow on the line. He took all my info (again). I emailed him the pictures, screen captures of the YouTube videos, the letter I had sent - everything. He entered as much into the new case as he could - he talked to one of the supervisors to make sure he did it right. Somehow he flagged it so that the laptop would get more attention (time) at the repair facility. He also opened a separate case (an escalation ticket?) for a supervisor to call me regarding the person's conduct at the repair facility. He said they would call me that day. (It's now the 25th and I've never heard from anyone)
    So, he sent me ANOTHER BOX. I've built up quite a stack of them.
    Our power was out AGAIN from the 17th through the 19th (don't get me started).
    I noticed a hardware scan had now gotten a failure on the main hard drive. So I called them on the 21st to add this to the case before sending the laptop back. The girl said they can't add anything to an existing case or edit it at all once it's opened. She would have to open a new case and SEND ME ANOTHER BOX. I told her to forget it because I was ready to send it in and didn't want to wait for another box. I also asked for a status on that "escalation case" where the supervisor was supposed to call me. In order to do this she, yes, wait for it, had to open ANOTHER CASE!! So they would know I wanted a status. I'm completely dumbfounded.
    So I sent it back on the 21st. This time I practically wiped it. I had already removed all my files the last time, but I had left my bookmarks and browser history intact.  I set up a guest logon with admin privileges. I updated my letter and printed off more stuff to include with the box. On one sheet I had only the case number, the serial number and machine type. On another sheet I had "DO NOT SEPARATE THIS PAPERWORK FROM THE LAPTOP" and the case number. I put this sheet on top (The guy on the 15th said my letter and stuff may have gotten separated from the laptop once it was delivered to the repair facility). I used a ton of staples so it would all stay together. I included in my letter the failure on the main hard drive and asked if they could look at it. I wrote about having to open a new case if I wanted to include it.
    They received it on the 22nd. A nice gentleman from the repair facility called me that day asking about the password. that. was. written. on the sheet they have you fill out. I told him what happened last time and also mentioned the hard drive failure and asked if he could look into it. He said they would.
    I received my laptop back yesterday morning. The sheet that came with it said they had "replaced the following parts to complete the repair of your laptop."
    Part Description     Symptom
    IMAGE                Replaced due to engineering change
    System board         Network card error
    Hard disk drive      Network card error
    ECA-WIRELESS         <no symptom listed>
    There was also a sheet saying they had installed a factory preload of software and I needed to install Lenovo and Windows updates.
    When I booted it up, the first thing I noticed, in the lower right corner was:
    Windows 8.1
    SecureBoot isn’t configured correctly
    Build 9600
    I ran a hardware scan. Well, I tried. It stopped part way through and said it finished successfully but most of the tasks showed up as cancelled. I tried to run it again - issues - rebooting ensued. It said the LSC wasn’t available and that I should try again or reboot.
    Tried several times. Then got what I guess is the new BSOD - kinder, gentler:
    Your PC ran into a problem and needs to restart. We're just
    collecting some error info, and then we'll restart for you. (xx% complete)
    If you'd like to know more, you can search online later for this error: DRIVER_CORRUPTED_EXPOOL
    Even though the LSC said my Lenovo files were all up to date, I ran the Update. And first I had to download a new version of Update. Then I downloaded all of the Lenovo updates and installed them (there were quite a few). The BIOS update failed. While I was doing the Lenovo downloads, I got a light blue screen but no text (I was out of the room so I'm not sure what happened). Did CTRL-ALT-DEL and it shows only IE and Task Manager as applications that are running. Could not “Switch to” IE. Hitting window key to go to start didn't do anything. So I had to restart.
    By 3pm yesterday there were 34 system events in the configuration history.
    I ran the hardware scan again after I updated the Lenovo files, and you guessed it! Failure on the SSD (SMART Short Self-Test) and warning on the wireless. Nothing had changed. Except hardware scan is acting different than it did before I sent in the laptop for repairs. When it finishes, it instantly closes and just shows 100% complete. When I click on "see last results" it shows a screen called
    Log Information,
    Canceled 04/24/2015 n:nn pm
    You have not done a hardware test on your computer
    And the calendar in LSC only shows the very first hardware scan I did on Friday. Even the hardware scan screen shows the date and time of the last scan. It also shows the error code. In order to see exactly what is failing, I have to sit there and watch it very closely and snap a picture of the screen as soon as the error (or warning) shows up.
    When I would try to run Windows update, it would hang up PC Settings. I couldn't even kill it using task manager because it didn't show up as a task. During this, I got a flag saying the firewall wasn't turned on. I tried to turn it on, but clicking on Turn on Windows Firewall didn't do anything. I tried to setup my Microsoft account but that just hung too.
    I ended up running Windows Update FOUR TIMES to get all the updates installed. Every time I ran it, it said "Done!" and I would run it again and more would show up. The last time was this morning.
    At some point, the error about SecureBoot went away.
    Then, I created a bootable BIOS update disk. Following the ReadMe instructions, I went through ThinkPad Setup and verified several values. Of note:
    Secure Boot was DISABLED. According to the ReadMe file, this should be ENABLED in Windows 8.1. I enabled it.
    Under Startup/Boot, according to the ReadMe that came with the BIOS update, UEFI/Legacy Boot is supposed to be set at UEFI Only for Windows 8.1. Mine was set to "Both". I changed it.
    In Startup, OS Optimized Defaults was DISABLED, even though it says right there (and in the BIOS update ReadMe) it should be ENABLED to meet Microsoft Windows 8 Certification Requirement.
    After these updates, I flashed the new BIOS.
    Then, I ran hardware scan again...
    Now I have TWO failures on the SSD: Random Seek Test and SMART Short Self-Test. Great.
    In the Event Viewer (that I recently discovered), it says my disk has a bad block. It just says The device, \Device\Harddisk\DR1, has a bad block. I assume this is the SSD...
    There are 867 events in the event viewer - Critical, Error, and Warning...
    Fifty-two of these are from October 7, 2013 - before my little laptop was a glimmer.
    The rest are from when Lenovo had it and yesterday and today.
    64 of them are the disk error.
    341 are from DeviceSetupManager. 65 of those are from failed driver installs. 69 are for not being able to establish a connection to the windows update service. 64 are from not being able to establish a connection to the Windows Metadata and Internet Services (WMIS).
    3 times it's rebooted without cleanly shutting down
    60 of them are from Service Control Manager and say The TDKLIB service failed to start due to the following error: The system cannot find the file specified.
    One of them says {Registry Hive Recovered} Registry hive (file): '\??\C:\Users\Default\NTUSER.DAT' was corrupted and it has been recovered. Some data might have been lost.
    16 are warnings that various processors in Group 0 are being limited by system firmware.
    12 say the certificate for local system with thumbprint <bunch of hex numbers> is about to expire or already expired.
    108 are warnings for failure to load the driver \Driver\WUDFRd for various devices
    16 are application errors
    One is for the computer rebooting from a "bug check"
    15 are for name resolutions timing out after none of the configured DNS servers responded.
    10 are for SecureBoot being disabled.
    14 for services terminating unexpectedly
    15 are for WLAN Extensibility Module has stopped
    61 are for applications not being able to be restarted because the application SID does not match Conductor SID
    12 are for activation of CLSID timing out waiting for the service wuauserv to stop
    So, I'll call them on Monday and open. a. new. case (#5?) - but really 7. And get A NEW BOX.
    I'll keep you updated!

    Hi amycdero and welcome to the HP Forum,
    I understand that you are having scanning and printing issues after upgrading to Mavericks OS X v10.9.1. I will try my best to help you resolve this issue.
    In this document for Mac OS X: Scanning Software Does Not Open or Stops Responding are steps that may help you with your scanning issue.
    This document for Fixing Ink Streaks, Faded Prints, and Other Common Print Quality Problems should help with the streaking printing issue.
    I hope this information is helpful. Please let me know.
    Thank you,
    I worked on behalf of HP.

  • HP Scan and Capture Can't change the location that scanned documents go to

    I just upgraded to Windows 8.1.  I scanned a word document using HP Scan and Capture and the default location to save files is now "This PC".  I can see the folders under "This PC" and can save the document to one of the folders, but I can no longer browse to anything else.  If I click on This PC, I have the option to go to OneDrive, This PC or Network.  
    If I click on Network - I can type in \\mycomputer but it just lets me select a folder.  I'm trying to get to an external hard drive and I've tried typing \\external drive,  \\f, \\f:, \\f:\
    Anyone have any suggestions? I've gone to the preference section of HP Scan and Capture and when I select that I want to change the default location where I save the files, it puts me back to the This PC area.

    Hello mnmjackson, and welcome to the HP Forums.
    I see you are running into issues with your scans save location.  I would like to try and assist.
    I would recommend creating a new destination folder, and manually type out the full file path.
    Please let me know if you have any questions.  Thank you for posting on the HP Forums.
    Please click “Accept as Solution " if you feel my post solved your issue, it will help others find the solution.
    Click the “Kudos, Thumbs Up" on the right to say “Thanks" for helping!
    Jamieson
    I work on behalf of HP
    "Remember, I'm pulling for you, we're all in this together!" - Red Green.
