DoS attack seen on CSS while accessing application

Jun 28th, 2007

Hello All,

We are finding that connections made to a VIP on our CSS are being dropped from specific hosts as DOS SYN Attacks.


FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4549->10.1.248.100:15000<013>

<010>synCnt: 3, initSeq: 1302645697

These hosts are accessing the VIP through a PIX firewall and the 2 checkpoint firewalls.

I can see that the connection is allowed through all the firewalls and eventually dropped on the CSS.

The connection is made on port 443 to the VIP initially and thereafter the client is directed to port 15000 on the webserver. This connection on 15000 is made through the CSS. It works for clients inside the PIX and those outside the PIX. But the affected users connect into the PIX firewall on a site-site VPN and for them the connections are being dropped.

Please update me with your comments on this at the earliest.



Gilles Dufour (Cisco Employee) Thu, 06/28/2007 - 10:47

If the CSS flags the connection as a DoS attack, this is because the SYN/ACK was not seen by the CSS.

Verify that the path from client to server and server to client go through the CSS.


Gilles.
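One way to triage these log entries, as an added example that is not part of the original thread or Cisco's code: it parses "DoS SYN attack" entries in the format quoted in the question and groups the flagged clients by source network, so a single network behind one path (such as the VPN site) stands out as a candidate for the return-path check suggested in the reply. The function names, the /24 grouping and every sample entry except the first are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

EVENT = re.compile(
    r"DoS SYN attack:\s*(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s*synCnt:\s*(?P<syn>\d+),\s*initSeq:\s*(?P<seq>\d+)"
)

def parse_events(text):
    """Return one dict per 'DoS SYN attack' entry found in raw CSS log text."""
    # <013>/<010> are the CR/LF markers visible in the posted log; drop them
    # and collapse whitespace so an entry split over lines becomes one string.
    flat = re.sub(r"\s+", " ", re.sub(r"<01[03]>", " ", text))
    return [
        {
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "syn_count": int(m["syn"]), "init_seq": int(m["seq"]),
        }
        for m in EVENT.finditer(flat)
    ]

def group_by_client_network(events, prefix=24):
    """Map (client network, 'dst:port') -> sorted list of flagged client IPs."""
    groups = defaultdict(set)
    for e in events:
        # The /24 prefix is an assumption; use the real client subnet sizes.
        net = ipaddress.ip_network(f"{e['src']}/{prefix}", strict=False)
        groups[(str(net), f"{e['dst']}:{e['dport']}")].add(e["src"])
    return {key: sorted(ips) for key, ips in groups.items()}

# First entry is the one quoted in the question; the other two are constructed.
SAMPLE = """FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4549->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 1302645697
FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.15:3310->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 884213377
FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4551->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 1302777001
"""

if __name__ == "__main__":
    groups = group_by_client_network(parse_events(SAMPLE))
    for (net, service), clients in groups.items():
        print(f"{net} -> {service}: flagged clients {', '.join(clients)}")
```

If every flagged client falls in one network and clients elsewhere reach the same service without being flagged, compare the forward and return routes for that network first.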
