06-28-2007 04:40 AM
Hello All,
We are finding that connections made to a VIP on our CSS are being dropped from specific hosts as DOS SYN Attacks.
FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4549->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 1302645697
These hosts are accessing the VIP through a PIX firewall and the 2 checkpoint firewalls.
I can see that the connection is allowed through all the firewalls and eventually dropped on the CSS.
The connection is made on port 443 to the VIP initially and thereafter the client is directed to port 15000 on the webserver. This connection on 15000 is made through the CSS. It works for clients inside the PIX and those outside the PIX. But the affected users connect into the PIX firewall on a site-site VPN and for them the connections are being dropped.
Please update me with your comments on this at the earliest.
06-28-2007 06:49 AM
Hello Gilles,
Can you please reply to my query?
06-28-2007 10:47 AM
If the CSS flags the connection as a DoS attack, this is because the SYN/ACK was not seen by the CSS.
Verify that the path from client to server and server to client go through the CSS.
Gilles.
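To scope which clients are hit before tracing the return path, the FLOWMGR-7 entries can be grouped by source network; flags concentrated on one subnet point at the path that subnet's replies take. This is an added example, not part of the thread: the `vpn-site` label, its /24 and every log record after the first are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the format quoted in the thread. <013><010> are the
# CR/LF escapes shown in the log; only the first record comes from the post.
SAMPLE_LOG = """\
FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4549->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 1302645697
FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4551->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 1302990112
FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.27:1066->10.1.248.100:15000<013>
<010>synCnt: 3, initSeq: 877120934
"""

RECORD = re.compile(
    r"DoS SYN attack:\s*(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s*synCnt:\s*(?P<syn>\d+),\s*initSeq:\s*(?P<seq>\d+)"
)

def parse_records(text):
    """Return one dict per flagged flow, tolerating records wrapped over two lines."""
    # Replace CR/LF escapes and real line breaks with spaces so a wrapped
    # record is matched as a single unit.
    flat = re.sub(r"<01[03]>|\r|\n", " ", text)
    return [
        {"src": m["src"], "sport": int(m["sport"]),
         "dst": m["dst"], "dport": int(m["dport"]),
         "syn_cnt": int(m["syn"]), "init_seq": int(m["seq"])}
        for m in RECORD.finditer(flat)
    ]

def summarise(records, networks):
    """Count flagged flows per (source network label, destination ip:port)."""
    counts = defaultdict(int)
    for r in records:
        src = ip_address(r["src"])
        label = next((name for name, net in networks.items()
                      if src in ip_network(net)), "other")
        counts[(label, f'{r["dst"]}:{r["dport"]}')] += 1
    return dict(counts)

if __name__ == "__main__":
    # Assumed mapping: the site-to-site VPN clients live in 192.168.2.0/24.
    nets = {"vpn-site": "192.168.2.0/24"}
    for key, n in summarise(parse_records(SAMPLE_LOG), nets).items():
        print(key, n)
```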