Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
475
Views
0
Helpful
2
Replies

Dos attack seen on CSS while accessing application

syedanzar
Level 1
Level 1

‎06-28-2007 04:40 AM

Hello All,

We are finding that connections made to a VIP on our CSS are being dropped from specific hosts as DOS SYN Attacks.

FLOWMGR-7: <013><010>DoS SYN attack: 192.168.2.11:4549->10.1.248.100:15000<013>

<010>synCnt: 3, initSeq: 1302645697

These hosts are accessing the VIP through a PIX firewall and the 2 checkpoint firewalls.

I can see that the connection is allowed through all the firewalls and eventuall

y dropped on the CSS.

The connection is made on port 443 to the VIP initially and thereafter the client is directed to port 15000 on the webserver. This connection n 15000 is made through the CSS> It works for clients inside the PIX and those outside the PIX. But the affected users connect into the PIX firewall on a site-site VPN and for them the conenctions are being dropped.

Please update me your comments on this at the earliest.

Labels:
0 Helpful
2 Replies 2

syedanzar
Level 1
Level 1

‎06-28-2007 06:49 AM

Hello Giles,

Can you please reply to my query.

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to syedanzar

‎06-28-2007 10:47 AM

if the CSS flags the connection as dos attack, this is because the SYN/ACK was not seen by the CSS.

Verify that the path from client to server and server to client go through the CSS.

Gilles.

0 Helpful
Customers Also Viewed These Support Documents