Solved: CSS DoS illegal Src Attack

arnaud.chiaberge · ‎08-27-2007

Hi,

On my CSS 11506, logs are full of these kind of error messages:

"NETMAN-5: Enterprise:DOS Attack:Illegal Src -> 5 times". It also generates a trap every seconds, flooding our syslogd and trapd server.

The first information one would obviously require is which IP address, and on which interface, is causing this error message.

I had a look at the "sh dos" command and I can see the counter for "Illegal Src Attacks" increasing (quite logical), BUT then in the detailed events, I can't see any of these events, I only see few SYN Attacks detailed events.

So does anyone know where I can get the details for these "Illegal Src Attacks" events ?

Many Thanks for any help,

Regards,

Arno

Jose Garcia · ‎08-28-2007

Hi Arno,

As the log clearly says, this message appears due many packets that tries to get across the CSS with illegal source addresses, most of the times this are illegal broadcasts, the details about source and destination addresses should appear with the "show DoS" unless the SYN attacks are overriding the illegal src logs.

Try to clean the DoS counters (#zero dos statistics) and monitor the CSS for a while using the Show DoS, you should be able to get the details for the illegal src attack.

I have had experiences with this messages and in most of the cases this logs appear when one of two thing happens:

1- If there is any kind of loop where a broadcast packet emitted by the CSS arrive to the same CSS but on a different interface.

2-Some firewalls generate heartbeat packets addressed to 0.0.0.0, if this heart beat get to the CSS, it will be log as an attack. Due your case the logs appear very often you may consider looking for any firewall over there.

If you keep having issues finding the source of this attacks I will advise you to run some sniffer captures on the interfaces of the CSS and look for any strange broadcast or multicast packets.

Let me know if you have any other information we can use to find the source of this logs.

Regards.

Josega.

View solution in original post

Jose Garcia · ‎08-28-2007

Hi Arno,

As the log clearly says, this message appears due many packets that tries to get across the CSS with illegal source addresses, most of the times this are illegal broadcasts, the details about source and destination addresses should appear with the "show DoS" unless the SYN attacks are overriding the illegal src logs.

Try to clean the DoS counters (#zero dos statistics) and monitor the CSS for a while using the Show DoS, you should be able to get the details for the illegal src attack.

I have had experiences with this messages and in most of the cases this logs appear when one of two thing happens:

1- If there is any kind of loop where a broadcast packet emitted by the CSS arrive to the same CSS but on a different interface.

2-Some firewalls generate heartbeat packets addressed to 0.0.0.0, if this heart beat get to the CSS, it will be log as an attack. Due your case the logs appear very often you may consider looking for any firewall over there.

If you keep having issues finding the source of this attacks I will advise you to run some sniffer captures on the interfaces of the CSS and look for any strange broadcast or multicast packets.

Let me know if you have any other information we can use to find the source of this logs.

Regards.

Josega.

arnaud.chiaberge · ‎08-28-2007

Hi Josega,

VERY WELL SPOTTED !!

After reading your message, I investigated the traffic surounding my CSS, and I indeed have a firewall generating heartbeat packets with source IP address 0.0.0.0 and multicast dest MAC address. Usually our L2 switches in this environment have "permanent cam" addresses so that such multicast traffic does not hit devices that are not interested in it, BUT we forgot to configure one of them and that's it ! This heartbeat traffic hits every devices in this environment, including the CSS.

Many many thanks for your very valuable help.

michelegullia · ‎09-01-2010

Hi to all,

i desperate need your help.

I got a very similar problem with CSS.

Same DoS attack. (many Syn Attack visible in the "show dos" detailed command and many Src Attack but only in the counters)

The strange thing is that the ip address involved are unicast ip (not multicast).

I've not understand many things.

The first is , what's the reason why CSS see that 10.6.27.133 is an Illegal Src??? (It's in this case the .133 is the ip address of interface 6/9 of CSS)

OS Attack Event 1:

First Attack: 31/08/2010 22:52:24

Last Attack: 31/08/2010 22:52:34

Source Address: 10.6.27.133 Destination Address: 10.6.84.69

Event Type: Illegal Src Total Attacks: 3

Someone can help me to understand?

Below is the "show dos" with one event as an example

Total Attacks: 33170637

SYN Attacks: 14,843,912 Maximum per second: 284

LAND Attacks: 0 Maximum per second: 0

Zero Port Attacks: 0 Maximum per second: 0

Illegal Src Attacks: 18,325,982 Maximum per second: 224

Illegal Dst Attacks: 743 Maximum per second: 4

Smurf Attacks: 0 Maximum per second: 0

DOS Attack Event 12:

First Attack: 31/08/2010 22:18:34

Last Attack: 31/08/2010 22:31:26

Source Address: 10.6.67.167 Destination Address: 113.213.43.145

Where do you suggest to investigate??

Many thanks,

M.G.