Hi,

Just noticed from my trace, that client is using the same source port as a previous connection and the servers 2msl timer hasn't exceeded.

Is the 16 seconds the correct value

Cheers

yes, 16 seconds is correct.

G.

Thanks,

So if the server doesn't send a syn/ack within 16 seconds, the CSS drops the flow. Is this time configurable ?

Cheers

the CSS wants to see a complete 3-way handshake within the 16sec or it considers this connection a dos attack.

As mentioned earlier, this feature is totally not configurable.

You can't disable it or modify any parameters including the time.

Gilles.

Hi Gilles

Thanks for the info, Apologies for more questions. From my trace I see 5 SYN packets with a source port that should be in the time_wait state. I presume the dos feature should kick in 16 seconds after the first SYN is recived but Im not seeing the RST originate from the CSS until 3 minutes. Any clues to why ?

Client > Server

00:03:35 SYN >

00:03:35 ACK <

00:03:41 SYN >

00:03:41 ACK <

00:03:47 SYN >

00:03:47 ACK <

00:03:59 SYN >

00:03:59 ACK <

00:04:23 SYN >

00:04:23 ACK >

00:06:24 RST >

Thanks in advance

was the trace captured on the server side or the client side ?

If you do a 'show dos' do you see this connection counted as a dos attack or not ?

Since the server responds with an ACK to the SYN, the CSS could have the connection in the established state as well and the RST is coming from the client giving up the connection.

Gilles.

Gilles,

I haven't got access to the CSS at the moment, I will try and gain access and have a look. The trace is taken from the server side of the CSS, The client doesn't send the RST as the TTL is 127 which indicates it originated from the CSS. I do not see any SYN/ACKS being returned from the server only ACKS as the server believes this is still an active session.