01-16-2008 06:17 AM
Hi,
What is the value/time after which a CSS resets a connection that is not fully established?
I'm seeing the following:
Client >
CSS <
SYN >
ACK <
ACK <
ACK <
ACK <
ACK <
RST <
RST comes from the CSS
01-16-2008 06:53 AM
The DoS feature will kick in and RST the connection after 16 seconds.
A 'show dos' will tell you if such a connection was detected.
This feature is not configurable.
Gilles.
01-16-2008 06:58 AM
Hi,
Just noticed from my trace that the client is using the same source port as a previous connection and the server's 2MSL timer hasn't expired.
Is the 16 seconds the correct value?
Cheers
01-16-2008 07:17 AM
Yes, 16 seconds is correct.
G.
01-16-2008 07:51 AM
Thanks,
So if the server doesn't send a SYN/ACK within 16 seconds, the CSS drops the flow. Is this time configurable?
Cheers
01-16-2008 08:14 AM
The CSS wants to see a complete 3-way handshake within the 16 sec or it considers this connection a DoS attack.
As mentioned earlier, this feature is totally not configurable.
You can't disable it or modify any parameters including the time.
Gilles.
01-17-2008 12:40 AM
Hi Gilles
Thanks for the info, apologies for more questions. From my trace I see 5 SYN packets with a source port that should be in the TIME_WAIT state. I presume the DoS feature should kick in 16 seconds after the first SYN is received, but I'm not seeing the RST originate from the CSS until 3 minutes. Any clues as to why?
Client > Server
00:03:35 SYN >
00:03:35 ACK <
00:03:41 SYN >
00:03:41 ACK <
00:03:47 SYN >
00:03:47 ACK <
00:03:59 SYN >
00:03:59 ACK <
00:04:23 SYN >
00:04:23 ACK >
00:06:24 RST >
Thanks in advance
01-17-2008 01:05 AM
Was the trace captured on the server side or the client side?
If you do a 'show dos', do you see this connection counted as a DoS attack or not?
Since the server responds with an ACK to the SYN, the CSS could have the connection in the established state as well and the RST is coming from the client giving up the connection.
Gilles.
01-17-2008 01:16 AM
Gilles,
I haven't got access to the CSS at the moment; I will try and gain access and have a look. The trace is taken from the server side of the CSS. The client doesn't send the RST, as the TTL is 127, which indicates it originated from the CSS. I do not see any SYN/ACKs being returned from the server, only ACKs, as the server believes this is still an active session.
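The rule Gilles states (a 3-way handshake must complete within 16 seconds or the flow is treated as a DoS attempt) and the trace in the later post (SYNs on a source port the server still has in TIME_WAIT, answered with bare ACKs instead of SYN/ACKs) can be replayed against a packet list to see which flows such a check would flag. The following is an added example written for this thread, not CSS code or Cisco's implementation of the DoS feature; the packet format, the flow-tracking logic and the sample capture are all constructed here, and only the 16-second value comes from the thread.

```python
"""Replay a TCP capture and flag flows whose 3-way handshake did not complete
within a deadline (constructed model of the behaviour described in the thread,
not the CSS implementation)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Value stated in the thread for the CSS DoS feature (not configurable there).
HANDSHAKE_TIMEOUT_SECS = 16


@dataclass
class Packet:
    t: float     # seconds since start of capture
    src: str     # "ip:port" of the sender (constructed format)
    dst: str     # "ip:port" of the receiver
    flags: str   # TCP flags as letters: "S", "SA", "A", "R"


@dataclass
class Flow:
    first_syn: float                      # time of the first SYN for this 4-tuple
    client: str                           # endpoint that sent the SYN
    got_synack: bool = False
    established_at: Optional[float] = None
    events: List[str] = field(default_factory=list)


FlowKey = Tuple[str, str]


def flow_key(p: Packet) -> FlowKey:
    """Order the two endpoints so both directions map to the same flow."""
    return (p.src, p.dst) if p.src < p.dst else (p.dst, p.src)


def track_handshakes(packets: List[Packet]) -> Dict[FlowKey, Flow]:
    """Replay packets in time order and record how far each handshake got."""
    flows: Dict[FlowKey, Flow] = {}
    for p in sorted(packets, key=lambda x: x.t):   # sorted() is stable
        k = flow_key(p)
        if p.flags == "S":
            # The first SYN starts the clock; retransmitted SYNs do not restart it.
            f = flows.setdefault(k, Flow(first_syn=p.t, client=p.src))
        elif k in flows:
            f = flows[k]
            if p.flags == "SA" and p.src != f.client:
                f.got_synack = True
            elif (p.flags == "A" and p.src == f.client
                  and f.got_synack and f.established_at is None):
                f.established_at = p.t
            # A bare ACK from the server, with no SYN/ACK first, does not advance
            # the handshake: that is what a server socket still in TIME_WAIT sends
            # when the client reuses the old source port (the case in the thread).
        else:
            continue  # packet for a flow whose SYN was not captured
        f.events.append(f"{p.t:.2f} {p.flags} {p.src}->{p.dst}")
    return flows


def dos_candidates(flows: Dict[FlowKey, Flow], now: float,
                   timeout: float = HANDSHAKE_TIMEOUT_SECS) -> List[FlowKey]:
    """Flows whose handshake had not completed `timeout` seconds after the first SYN.

    A flow that completes, but only after the deadline, is still reported: the
    check is about the deadline, not eventual success."""
    hits = []
    for k, f in flows.items():
        deadline = f.first_syn + timeout
        completed_in_time = f.established_at is not None and f.established_at <= deadline
        if not completed_in_time and now >= deadline:
            hits.append(k)
    return sorted(hits)


SERVER = "10.1.1.20:80"   # constructed address
# Constructed capture. Flow A mirrors the trace in the thread: every SYN is answered
# with a bare ACK, so the handshake never completes. Flow B is a normal handshake.
# Flow C completes, but the SYN/ACK arrives 20 s after the SYN, past the deadline.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5:1040", SERVER, "S"), Packet(0.0, SERVER, "10.0.0.5:1040", "A"),
    Packet(6.0, "10.0.0.5:1040", SERVER, "S"), Packet(6.0, SERVER, "10.0.0.5:1040", "A"),
    Packet(12.0, "10.0.0.5:1040", SERVER, "S"), Packet(12.0, SERVER, "10.0.0.5:1040", "A"),
    Packet(24.0, "10.0.0.5:1040", SERVER, "S"), Packet(24.0, SERVER, "10.0.0.5:1040", "A"),
    Packet(30.0, "10.0.0.6:2000", SERVER, "S"), Packet(30.01, SERVER, "10.0.0.6:2000", "SA"),
    Packet(30.02, "10.0.0.6:2000", SERVER, "A"),
    Packet(40.0, "10.0.0.7:3000", SERVER, "S"), Packet(60.0, SERVER, "10.0.0.7:3000", "SA"),
    Packet(60.01, "10.0.0.7:3000", SERVER, "A"),
]

if __name__ == "__main__":
    tracked = track_handshakes(SAMPLE_PACKETS)
    for key in dos_candidates(tracked, now=100.0):
        print("handshake not completed in time:", key)
        for ev in tracked[key].events:
            print("   ", ev)
```

Running the block reports flows A and C at `now=100.0`; at `now=50.0` only flow A is reported, because flow C's deadline has not yet passed. Flow A never sets `got_synack`, which is the signature of the server answering a reused port from TIME_WAIT with a plain ACK, as seen in the trace above.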