SYN flood attack log In CSA MC

Mar 13th, 2008

I got a SYN flood attack log in CSA MC.


CSA log: TESTMODE: A potential SYN Flood attack has been detected. This may also indicate a possible routing problem. Reason: The TCP Listen Queue is full using interface Wired\HP NC7781 Gigabit Server Adapter #2. TCP: CSA MC IP/5401->local Instance IP/4418, flags 0x12. The operation would have been denied.


(Note: In log I have specified CSA MC IP and local Instance IP instead of its IP address)


I understood that SYN flooding is a type of denial of service attack and this alert has occurred when a TCP/IP connection was requested by MC to the Instance. It has resulted in a half open connection, as the return address is not in use. MC has detected it and it got denied.


Please let me know what action I have to take at this point?


Thanks

Arumugam.K
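A triage aid for the event quoted in the post above, as an added example that is not part of the original thread or of Cisco's code: it pulls the interface, endpoints and TCP flags out of the event text and decodes the flags byte, showing that 0x12 is SYN+ACK, the second step of the TCP handshake. The function names and regular expressions are assumptions built from the single log line shown here.

```python
import re

# TCP header flag bits, lowest bit first.
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
             (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR")]
# "TCP: <src>/<port>-><dst>/<port>, flags 0xNN" as it appears in the event text.
TUPLE_RE = re.compile(r"TCP:\s*(?P<src>.+?)/(?P<sport>\d+)->(?P<dst>.+?)/(?P<dport>\d+),"
                      r"\s*flags\s+0x(?P<flags>[0-9A-Fa-f]{1,2})")
IFACE_RE = re.compile(r"using interface (?P<iface>.+?)\.\s+TCP:")

def decode_flags(value):
    """Return the names of the TCP flags set in a flags byte."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def handshake_step(flags):
    """Place a decoded flag set in the TCP three-way handshake."""
    core = set(flags) & {"SYN", "ACK", "RST", "FIN"}
    if core == {"SYN"}:
        return "step 1: source is opening a connection to the destination"
    if core == {"SYN", "ACK"}:
        return "step 2: source is answering a SYN sent from the destination's address"
    if "RST" in core:
        return "reset: source is refusing or aborting the connection"
    return "not a handshake-opening segment"

def parse_event(text):
    """Extract triage fields from one SYN flood event; None if no TCP tuple is present."""
    m = TUPLE_RE.search(text)
    if m is None:
        return None
    iface = IFACE_RE.search(text)
    flags = decode_flags(int(m.group("flags"), 16))
    return {
        "test_mode": text.lstrip().startswith("TESTMODE:"),
        "interface": iface.group("iface") if iface else None,
        "src": m.group("src").strip(), "sport": int(m.group("sport")),
        "dst": m.group("dst").strip(), "dport": int(m.group("dport")),
        "flags": flags, "handshake": handshake_step(flags),
    }

# Event text copied from the post; the two "... IP" names are the poster's placeholders.
SAMPLE = (r"TESTMODE: A potential SYN Flood attack has been detected. This may also "
          r"indicate a possible routing problem. Reason: The TCP Listen Queue is full "
          r"using interface Wired\HP NC7781 Gigabit Server Adapter #2. TCP: CSA MC IP/5401"
          r"->local Instance IP/4418, flags 0x12. The operation would have been denied.")

if __name__ == "__main__":
    print(parse_event(SAMPLE))
```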




Arumugam,


We've been having a similar issue regarding SYN flood alerts. The affected system in turn starts to send additional ACK requests. This results in issues with the IIS functionality on that server. Clients begin to no longer have the ability to access the site hosted on the server. We've been battling between Cisco and Microsoft on this one. The issue appears to have started around Patch Tuesday in February.


My question to you is this: Have you noticed any latency with the system that is reporting the SYN flood? I'm curious if the problem is local to us, or possibly widespread.

Has anyone else noted the following alert?


"A potential SYN Flood attack is currently in progress. 1 unresponsive connection attempts have been detected since the last notification. Source addresses included X.X.X.X. Ports included TCP/XXX."


I've not been able to associate this issue with anything on the system. It appears to be a CSA bug, but unsure if we're the only ones seeing it. Please advise!


Thank you,


Christopher

mcvosi Thu, 05/29/2008 - 08:11

I experienced the exact situation. My only choice at the time was to disable the netshim for that host in the registry.



akumaresan Tue, 05/27/2008 - 03:18

Yes, I got this event from an internal IP. So I don't feel it's a malicious alert.


Great and thanks a lot to everyone for giving a good solution.


Regards

Arumugam.K
