
CSS DoS

b.petronio
Level 3

Hi all,

My CSS has been denying some connections between Internet and Web-Servers, indicating Illegal Src Attacks and SYN Attacks.

I already know that DoS is not changeable, and that the CSS waits for an ACK to complete the TCP 3-way handshake, and after that sends a TCP RST to both sides.

The CSS is making SSL Termination for internet users and following on port 7778 for Oracle WebCache. After that, the Application Server requests for DataBase server and sends back to the Application Server/WebCache.

My question is why the CSS accepts connections for one source IP, and not for another?

Is there any workaround for this type of situation?

Has anyone been through this type of situation?

Check out this one:

DOS Attack Event 2:

First Attack: 24/03/2008 16:20:00

Last Attack: 24/03/2008 16:20:08

Source Address: 62.48.x.78 Destination Address: 10.1.2.135

Event Type: SYN Attack Total Attacks: 2

CSS# show flows | grep 62.48.x.78

10.1.1.120 7778 62.48.x.78 28849 62.48.x.78 TCP e9 SSL-2

62.48.x.78 34646 10.1.2.135 443 10.1.2.135 TCP e1 SSL-2

62.48.x.78 34646 10.1.2.135 80 10.1.1.120 TCP SSL-2 e9

CSS# show dos summary

Denial of Service Attack Summary:

Total Attacks: 3749

SYN Attacks: 165 Maximum per second: 6

LAND Attacks: 0 Maximum per second: 0

Zero Port Attacks: 0 Maximum per second: 0

Illegal Src Attacks: 3,584 Maximum per second: 12

Illegal Dst Attacks: 0 Maximum per second: 0

Smurf Attacks: 0 Maximum per second: 0

Last Clearing of Stats Counter: 24/03/2008 16:20:25

First Attack Detected: 24/03/2008 16:25:33

Last Attack Detected: 24/03/2008 16:25:33

CSS#

Best Regards,

Petrónio


Gilles Dufour
Cisco Employee

Usually this is an indication of asymmetric routing.

Somehow, one server is sending the SYN/ACK directly to the source without going through the CSS.

Get a sniffer trace front-end and back-end and you should see this.

Gilles.
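
Added example, not part of the original thread and not Cisco code: one way to check a back-end sniffer trace for the symptom described in the reply, namely SYNs forwarded to a server whose SYN/ACK never returns past the capture point. It assumes a tcpdump-style text export; the trace lines, client addresses, the second server address 10.1.1.121 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump-style summary line: "IP src.sport > dst.dport: Flags [S], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed back-end capture (server side of the load balancer).
SAMPLE_BACKEND = """\
16:20:00.000100 IP 192.0.2.10.34646 > 10.1.1.120.7778: Flags [S], seq 1000, win 5840, length 0
16:20:00.000400 IP 10.1.1.120.7778 > 192.0.2.10.34646: Flags [S.], seq 2000, ack 1001, win 5792, length 0
16:20:00.000700 IP 192.0.2.10.34646 > 10.1.1.120.7778: Flags [.], ack 1, win 5840, length 0
16:20:01.000100 IP 198.51.100.7.28849 > 10.1.1.121.7778: Flags [S], seq 3000, win 5840, length 0
16:20:04.000100 IP 198.51.100.7.28849 > 10.1.1.121.7778: Flags [S], seq 3000, win 5840, length 0
"""

def parse(trace):
    """Yield (src, sport, dst, dport, flags) for each TCP line in the trace."""
    for line in trace.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def unanswered_syns(trace):
    """Map (client, cport, server, sport) -> SYN count for flows whose
    SYN/ACK was never seen coming back through the capture point."""
    syns, answered = Counter(), set()
    for src, sport, dst, dport, flags in parse(trace):
        if flags == "S":                             # SYN toward the server
            syns[(src, sport, dst, dport)] += 1      # retransmissions add up
        elif flags == "S.":                          # SYN/ACK from the server
            answered.add((dst, dport, src, sport))   # reversed to match SYN key
    return {k: n for k, n in syns.items() if k not in answered}

def suspect_servers(trace):
    """Count unanswered flows per server: candidates for a return route
    that bypasses the load balancer."""
    return dict(Counter(server for _, _, server, _ in unanswered_syns(trace)))

if __name__ == "__main__":
    for flow, n in unanswered_syns(SAMPLE_BACKEND).items():
        print("no SYN/ACK seen for", flow, "after", n, "SYN(s)")
    print("servers to check for a direct return path:", suspect_servers(SAMPLE_BACKEND))
```

A server listed here is only a candidate: confirm by capturing on the server itself and checking whether it does emit a SYN/ACK and which next hop it uses.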