CSS false syn attack behavior

Answered Question
Oct 6th, 2008

Hi all,


We are having an issue with our CSS11501,version sg0810106.


Our web app makes a lot of web requests (up to one every 15 seconds).

For some reason our session occasionally gets dropped, and we can't connect for a few minutes.

I just found out that the client's source IP address is shown as a source of a "syn attack" when I issue "show dos".


Does the CSS block my legitimate traffic as a suspected SYN attack?


If so, how can I work around it?

Why does it classify it as a SYN attack, and how can I reduce its false detections?


Can anyone help me with this?



thanks,

Lior


Gilles Dufour Mon, 10/06/2008 - 04:38
Cisco Employee

Lior,


The CSS doesn't block anything.

It just detects, like you, that the server fails to connect and assumes this might be a SYN attack, since the 3-way handshake did not complete.


Get a sniffer trace and find out why the destination is not responding.


Gilles.

Correct Answer
Gilles Dufour Mon, 10/06/2008 - 05:55
Cisco Employee

It will reset the connection after 16 seconds.

No blocking of further SYNs.

The document you referenced is old.

The behavior has changed a long time ago.


Check the destination. See if it gets the SYN and why it does not respond.


Gilles.

liorcohen Sun, 10/12/2008 - 05:20

Thanks Gilles,


Indeed the CSS doesn't block anything (I wish the documents had been more explicit about it, instead of only stating that the DoS feature cannot be disabled).


However, it was a problem caused by the CSS, and I write this here just in case someone else encounters the same.


I have used the CSS for many years now, but this is the first time I have used it with such a connection-intensive application in such an environment, and that is why the issue became a visible problem.


The CSS and ASA were connected to the same network, with the CSS interface configured as the default gateway on the hosts.


However, the CSS sends ICMP redirect packets to the hosts, injecting a "better" route to various external IP addresses via the ASA interface IP address. That caused connections from different IP addresses to be blocked for a period of 10 minutes (the default time that a route injected by an ICMP redirect stays in the routing table of Windows Server 2003), because the routing table on the host had a "better" route that was not the CSS's interface.


Together with the fact that I was using a sticky content rule based on sticky-srcip, that caused a 10-minute outage for different IP addresses on a regular basis.


I sorted it out by disabling ICMP redirects in the Windows hosts' registry:

"\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"

Change EnableICMPRedirect to "0" (by default it is "1").

Reboot the hosts, and you will see an immediate drop in SYN attack indications on the CSS, showing that the problem has been solved.


I read somewhere that there's an option to disable ICMP redirect packets on the CSS as well, but the other trick did it for me.


Thanks again, Gilles, for your enlightenment.


Regards,

Lior
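An added example, not part of the thread, that automates the check Lior describes: it audits the EnableICMPRedirect registry value, optionally sets it to 0, and then lists host routes whose next hop is not the expected default gateway, which is how a route injected by an ICMP redirect shows up on the host. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetRoute), i.e. Windows 8 / Server 2012 or newer; on Server 2003 the route listing would have to come from `route print` instead. The gateway address is a constructed placeholder, not an address from the thread.

```powershell
# Added example (not from the thread): audit and optionally disable ICMP redirect
# acceptance on a Windows host, then list host routes that bypass the expected
# default gateway (the symptom Lior describes: a /32 route pointing at the ASA
# instead of the CSS). Assumes Windows 8 / Server 2012 or newer for Get-NetRoute.
param(
    # Constructed placeholder: the load-balancer (CSS) interface the hosts should use as gateway.
    [string]$ExpectedGateway = '192.0.2.1',
    # Without -Fix the script only reports; with -Fix it writes EnableICMPRedirect=0.
    [switch]$Fix
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$name = 'EnableICMPRedirect'

# 1. Current setting. The value is absent on a default install, and Windows treats
#    an absent value as enabled (1).
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 1 }
Write-Host "$name is $current (1 = host accepts ICMP redirects, 0 = ignores them)"

if ($Fix -and $current -ne 0) {
    # DWORD write; the TCP/IP stack only reads it at boot, so a reboot is required.
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    Write-Host "Set $name to 0; reboot the host for it to take effect."
}

# 2. Redirect-injected routes are host routes (/32) whose next hop is not the
#    expected gateway. Listing them shows which destinations currently bypass the CSS.
#    On current Windows versions such routes also carry Protocol 'Icmp'.
$suspect = Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object {
        $_.DestinationPrefix -like '*/32' -and
        $_.NextHop -ne '0.0.0.0' -and
        $_.NextHop -ne $ExpectedGateway
    }

if ($suspect) {
    Write-Host "Host routes not using ${ExpectedGateway}:"
    $suspect | Select-Object DestinationPrefix, NextHop, InterfaceAlias, Protocol |
        Format-Table -AutoSize
} else {
    Write-Host "No host routes bypass $ExpectedGateway."
}
```

Run it once without -Fix from an elevated prompt to see both the registry state and any stray host routes; running it on a schedule gives an early warning that redirects are being accepted again (for example after a host rebuild), before the load balancer starts flagging the affected clients.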

Gilles Dufour Sun, 10/12/2008 - 08:10
Cisco Employee

Thanks for the update.

I'm glad you could sort this out.


Gilles.
