02-27-2004 12:53 AM
Hi all,
in our environment we have a CSS 11800 which is connected to 3 servers which are all running the same
services. Every night there is a log rotation and therefore the services are taken down one by one.
The CSS forwards traffic to the service even if it's down.
From the time the service is down I can always see a huge amount of SYN attacks reported in the traplog.
The reason for this is that the server sends a RST for every SYN request (which is normal as the port
is down).
We are running on SW version 5.00 build 63.
Can you tell me how long it takes until the CSS detects the service as down and if there is a newer release which maybe detects a RST as a valid response to a SYN and therefore doesn't report a SYN attack?
02-27-2004 02:50 AM
I don't see why you do not shut down the service manually during maintenance?
Regarding how fast the CSS detects a service down, it depends on the sort of keepalive you have configured.
If you are using ICMP keepalive the CSS may still believe the service is active if it continues to respond to ping.
Again, the fastest way for the CSS to detect a service down is to configure it to be down.
No release will accept the RST.
It is your job to make sure the CSS does not forward traffic to a service that is down.
Gilles.
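The two points in the reply above, sketched as a CSS service configuration. This is an added example, not part of the original thread: the service name, IP address and port are constructed placeholders, and the keepalive timer values are illustrative assumptions, not recommendations from the posters.

```text
! Constructed example: "server1", 192.0.2.11 and port 80 are placeholders.
service server1
  ip address 192.0.2.11
  protocol tcp
  port 80
  ! Weak setting: an ICMP keepalive only shows that the host answers ping,
  ! so the service stays "alive" while the application port is closed.
  ! keepalive type icmp
  ! Stronger setting: probe the TCP port that traffic is forwarded to.
  keepalive type tcp
  keepalive port 80
  ! Assumed timer values; the actual detection time depends on them.
  keepalive frequency 5
  keepalive retryperiod 5
  keepalive maxfailure 3
  active

! Before the nightly log rotation stops the application on server1:
service server1
  suspend

! After the application on server1 is listening again:
service server1
  active
```

With the service suspended for the maintenance window, the CSS stops sending new connections to it, so the server is not answering forwarded SYNs with RSTs during that time.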
02-27-2004 04:42 AM
Thank you very much.
That just verifies what I was telling my server guys already.