CSS wrongly reports SYN attacks

quickref
Level 1

Hi all,

in our environment we have a CSS 11800 which is connected to 3 servers which are all running the same services. Every night there is a log rotation and therefore the services are taken down one by one.

The CSS forwards traffic to the service even if it's down.

From the time the service is down I can always see a huge amount of SYN attacks reported in the traplog.

The reason for this is that the server sends a RST for every SYN request (which is normal as the port is down).

We are running on SW version 5.00 build 63.

Can you tell me how long it takes until the CSS detects the service as down, and if there is a newer release which maybe detects a RST as a valid response to a SYN and therefore doesn't report a SYN attack?

2 Replies

Gilles Dufour
Cisco Employee

I don't see why you do not shut down the service manually during maintenance?

Regarding how fast the CSS detects a service down, it depends on the sort of keepalive you have configured.

If you are using icmp keepalive the CSS may still believe the service is active if it continues to respond to ping.

Again, the fastest way for the CSS to detect a service down is to configure it to be down.

No release will accept the RST.

This is your job to make sure the CSS does not forward traffic to a service that is down.

Gilles.
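The point in the reply is that the keepalive type decides what "down" looks like: an ICMP keepalive keeps getting ping replies from a host whose service port is closed, while a TCP-connect keepalive receives the server's RST as a refused connection and counts it as a failure. The example below, added here and not code from the thread or from Cisco, models that with a local listener that is closed mid-run to stand in for one back-end during log rotation. The `frequency` and `maxfailure` parameter names, the `ServiceMonitor` state machine and the 127.0.0.1 listener are assumptions of this example, not the CSS CLI or its internal timing.

```python
import socket

# Probe outcomes, labelled by what the TCP stack actually saw.
ALIVE = "alive"          # three-way handshake completed
REFUSED = "refused"      # peer answered the SYN with RST (port closed)
NO_ANSWER = "no-answer"  # timeout or host unreachable


def tcp_probe(host, port, timeout=1.0):
    """One TCP-connect keepalive. A RST from the server surfaces here as
    ConnectionRefusedError, so the probe reports the port as refused rather
    than treating the RST as a healthy reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return ALIVE
    except ConnectionRefusedError:
        return REFUSED
    except OSError:  # socket.timeout is an OSError subclass
        return NO_ANSWER
    finally:
        sock.close()


class ServiceMonitor:
    """Hypothetical keepalive state machine (an assumption of this example):
    a service is marked down after `maxfailure` consecutive failed probes,
    with one probe sent every `frequency` seconds."""

    def __init__(self, frequency=5, maxfailure=3):
        self.frequency = frequency
        self.maxfailure = maxfailure
        self.failures = 0
        self.state = "alive"

    def record(self, probe_result):
        """Feed one probe outcome and return the resulting service state."""
        if probe_result == ALIVE:
            self.failures = 0
            self.state = "alive"
        else:
            self.failures += 1
            if self.failures >= self.maxfailure:
                self.state = "down"
        return self.state

    def worst_case_detection_seconds(self):
        """Upper bound on how long a stopped service keeps receiving traffic:
        the last good probe can land just before the stop, and `maxfailure`
        further probes, one per interval, are needed before it is marked down."""
        return self.frequency * self.maxfailure


def simulate_log_rotation(maxfailure=3):
    """Stand in for one back-end during log rotation: listen, get probed once,
    close the port, then get probed until the monitor marks it down.
    Returns (probe outcome, monitor state) for each probe."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # constructed: ephemeral local port
    listener.listen(5)
    port = listener.getsockname()[1]
    monitor = ServiceMonitor(frequency=5, maxfailure=maxfailure)
    timeline = []

    result = tcp_probe("127.0.0.1", port)        # service still up
    timeline.append((result, monitor.record(result)))

    listener.close()                             # service taken down for rotation
    for _ in range(maxfailure):                  # every SYN now gets a RST
        result = tcp_probe("127.0.0.1", port)
        timeline.append((result, monitor.record(result)))
    return timeline


if __name__ == "__main__":
    for outcome, state in simulate_log_rotation():
        print(f"probe={outcome:10s} service={state}")
    print("worst-case detection:",
          ServiceMonitor(5, 3).worst_case_detection_seconds(), "s")
```

Running it shows the service staying "alive" for the first failed probes and flipping to "down" only on the third; with a 5 second interval that is up to 15 seconds of SYNs being forwarded to a port that answers every one with a RST, which is exactly the window the traplog fills during. Marking the service down in the configuration before the rotation removes that window entirely, which is the reply's recommendation.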

Thank you very much.

That just verifies what I was telling my server guys already.
