CSS false syn attack behavior

liorcohen
Level 1

Hi all,

We are having an issue with our CSS11501, version sg0810106.

Our web app is using a lot of web requests (up to one every 15 seconds).

For some reason our session is occasionally being dropped, and we can't connect for a few minutes.

I just found out that the source IP address of the client is shown as a source for "syn attack" when I issue "show dos".

Does the CSS block my legitimate traffic as a suspected SYN attack?

If so, how can I work around it?

Why does it pick it as a SYN attack, and how can I improve its false detection?

Can anyone help me with this?

thanks,

Lior


5 Replies

Gilles Dufour
Cisco Employee

Lior,

The CSS doesn't block anything.

It just detects, like you do, that the server fails to connect and assumes this might be a SYN attack since the 3-way handshake did not complete.

Get a sniffer trace and find out why the destination is not responding.

Gilles.

Are you sure that it only detects and doesn't take any action?

Because this says something else...

http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/cswsc_wi.htm

this is really strange...

It will reset the connection after 16 seconds.

No blocking of further syn.

The document you referenced is old.

The behavior has changed a long time ago.

Check the destination. See if it gets the SYN and why it does not respond.

Gilles.

Thanks Gilles,

Indeed, the CSS doesn't block anything (I wish the documents had been more explicit about it, beyond writing that the DoS feature cannot be disabled).

However, it was a problem caused by the CSS, and I write this here just in case someone else encounters the same.

I have been using the CSS for many years now, but this is the first time that I used it on a very connection-intensive application and in such an environment, and this is why the issue became a visible problem.

The CSS and the ASA were connected on the same network, with the CSS interface configured as the default gateway on the hosts.

However, the CSS sends ICMP redirect packets to the hosts, injecting a "better" route to different external IP addresses via the ASA interface IP address. That caused connections from different IP addresses to be blocked for a period of 10 minutes (the default time that an ICMP-redirect-injected route stays in the routing table of Windows Server 2003), because the routing table on the host has a "better" route which is not the CSS's interface.

Together with the fact that I was using a sticky session content rule based on sticky-srcip, that caused an outage of 10 minutes for different IP addresses on a regular basis.

I have sorted it out by disabling ICMP redirect in the Windows hosts' registry:

"\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"

Change EnableICMPRedirect to "0" (by default it is "1").

Reboot the hosts, and you will see an immediate drop in SYN attack indications on the CSS, hinting that the problem has been solved.

I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did that for me.

Thanks again Gilles for your enlightenment.

Regards,

Lior
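Added example, not part of the thread or of Cisco's software: a small Python script that applies the two figures quoted above (the CSS resets a half-open flow after 16 seconds; Windows Server 2003 keeps a redirect-learned route for 10 minutes) to a constructed sniffer trace, flagging the incomplete handshakes the CSS would count under "show dos" and pairing each with the ICMP redirect that preceded it. The host, gateway and external addresses in the trace are made up for the example.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "t proto src dst info")

# Figures quoted in the thread: CSS resets a half-open flow after 16 s;
# Windows Server 2003 keeps a redirect-learned route for 10 minutes.
RESET_AFTER = 16.0
REDIRECT_TTL = 600.0

# Constructed packet summaries (not from the original post). Host 10.0.0.21 uses the
# CSS (10.0.0.1) as default gateway; 203.0.113.10 is an external peer. For tcp, info is
# the flag string; for icmp-redirect, info is the destination the host is told to reroute.
SAMPLE_TRACE = [
    Pkt(0.0,  "tcp", "10.0.0.21:40001", "203.0.113.10:443", "S"),
    Pkt(0.1,  "tcp", "203.0.113.10:443", "10.0.0.21:40001", "SA"),
    Pkt(0.1,  "tcp", "10.0.0.21:40001", "203.0.113.10:443", "A"),
    Pkt(15.0, "icmp-redirect", "10.0.0.1", "10.0.0.21", "203.0.113.10"),
    Pkt(30.0, "tcp", "10.0.0.21:40002", "203.0.113.10:443", "S"),
    Pkt(33.0, "tcp", "10.0.0.21:40002", "203.0.113.10:443", "S"),  # retransmit, no SYN-ACK
]

def half_open_flows(trace, now):
    """Return flows whose SYN got no SYN-ACK within RESET_AFTER seconds, each tagged
    with the ICMP redirect (if any) that pulled that host/destination off the CSS."""
    first_syn, answered, redirects = {}, set(), []
    for p in trace:
        if p.proto == "icmp-redirect":
            redirects.append(p)                        # p.dst is the host, p.info the rerouted dest
        elif p.proto == "tcp" and p.info == "S":
            first_syn.setdefault((p.src, p.dst), p.t)  # keep the first SYN, ignore retransmits
        elif p.proto == "tcp" and p.info == "SA":
            answered.add((p.dst, p.src))               # server -> client, keyed as (client, server)
    findings = []
    for (client, server), t0 in first_syn.items():
        if (client, server) in answered or now - t0 < RESET_AFTER:
            continue                                   # completed, or still inside the 16 s grace
        host, dest = client.rsplit(":", 1)[0], server.rsplit(":", 1)[0]
        cause = next((r for r in redirects
                      if r.dst == host and r.info == dest and r.t <= t0 <= r.t + REDIRECT_TTL), None)
        findings.append({"flow": (client, server), "first_syn": t0,
                         "redirect_from": cause.src if cause else None})
    return findings

if __name__ == "__main__":
    for f in half_open_flows(SAMPLE_TRACE, now=60.0):
        print(f)
```

A flow reported with a non-empty redirect_from points at the route-injection cause described in the post rather than at an unresponsive server.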

Thanks for the update.

I'm glad you could sort this out.

Gilles.
