SYN flood attack log In CSA MC

akumaresan
Level 1

I got a SYN flood attack log in CSA MC

CSA log: TESTMODE: A potential SYN Flood attack has been detected. This may also indicate a possible routing problem. Reason: The TCP Listen Queue is full using interface Wired\HP NC7781 Gigabit Server Adapter #2. TCP: CSA MC IP/5401->local Instance IP/4418, flags 0x12. The operation would have been denied.

(Note: In log I have specified CSA MC IP and local Instance IP instead of its IP address)

I understood that SYN flooding is a type of denial of service attack and this alert has occurred when a TCP/IP connection was requested by MC to the Instance. It has resulted in a half-open connection, as the return address is not in use. MC has detected it and it got denied.

Please let me know what action I have to take at this point?

Thanks

Arumugam.K
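As an added example (not CSA code and not from the original post), the small Python triage script below parses alert text in the shape quoted above and pulls out the fields a responder would look at first: whether the agent was in TESTMODE, whether the operation was actually denied, the reason string, the endpoints, and the TCP flag byte. In the quoted alert the flags are 0x12, which decodes to SYN+ACK: the MC's reply to a connection attempt arrived while the instance's TCP listen backlog was full, which is why the message also mentions a possible routing problem. The sample alert lines and the addresses in them are constructed placeholders (RFC 1918 ranges and the 203.0.113.0/24 documentation range), and the `triage()` verdicts are my own labels; an internal source with a full listen queue is classed as backlog exhaustion to be checked against server latency rather than as an attack, which matches the conclusion reached later in this thread.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample alerts modelled on the CSA MC message quoted in the
# opening post. Addresses are placeholders (RFC 1918 and the 203.0.113.0/24
# documentation range), not hosts from the thread.
SAMPLE_ALERTS = [
    "TESTMODE: A potential SYN Flood attack has been detected. This may also "
    "indicate a possible routing problem. Reason: The TCP Listen Queue is full "
    "using interface Wired\\HP NC7781 Gigabit Server Adapter #2. "
    "TCP: 10.20.0.5/5401->10.20.0.9/4418, flags 0x12. "
    "The operation would have been denied.",
    "A potential SYN Flood attack has been detected. Reason: The TCP Listen "
    "Queue is full using interface Wired\\Example NIC. "
    "TCP: 203.0.113.77/40311->10.20.0.9/80, flags 0x02. "
    "The operation was denied.",
]

# Standard TCP flag bits, in bit order, used to expand the hex byte CSA logs.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

# Checked explicitly rather than via ipaddress.is_private, which also treats
# the documentation ranges as private.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches the "TCP: src/sport->dst/dport, flags 0xNN" fragment of the alert.
TCP_RE = re.compile(
    r"TCP:\s*(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+),"
    r"\s*flags\s*0x(?P<flags>[0-9A-Fa-f]+)"
)


def decode_tcp_flags(value: int) -> List[str]:
    """Expand the logged flag byte, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad octet
    return any(ip in net for net in RFC1918_NETS)


def parse_csa_syn_alert(line: str) -> Optional[Dict]:
    """Return the security-relevant fields of one alert, or None if it is not one."""
    if "SYN Flood" not in line:
        return None
    m = TCP_RE.search(line)
    if m is None:
        return None
    try:
        src_internal = is_rfc1918(m.group("src"))
    except ValueError:
        return None
    return {
        "test_mode": line.startswith("TESTMODE:"),
        "enforced": "would have been denied" not in line,
        "listen_queue_full": "Listen Queue is full" in line,
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": decode_tcp_flags(int(m.group("flags"), 16)),
        "src_is_rfc1918": src_internal,
    }


def triage(alert: Dict) -> str:
    """Hypothetical verdict labels; the thresholds are this example's, not CSA's."""
    flags = set(alert["flags"])
    if alert["src_is_rfc1918"] and alert["listen_queue_full"]:
        # Same shape as the thread's alert: internal peer, backlog full.
        # Check server latency and the agent threshold before calling it an attack.
        return "internal-backlog-exhaustion"
    if flags == {"SYN"} and not alert["src_is_rfc1918"]:
        # Bare SYNs from outside: correlate with half-open connection counts.
        return "external-syn-burst"
    return "needs-manual-review"


def triage_log(lines) -> List[Dict]:
    results = []
    for line in lines:
        parsed = parse_csa_syn_alert(line)
        if parsed is not None:
            parsed["verdict"] = triage(parsed)
            results.append(parsed)
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_ALERTS):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
              f"flags={'+'.join(r['flags'])} test_mode={r['test_mode']} "
              f"enforced={r['enforced']} verdict={r['verdict']}")
```

Feeding real CSA MC export lines through `triage_log()` gives a quick split between alerts that only name internal peers with a full listen queue (the false-alarm pattern discussed in this thread) and those that show bare SYNs from non-RFC 1918 sources, which deserve a look at half-open connection counts on the host.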

6 Replies

didyap
Level 6

If you are not getting any such attack logs again, this means that this was a false alarm caused by some genuine application, although it is better to have protection against such attacks. The following link may help you:

http://www.cisco.com/en/US/docs/security/csa/csa45/user_guide/AppexB.html

chickman
Level 1

Arumugam,

We've been having a similar issue regarding SYN flood alerts. The affected system in turn starts to send additional ACK requests. This results in issues with the IIS functionality on that server. Clients begin to no longer have the ability to access the site hosted on the server. We've been battling between Cisco and Microsoft on this one. The issue appears to have started around Patch Tuesday in February.

My question to you is this: Have you noticed any latency with the system that is reporting the SYN flood? I'm curious if the problem is local to us, or possibly wide spread.

Has anyone else noted the following alert?

"A potential SYN Flood attack is currently in progress. 1 unresponsive connection attempts have been detected since the last notification. Source addresses included X.X.X.X. Ports included TCP/XXX."

I've not been able to associate this issue with anything on the system. It appears to be a CSA bug, but unsure if we're the only ones seeing it. Please advise!

Thank you,

Christopher

Just to put this out there, but it turns out that CSA 5.2 has a low threshold for SYN floods. We got a bug ID of CSCsq07997. This WILL cause service interruptions if your end clients/connections are behind a low-end PIX.

I experienced the exact situation. My only choice at the time was to disable the netshim for that host in the registry.

akumaresan
Level 1

Yes, I got this event from an internal IP. So I don't feel it's a malicious alert.

Great and thanks a lot to everyone for giving a good solution.

Regards

Arumugam.K
