Cisco Support Community

New Member

SYN flood attack log In CSA MC

I got a SYN flood attack log in CSA MC.

CSA log: TESTMODE: A potential SYN Flood attack has been detected. This may also indicate a possible routing problem. Reason: The TCP Listen Queue is full using interface Wired\HP NC7781 Gigabit Server Adapter #2. TCP: CSA MC IP/5401->local Instance IP/4418, flags 0x12. The operation would have been denied.

(Note: In log I have specified CSA MC IP and local Instance IP instead of its IP address)

I understood that SYN flooding is a type of denial of service attack and this alert has occurred when a TCP/IP connection was requested by MC to the Instance. It has resulted in a half open connection, as the return address is not in use. MC has detected it and it got denied.

Please let me know what action I have to take at this point?

Thanks

Arumugam.K

6 REPLIES
Silver

Re: SYN flood attack log In CSA MC

If you are not getting any such attack logs again, this means that this was a false alarm caused by some genuine application, although it is better to have protection against such attacks. The following link may help you:

http://www.cisco.com/en/US/docs/security/csa/csa45/user_guide/AppexB.html

New Member

Re: SYN flood attack log In CSA MC

Arumugam,

We've been having a similar issue regarding SYN flood alerts. The affected system in turn starts to send additional ACK requests. This results in issues with the IIS functionality on that server. Clients begin to no longer have the ability to access the site hosted on the server. We've been battling between Cisco and Microsoft on this one. The issue appears to have started around Patch Tuesday in February.

My question to you is this: Have you noticed any latency with the system that is reporting the SYN flood? I'm curious if the problem is local to us, or possibly widespread.

New Member

Re: SYN flood attack log In CSA MC

Has anyone else noted the following alert?

"A potential SYN Flood attack is currently in progress. 1 unresponsive connection attempts have been detected since the last notification. Source addresses included X.X.X.X. Ports included TCP/XXX."

I've not been able to associate this issue with anything on the system. It appears to be a CSA bug, but unsure if we're the only ones seeing it. Please advise!

Thank you,

Christopher

New Member

Re: SYN flood attack log In CSA MC

Just to put this out there, but it turns out that CSA 5.2 has a low threshold for SYN floods. We got a bug ID of CSCsq07997. This WILL cause service interruptions if your end clients/connections are behind a low-end PIX.

New Member

Re: SYN flood attack log In CSA MC

I experienced the exact situation. My only choice at the time was to disable the netshim for that host in the registry.

New Member

Re: SYN flood attack log In CSA MC

Yes, I got this event from an internal IP. So I don't feel it's a malicious alert.

Great and thanks a lot to everyone for giving a good solution.

Regards

Arumugam.K
