Cisco Support Community

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

Anyone noticed that message in the logs of your VCS-E as well?

Wonder if there is some generic stuff going on or if it was some DoS.

You can find them in the kernel log which is located in /mnt/harddisk/logs/kernel.

TCP: Possible SYN flooding on port 5061. Sending cookies.

net_ratelimit: 1 callbacks suppressed

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

TCP: Possible SYN flooding on port 5061. Sending cookies.

To sum up the days where it happens, you can use this command when you are logged in as root:

cd /mnt/harddisk/log && grep -i "Possible SYN flooding"  kernel | tr -s " " " " |cut -f 1,2 -d\  |uniq -c

which in my case gave something like:

     6 May 20

     17 Apr 29

   2136 Jul 3

    84 Jul 4

   939 Jul 11

    533 Jul 14

Please remember to rate helpful responses and identify
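
An added example, not part of the original post: a variant of the command above that takes the port as a parameter and also totals the `net_ratelimit: N callbacks suppressed` notices per day, since each notice means N rate-limited kernel messages were never written to the log. It assumes every line starts with a syslog timestamp; the function names and the sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Per-day count of SYN-flood warnings for
# one port, plus the number of messages the kernel rate limiter suppressed.
# Assumes each line starts with a syslog timestamp ("Jul  3 02:14:07 ...").

synflood_per_day() {
    # usage: synflood_per_day PORT [FILE...]   (reads stdin without FILE)
    # prints: "Mon DD logged suppressed", in order of first appearance
    port=$1; shift
    awk -v port="$port" '
    { day = $1 " " $2 }                 # default FS absorbs the padded day
    index(tolower($0), "possible syn flooding on port " port ".") {
        if (!(day in seen)) { seen[day] = 1; order[++n] = day }
        logged[day]++
        next
    }
    /net_ratelimit: [0-9]+ callbacks suppressed/ {
        # Suppressed messages can be any rate-limited kernel network message,
        # so "logged" is a lower bound on the warnings for that day.
        for (i = 1; i < NF; i++)
            if ($i == "net_ratelimit:") hidden[day] += $(i + 1)
        if (!(day in seen)) { seen[day] = 1; order[++n] = day }
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s %d %d\n", order[i], logged[order[i]], hidden[order[i]]
    }' "$@"
}

# Constructed sample lines (hostname and times are made up).
sample_kernel_log() {
    cat <<'EOF'
Jul  3 02:14:07 vcse kernel: TCP: Possible SYN flooding on port 5061. Sending cookies.
Jul  3 02:14:12 vcse kernel: net_ratelimit: 4 callbacks suppressed
Jul  3 02:14:12 vcse kernel: TCP: Possible SYN flooding on port 5061. Sending cookies.
Jul  3 02:15:40 vcse kernel: TCP: Possible SYN flooding on port 5060. Sending cookies.
Jul  4 23:50:01 vcse kernel: net_ratelimit: 2 callbacks suppressed
Jul  4 23:50:01 vcse kernel: TCP: Possible SYN flooding on port 5061. Sending cookies.
EOF
}

sample_kernel_log | synflood_per_day 5061
```

Unlike `uniq -c`, this keeps one row per day even if the same day shows up in non-adjacent parts of the file.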

8 REPLIES
New Member

Re: VCS-E: TCP: Possible SYN flooding on port 5061. Sending cook

Hi, Martin

I am seeing this on all our X7.1 Expressways as well.

Have not observed any loss of service though.

Does anyone know what this is?


New Member

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

I hear of this every so often. This error comes from Linux's standard SYN flood protection, when its TCP backlog gets full. This is hit before the VCS application itself. It is most likely caused by some denial-of-service attack (either deliberate or some misconfiguration). It should not affect normal VCS operation.

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

Yeah, it happens off business hours, and Ola noticed it as well, so we are not alone.

So it would be interesting to know if it's just "misconfiguration" or if it's something else (like the DoS can cause some other behavior which can be "misused"), ...


Cisco Employee

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

It would be interesting to review where this SIPS (if the application is used correctly) negotiation came from.

Is this coming from a single source IP address, which is possibly a wrong configuration on the far end (you should notify the far-end IP address owner)? But if the source IP addresses are a wide range, then it is possibly a DoS.

Not directly related to this original case, but from X7.2 there is a plan to support additional TLS security enhancements for avoiding unnecessary TLS negotiation.

- Checking of certificates for incoming TLS connections (control whether the certificate should be checked when a TLS connection is made to the Default Zone of a VCS).

- Define rules identifying what certificate hostnames should be allowed / denied (configure who is allowed to connect to the Default Zone via regex matching on certificates).

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

Hi Tomonori!

Thank you for your Answer!

I tried briefly to grep on the logfiles in /mnt/harddisk/log to see entries with IP addresses at the given times, but I did not see anything relevant.

Any suggestions which strings I should search for or which log / debug levels I would need? The other option would be to check with the firewall guys what capabilities we have there to log/block.

Martin


Cisco Employee

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

If the VCS-E is still receiving this SYN negotiation, please try tcpdump on the VCS, just filtering on port 5061.

You should write the log on /mnt/harddisk, which has space for tcpdump, but please make sure to stop the dump after a certain period (best to rotate by file size using the command's options).
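
An added example, not part of the thread or of Cisco's tooling: one way to answer the single-source-versus-wide-range question from a size-rotated tcpdump capture like the one suggested above. The interface name `eth0`, the capture file name, the function names and the sample packets are assumptions constructed for illustration; it expects the `Flags [S]` text format of current tcpdump releases.

```sh
#!/bin/sh
# Added example, not from the thread. Tallies initial SYNs (SYN without ACK)
# to one port by source address, from `tcpdump -nn` text output.
# Capture into 10 rotating files of about 50 MB (eth0 and the file name are
# assumptions), then read a rotated file back as text:
#   tcpdump -nn -i eth0 -C 50 -W 10 -w /mnt/harddisk/syn5061.pcap \
#       'tcp dst port 5061 and tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
#   tcpdump -nn -r <rotated file> | syn_sources 5061

syn_sources() {
    # usage: syn_sources PORT [FILE...]   (reads stdin without FILE)
    # prints "count source" by descending count, then a summary line
    port=$1; shift
    awk -v port="$port" '
    ($2 == "IP" || $2 == "IP6") && $4 == ">" && /Flags \[S\]/ {
        dst = $5; sub(/:$/, "", dst)
        if (dst !~ ("\\." port "$")) next      # other destination port
        src = $3; sub(/\.[0-9]+$/, "", src)    # drop the source port
        count[src]++; total++
    }
    END {
        cmd = "LC_ALL=C sort -k1,1nr -k2,2"
        for (s in count) {
            print count[s], s | cmd
            if (count[s] > max) max = count[s]
            n++
        }
        close(cmd)                             # flush the table first
        share = total ? int(100 * max / total) : 0
        printf "distinct %d total %d top_share %d%%\n", n, total, share
    }' "$@"
}

# Constructed sample capture (documentation addresses, made-up ports).
sample_capture() {
    cat <<'EOF'
02:14:07.100001 IP 198.51.100.7.40112 > 192.0.2.10.5061: Flags [S], seq 1000, win 29200, length 0
02:14:07.100090 IP 192.0.2.10.5061 > 198.51.100.7.40112: Flags [S.], seq 5000, ack 1001, win 28960, length 0
02:14:07.100200 IP 198.51.100.7.40113 > 192.0.2.10.5061: Flags [S], seq 2000, win 29200, length 0
02:14:07.100300 IP 198.51.100.7.40114 > 192.0.2.10.5061: Flags [S], seq 3000, win 29200, length 0
02:14:07.100400 IP 203.0.113.9.51515 > 192.0.2.10.5061: Flags [S], seq 4000, win 29200, length 0
02:14:07.100500 IP 203.0.113.9.51515 > 192.0.2.10.443: Flags [S], seq 4100, win 29200, length 0
EOF
}

sample_capture | syn_sources 5061
```

Source addresses in a SYN flood can be spoofed, so a wide spread of sources says little about the real origin, while one address dominating the tally fits the misconfigured-peer case.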

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

Yeah, I am more interested in the capability in forensics afterwards, as I never noticed that kind of event "live", ...

Guess when the only answer is a network dump, I might do it with a mirror port.


New Member

VCS-E: TCP: Possible SYN flooding on port 5061. Sending cookies.

If you look in the network logs around that time, you may see a bunch of TLS Negotiation Failed errors from other hosts that got through before the Linux kernel did its SYN flood detection. That may give some indication of where the traffic is coming from.

We have once seen a case of this where we suspected some software (unknown) was falling back to a DNS SRV record that pointed to the VCSs, when its usual SIP server was unavailable.
