What are non-DOS/DDOS causes of excessive tcp half-opens?

mreusch-uic
Level 1

I have an 1841 running the AdvSec IOS with the F/W feature set, using an Internet T1 to communicate with an Internet-based host application. We have determined that client communications with this website are causing numerous simultaneous TCP half-open connections (>50), which the F/W config is interpreting as a DoS attack due to exceeding the default F/W DoS setting of a maximum of 50 half-open connections to a single remote IP. As a result we have adjusted these settings to effectively disable DoS protection (allow 1000000), but are trying to determine what is causing this. What are other possible causes of excessive TCP half-opens? We have hard-coded the inside Ethernet of the 1841 to full duplex 100BT to rule out switch negotiation. Anything else to do to troubleshoot this issue? I'd prefer to adjust the half-open settings back down to a smaller number to re-enable DoS protection, but can't until this is resolved. Thanks!

2 Replies

b.hsu
Level 5

Use a packet sniffer to find out the actual reason why there are numerous simultaneous half open connections from the client communications.

mheusinger
Level 10

Hi,

besides the sniffer approach you could also try to spot the originating IPs in the NAT table. Once you have identified the originating IP(s) it will be much easier to sniff and locate the underlying reason/application.

One other reason might be that return packets are dropped because of NAT timeouts or firewall rules.

You also might have some TCP SYNs to unreachable ports on that host and the ICMP unreachable is blocked somewhere. Mainly I would suspect misconfigured applications in such a case.

Or it might be a curious user with port scanner ... or ...

Regards, Martin
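The two replies above both come down to the same step: capture the traffic of the inside hosts that the NAT table (`show ip nat translations`) or `show ip inspect sessions` points at, and look at how each TCP handshake actually ended. The script below is an added example, not code from the thread or from Cisco: it takes a tcpdump-style list of packet summaries and sorts every SYN into one of five outcomes, so that the causes Martin lists (return packets dropped, SYNs to filtered ports with ICMP unreachable blocked, a port scanner) show up as distinct patterns per client. The addresses, ports and packets in `PACKETS` are constructed for the example; in practice you would fill that list from `tshark -T fields` or scapy output of a real capture.

```python
"""Classify TCP connection attempts from a capture to explain a half-open buildup.

Added example, not from the thread. `PACKETS` is a constructed sample in the
shape of a tcpdump summary; flags use tcpdump letters (S=SYN, A=ACK, R=RST).
"""
from collections import Counter, defaultdict

# Constructed sample capture: (time_s, src, dst, sport, dport, flags)
PACKETS = [
    # 10.1.1.20: ordinary client, two complete handshakes and one that never finished
    (0.00, "10.1.1.20", "203.0.113.10", 40001, 443, "S"),
    (0.05, "203.0.113.10", "10.1.1.20", 443, 40001, "SA"),
    (0.06, "10.1.1.20", "203.0.113.10", 40001, 443, "A"),
    (0.10, "10.1.1.20", "203.0.113.10", 40002, 443, "S"),
    (0.15, "203.0.113.10", "10.1.1.20", 443, 40002, "SA"),
    (0.16, "10.1.1.20", "203.0.113.10", 40002, 443, "A"),
    (0.20, "10.1.1.20", "203.0.113.10", 40003, 443, "S"),
    (0.25, "203.0.113.10", "10.1.1.20", 443, 40003, "SA"),  # SYN-ACK came back, final ACK never seen
    # 10.1.1.30: application retrying a port nobody answers (filtered, or ICMP unreachable blocked)
    (1.00, "10.1.1.30", "203.0.113.10", 50001, 8443, "S"),
    (1.50, "10.1.1.30", "203.0.113.10", 50002, 8443, "S"),
    (2.00, "10.1.1.30", "203.0.113.10", 50001, 8443, "S"),  # retransmit of the first SYN
    (2.50, "10.1.1.30", "203.0.113.10", 50003, 8443, "S"),
    (3.50, "10.1.1.30", "203.0.113.10", 50004, 8443, "S"),
    (4.00, "10.1.1.30", "203.0.113.10", 50001, 8443, "S"),  # retransmit again
    # 10.1.1.40: SYN scan of 198.51.100.5, one source port per target port
    (5.00, "10.1.1.40", "198.51.100.5", 60021, 21, "S"),
    (5.01, "198.51.100.5", "10.1.1.40", 21, 60021, "RA"),   # closed port answers with RST
    (5.02, "10.1.1.40", "198.51.100.5", 60022, 22, "S"),
    (5.03, "198.51.100.5", "10.1.1.40", 22, 60022, "SA"),
    (5.04, "10.1.1.40", "198.51.100.5", 60022, 22, "R"),    # scanner tears it down instead of ACKing
    (5.05, "10.1.1.40", "198.51.100.5", 60023, 23, "S"),    # filtered port, nothing comes back
    (5.06, "10.1.1.40", "198.51.100.5", 60025, 25, "S"),
    (5.07, "198.51.100.5", "10.1.1.40", 25, 60025, "RA"),
    (5.08, "10.1.1.40", "198.51.100.5", 60080, 80, "S"),
    (5.09, "198.51.100.5", "10.1.1.40", 80, 60080, "SA"),
    (5.10, "10.1.1.40", "198.51.100.5", 60080, 80, "R"),
]

# Outcomes that CBAC would still be counting as half-open (no ACK, no RST seen)
HALF_OPEN = {"no_reply", "synack_unanswered"}


def _outcome(a):
    """Map what was seen for one SYN to a human-readable outcome."""
    if a["ack"]:
        return "established"          # full three-way handshake
    if a["srv_rst"]:
        return "refused"              # server answered with RST: closed port
    if a["synack"] and a["cli_rst"]:
        return "synack_reset"         # SYN-ACK seen, client reset it: SYN-scan signature
    if a["synack"]:
        return "synack_unanswered"    # reply reached the capture point, final ACK never did
    return "no_reply"                 # only SYN/retransmits: filtered, blackholed, or NAT/ACL drops the return


def classify_attempts(packets):
    """Return {(client, server, sport, dport): outcome} for every SYN in the capture."""
    attempts = {}
    for _, src, dst, sport, dport, flags in sorted(packets):
        fwd = (src, dst, sport, dport)
        rev = (dst, src, dport, sport)
        if flags == "S":                       # bare SYN starts (or retransmits) an attempt
            a = attempts.setdefault(fwd, {"syn": 0, "synack": False, "ack": False,
                                          "srv_rst": False, "cli_rst": False})
            a["syn"] += 1
        elif fwd in attempts:                  # client -> server after the SYN
            a = attempts[fwd]
            if "R" in flags:
                a["cli_rst"] = True
            elif "A" in flags and a["synack"]:
                a["ack"] = True
        elif rev in attempts:                  # server -> client reply
            a = attempts[rev]
            if "R" in flags:
                a["srv_rst"] = True
            elif "S" in flags and "A" in flags:
                a["synack"] = True
    return {k: _outcome(v) for k, v in attempts.items()}


def summarize(packets):
    """Per inside host: outcome counts, half-open count and number of distinct (server, port) targets."""
    per_client = defaultdict(lambda: {"outcomes": Counter(), "targets": set()})
    for (client, server, _sport, dport), outcome in classify_attempts(packets).items():
        per_client[client]["outcomes"][outcome] += 1
        per_client[client]["targets"].add((server, dport))
    return {
        client: {
            "outcomes": dict(v["outcomes"]),
            "half_open": sum(n for o, n in v["outcomes"].items() if o in HALF_OPEN),
            "distinct_targets": len(v["targets"]),
        }
        for client, v in per_client.items()
    }


if __name__ == "__main__":
    for client, report in sorted(summarize(PACKETS).items()):
        print(client, report)
```

Reading the report: a host whose attempts are all `no_reply` against a single target (10.1.1.30 here) is the "misconfigured application / ICMP unreachable blocked" case; `synack_unanswered` means the reply made it to the sniffer but not to the client, so look at the path between the capture point and the host; many distinct targets with `refused` and `synack_reset` mixed in (10.1.1.40) is what a SYN scanner looks like. Once the offending host is fixed, the per-host limit can go back to the CBAC default, `ip inspect tcp max-incomplete host 50 block-time 0`, and `show ip inspect statistics` will show whether the half-open count stays below it.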
