Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

What are non-DOS/DDOS causes of excessive tcp half-opens?

I have an 1841-AdvSec IOS with F/W feature set using an Internet T1 to communicate with an Internet based host application. We have determined that client communications with this website is causing numerous simultaneous tcp half-open connections (>50), which the F/W config is interpreting as a DOS attack due to exceeding the default F/W DOS settings of a max of 50 half-open connections to a single remote IP. As a result we have adjusted these settings to effectively disable DOS protection (allow 1000000), but are trying to determine what is causing this. What are other possible causes of excessive tcp half-opens? We have hard coded the inside ethernet of the 1841 to full duplex 100BT to r/o switch negotiation. Anything else to do to troubleshoot this issue? I'd prefer to adjust the half-open settings back down to a smaller # to reenable DOS protection, but can't until this is resolved. Thanks!


Re: What are non-DOS/DDOS causes of excessive tcp half-opens?

Use a packet sniffer to find out the actual reason why there are numerous simultaneous half open connections from the client communications.

Re: What are non-DOS/DDOS causes of excessive tcp half-opens?


besides the sniffer approach you could also try to spot the originating IPs in the NAT table. Once you identified the originating IP(s) it will be much easier to sniffer and locate the underlying reason/application.

One other reason might be that return packets are dropped because of NAT timeouts or firewall rules.

You also might have some TCP syn to unreachable ports on that host and the ICMP unreachable is blocked somewhere. Mainly I would suspect misconfigured applications in such a case.

Or it might be a curious user with port scanner ... or ...

Regards, Martin