https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943731#M84422 <HTML><HEAD></HEAD><BODY><P>If you are not getting any such attack logs again this means that this was a false alarm caused because of some genuine application. Although it is better to have protection against such attacks. Following link may help you</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/csa/csa45/user_guide/AppexB.html" target="_blank">http://www.cisco.com/en/US/docs/security/csa/csa45/user_guide/AppexB.html</A></P></BODY></HTML> Wed, 19 Mar 2008 14:09:30 GMT didyap 2008-03-19T14:09:30Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943730#M84420 <P>I got an SYN flood attack log in CSA MC</P><P></P><P>CSA log: TESTMODE: A potential SYN Flood attack has been detected. This may also indicate a possible routing problem. Reason: The TCP Listen Queue is full using interface Wired\HP NC7781 Gigabit Server Adapter #2. TCP: CSA MC IP/5401-&gt;local Instance IP/4418, flags 0x12. The operation would have been denied.</P><P></P><P>(Note: In log I have specified CSA MC IP and local Instance IP instead of its IP address)</P><P></P><P>I understood that SYN flooding is a type of denial of service attack and this alert has occured when a TCP/IP connection was requested by MC to the Instance. It has resulted in a half open connection, as the return address that is not in use. MC has detected it and it got denied. </P><P></P><P>Please let me know what action I have to take at tins point?</P><P></P><P>Thanks</P><P>Arumugam.K</P><P></P><P></P> Sun, 10 Mar 2019 11:02:04 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943730#M84420 akumaresan 2019-03-10T11:02:04Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943731#M84422 <HTML><HEAD></HEAD><BODY><P>If you are not getting any such attack logs again this means that this was a false alarm caused because of some genuine application. Although it is better to have protection against such attacks. Following link may help you</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/csa/csa45/user_guide/AppexB.html" target="_blank">http://www.cisco.com/en/US/docs/security/csa/csa45/user_guide/AppexB.html</A></P></BODY></HTML> Wed, 19 Mar 2008 14:09:30 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943731#M84422 didyap 2008-03-19T14:09:30Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943732#M84424 <HTML><HEAD></HEAD><BODY><P>Arumugam,</P><P></P><P>We've been having similar issue regarding SYN flood alerts. The affected system in turn starts to send additional ACK requests. This results in issues with the IIS functionality on that server. Clients begin to no longer have the ability to access the site hosted on the server. We've been battling between Cisco and Microsoft on this one. The issue appears to have started around Patch Tuesday in February.</P><P></P><P>My question to you is this: Have you noticed any latency with the system that is reporting the SYN flood? I'm curious if the problem is local to us, or possibly wide spread.</P></BODY></HTML> Sat, 22 Mar 2008 17:42:03 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943732#M84424 chickman 2008-03-22T17:42:03Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943733#M84426 <HTML><HEAD></HEAD><BODY><P>Has anyone else noted the following alert?</P><P></P><P>"A potential SYN Flood attack is currently in progress. 1 unresponsive connection attempts have been detected since the last notification. Source addresses included X.X.X.X. Ports included TCP/XXX.</P><P></P><P>I've not been able to associate this issue with anything on the system. It appears to be a CSA bug, but unsure if we're the only ones seeing it. Please advise!</P><P></P><P>Thank you,</P><P></P><P>Christopher</P></BODY></HTML> Thu, 03 Apr 2008 23:23:34 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943733#M84426 chickman 2008-04-03T23:23:34Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943734#M84428 <HTML><HEAD></HEAD><BODY><P>Just to put this out there, but it turns out that CSA 5.2 has a low threshold for syn floods. We got a bug ID of CSCsq07997. This WILL cause service interruptions if your end clients/connections are behind a low end pix.</P></BODY></HTML> Sat, 03 May 2008 14:12:00 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943734#M84428 chickman 2008-05-03T14:12:00Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943735#M84429 <HTML><HEAD></HEAD><BODY><P>Yes, I got this event fron an internal IP. So I dont feel its malicious alert.</P><P></P><P>Great and thanks a lot to everyone for giving a good solution.</P><P></P><P>Regards</P><P>Arumugam.K</P></BODY></HTML> Tue, 27 May 2008 10:18:59 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943735#M84429 akumaresan 2008-05-27T10:18:59Z https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943736#M84430 <HTML><HEAD></HEAD><BODY><P>I experienced the exact situation. My only choice at the time was to disable the netshim for that host in the registry.</P><P></P><P></P></BODY></HTML> Thu, 29 May 2008 15:11:08 GMT https://community.cisco.com/t5/network-security/syn-flood-attack-log-in-csa-mc/m-p/943736#M84430 mcvosi 2008-05-29T15:11:08Z