Getting logs for DOS Attack:Sync Attack on cisco CSS 11501 frequently.

manish_3191
Level 1

Hi ,

For a couple of weeks, I have been getting the DOS attack logs below on the Cisco CSS. Can anyone help me out with how we can avoid this and how to deal with it?

04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times

Thanks

Manish

5 Replies

Nicolas Fournier
Cisco Employee

Hi Manish,

I believe we count one SYN attack when we don't get an ACK from the client 14 seconds after sending the SYN/ACK back from the server.

We also count one if we don't get a request after the 3WHS on a L5 policy.

If by default we get more than 10 of those events per second (which can be perfectly normal in a busy environment), we trigger the message you saw in your logs.

I believe you can increase this threshold by using the following command:

snmp trap-type enterprise dos-syn-attack trap-threshold

Looking at your logs, I believe you can set it to 20 and you shouldn't see the logs again during normal operation while it would still give you reports in case of a real attack.

Regards,

Nicolas
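The reply above describes two things a defender can model directly: the log line format the CSS emits, and the counter behind it (one SYN-attack event per SYN/ACK that is not ACKed within 14 seconds, a trap when the per-second count reaches the threshold, default 10). The following Python script is an added example written for this thread; it is not CSS code or Cisco tooling. It parses a constructed copy of the log lines Manish posted, shows which of them would still fire at a raised threshold of 20, and simulates the half-open-connection counter on constructed connection timings. The 14-second timeout and the per-second threshold are taken from the reply; the exact comparison (reaching versus exceeding the threshold) is an assumption based on the thread's own lines showing "10 times" at the default of 10.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log format as it appears in the original post:
#   MM/DD/YYYY HH:MM:SS:Enterprise:DOS Attack:<kind> -> <n> times
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}):Enterprise:DOS Attack:"
    r"(?P<kind>.+?) -> (?P<count>\d+) times$"
)

# Constructed copy of the lines from the original post (same values as the thread).
SAMPLE_LOG = """\
04/23/2011 17:27:28:Enterprise:DOS Attack:SYN Attack -> 10 times
04/23/2011 17:30:15:Enterprise:DOS Attack:SYN Attack -> 10 times
04/24/2011 11:20:32:Enterprise:DOS Attack:SYN Attack -> 11 times
04/24/2011 11:24:48:Enterprise:DOS Attack:SYN Attack -> 12 times
04/24/2011 15:30:42:Enterprise:DOS Attack:SYN Attack -> 10 times
"""

DEFAULT_THRESHOLD = 10                   # per-second event count that fires the trap (from the reply)
SYNACK_TIMEOUT = timedelta(seconds=14)   # no ACK within 14 s of the SYN/ACK => one SYN-attack event


def parse_dos_log(text):
    """Parse CSS 'DOS Attack' log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),
            "kind": m["kind"],
            "count": int(m["count"]),
        })
    return events


def lines_still_firing(text, threshold=DEFAULT_THRESHOLD):
    """Return the parsed events whose count would still fire at `threshold`.

    Assumption: the thread's logs show a line at exactly 10 events under the
    default threshold of 10, so reaching the threshold is modelled as firing.
    """
    return [e for e in parse_dos_log(text) if e["count"] >= threshold]


def syn_attack_events_per_second(connections, timeout=SYNACK_TIMEOUT):
    """Model the L4 half of the counter described in the reply.

    `connections` is a list of (synack_sent, ack_received_or_None) datetimes.
    A connection counts as one SYN-attack event if no ACK arrived within
    `timeout` of the SYN/ACK; the event is attributed to the second in which
    the timeout expired. Returns Counter{second -> number of events}.
    """
    per_second = Counter()
    for synack_sent, ack_received in connections:
        deadline = synack_sent + timeout
        if ack_received is None or ack_received > deadline:
            per_second[deadline.replace(microsecond=0)] += 1
    return per_second


def seconds_over_threshold(per_second, threshold=DEFAULT_THRESHOLD):
    """Seconds in which the modelled counter would raise the trap."""
    return sorted(sec for sec, n in per_second.items() if n >= threshold)


if __name__ == "__main__":
    for th in (DEFAULT_THRESHOLD, 20):
        firing = lines_still_firing(SAMPLE_LOG, th)
        print(f"threshold {th}: {len(firing)} of {len(parse_dos_log(SAMPLE_LOG))} lines still fire")

    # Constructed connection timings: 12 never ACKed, 3 ACKed promptly, 1 ACKed late.
    base = datetime(2011, 4, 23, 17, 27, 0)
    conns = [(base + timedelta(milliseconds=50 * i), None) for i in range(12)]
    conns += [(base, base + timedelta(seconds=2)) for _ in range(3)]
    conns += [(base, base + timedelta(seconds=20))]
    per_sec = syn_attack_events_per_second(conns)
    print("trap seconds:", seconds_over_threshold(per_sec))
```

Running it with the thread's five lines confirms the reply's reasoning: at the default threshold all five lines fire, while at 20 none of them would, so only a burst well above the observed rate would still produce a trap. The simulation half is where a real investigation starts: if the source IPs reported by `sh dos` are internal, the question is whether those hosts genuinely fail to complete handshakes (slow clients, asymmetric routing, a misbehaving application) rather than whether an attacker is present, which is the capture-based analysis the later reply recommends.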

Hi Nicolas,

Thanks for the immediate response.

Do you mean that these are not a real attack? I did find out the source and destination IPs using "sh dos", from where I am getting this.

I am finding that all the source IPs are coming from our internal network.

By reducing the threshold value, I will be able to avoid these logs, but I want to know: if these are real attacks, how can we resolve this?

Thanks

Manish

Hi Manish,

As I told you in my initial email, this means that you had 10 uncompleted 3WHS on a L4 policy or no request on a L5 one.

Those settings are a bit low by default so I don't believe you are under attack when you see this but if you want to really confirm it, you'll need to take captures of traffic going through your CSS and analyze them.

Regards,

Nicolas

Hi Nicolas,

The reason I am asking about the DOS attack is that I am facing some issues with the 2 VIPs configured on the Cisco CSS 11501.

Can you help me troubleshooting the issue?

I have come across some load balancing issues with the 2 VIPs configured on the Cisco CSS 11501.

We have a Cisco CSS 11501. We have 2 VIPs configured on it, for FE and BE servers. The client calls the FE VIP and the LB forwards it to a server; then the FE server calls the BE VIP, which goes through the same LB and is forwarded to a BE server under that VIP. When we start a load test, we have observed that after a 2 hour test the application team gets HTTP timeouts. As this application is used by a call center, getting timeouts is bad.
I need to troubleshoot this issue to see if there is any problem on the LB end.

Please find the attached file for VIP configs.

Hi Manish,

This will be a bit too complex to troubleshoot on a forum so I would advise you to open a TAC case if you need this to be investigated in depth.

Regards,

Nicolas
