Found LOG TCP SYN ACK Traffic on Cisco SG350-28

hpornphoj (Level 1)

I found the log below.

19-Jun-2018 03:07:40 :%SECURITYSUITE-I-SECSYNBLOCKED: 03:07:40 19-Jun-2018:
A TCP SYN Attack was identified on port Po2.
TCP SYN traffic destined to the local system is automatically blocked for 60 seconds.
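The switch reports each block as a multi-line syslog event, so the first thing a defender usually wants is to turn those events into structured records and count how often each port is being blocked. The parser below is an added example written for this thread, not code from the original post or from Cisco; the sample log is constructed from the event above (repeated on Po2, plus one event on an invented interface name "gi5" so that per-port counting has something to show), and the function and field names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log: the event from the post, repeated on Po2, plus one event
# on an invented interface name ("gi5") so per-port counting is visible.
SAMPLE_LOG = """19-Jun-2018 03:07:40 :%SECURITYSUITE-I-SECSYNBLOCKED: 03:07:40 19-Jun-2018:
A TCP SYN Attack was identified on port Po2.
TCP SYN traffic destined to the local system is automatically blocked for 60 seconds.
19-Jun-2018 03:09:12 :%SECURITYSUITE-I-SECSYNBLOCKED: 03:09:12 19-Jun-2018:
A TCP SYN Attack was identified on port Po2.
TCP SYN traffic destined to the local system is automatically blocked for 60 seconds.
19-Jun-2018 04:15:01 :%SECURITYSUITE-I-SECSYNBLOCKED: 04:15:01 19-Jun-2018:
A TCP SYN Attack was identified on port gi5.
TCP SYN traffic destined to the local system is automatically blocked for 60 seconds.
"""

# One SECSYNBLOCKED event spans three lines, so the pattern runs in DOTALL mode and
# picks out the leading timestamp, the port name and the block duration.
EVENT_RE = re.compile(
    r"(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) :%SECURITYSUITE-I-SECSYNBLOCKED:"
    r".*?identified on port (?P<port>\S+)\."
    r".*?blocked for (?P<secs>\d+) seconds\.",
    re.S,
)


def parse_syn_block_events(text):
    """Return a list of dicts (timestamp, port, seconds), one per SECSYNBLOCKED event."""
    events = []
    for m in EVENT_RE.finditer(text):
        events.append({
            "timestamp": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
            "port": m.group("port"),
            "seconds": int(m.group("secs")),
        })
    return events


def blocks_per_port(events):
    """Count how many times each port was blocked; a port that keeps reappearing
    is where the SYN source sits (or, for an uplink like Po2, sits behind)."""
    return Counter(e["port"] for e in events)


def repeat_offenders(events, min_count=2):
    """Ports blocked at least min_count times, sorted by name."""
    return sorted(p for p, n in blocks_per_port(events).items() if n >= min_count)


if __name__ == "__main__":
    evs = parse_syn_block_events(SAMPLE_LOG)
    for e in evs:
        print(e["timestamp"], e["port"], f"blocked {e['seconds']}s")
    print("blocks per port:", dict(blocks_per_port(evs)))
    print("repeat offenders:", repeat_offenders(evs))
```

Feed it the raw syslog text collected from the switch (or a syslog server) and the per-port counter tells you whether one interface is blocked again and again, which is the case that needs chasing down.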

5 Replies

hpornphoj (Level 1)

Please help to solve this issue.

Hi there,

That basically means you've been exposed to a SYN flood attack coming in on port 2 of your SG350 switch on June 19, 2018, so the switch detected the attack and reacted by denying the traffic destined to your local system for 60 seconds. That might be a malicious client or malware running inside your network. It is a good approach to have antivirus/anti-malware software on your end client machines so that you can be fully protected.

More information about the TCP SYN flood attack can be found at:

https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/14760-4.html#tcpsyn

https://www.imperva.com/learn/ddos/syn-flood/

Regards,

Martin

 

Hi Martin,

Po2 is an uplink port connected to another switch (Catalyst 2960). How can I find out which switch has the malicious client connected to it?

Pornphoj.K

Hello,

You can use port mirroring (SPAN/RSPAN) to monitor the traffic on the port and then analyze it with Wireshark (for example). Take a look at:

https://tools.cisco.com/security/center/resources/guide_ddos_defense#29

This way you can look into and match specific fields in the packet (for example, source and destination IP, protocol, and length). You can also display the top ports or protocols used in the captures, which could help identify potential DoS activity.

and

https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf (Switched Port Analyzer (SPAN and RSPAN) section.)

Regards,

Martin
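Once the uplink is mirrored and the capture is exported from Wireshark, the question is which host behind the Catalyst is sending SYNs without ever completing a handshake. The script below is an added example for this thread, not code from Martin's reply or from Cisco: it works on constructed packet summaries (source IP, destination IP, server-side port, Wireshark-style flag letters) standing in for a SPAN capture, and the function names, the hosts and the thresholds are my own. A legitimate client sends SYN, receives SYN-ACK and answers with ACK; a SYN flooder shows many SYNs and a completion rate near zero, and the top-ports counter shows what it is aiming at.

```python
from collections import Counter

# Constructed packet summaries in place of a SPAN/RSPAN capture. Each record is
# (source IP, destination IP, server-side port, TCP flag letters as Wireshark
# prints them: S = SYN, A = ACK). The port field is always the server side of the
# connection, whichever direction the packet travels, to keep the model simple.


def _handshake(client, server, port):
    """One complete three-way handshake (SYN, SYN-ACK, ACK)."""
    return [(client, server, port, "S"),
            (server, client, port, "SA"),
            (client, server, port, "A")]


PACKETS = (
    _handshake("10.0.0.5", "10.0.0.1", 443) * 3        # normal client, three sessions
    + _handshake("10.0.0.9", "10.0.0.1", 80)           # another normal client
    + [("10.0.0.77", "10.0.0.1", 53, "S")] * 25        # constructed flooder: SYNs only
    + [("10.0.0.1", "10.0.0.77", 53, "SA")] * 25       # server answers, never gets the ACK
)


def syn_report(packets, top_n=3):
    """Per-source SYN counts with handshake completion rate, plus top targeted ports."""
    syns = Counter()       # SYNs sent per source
    acks = Counter()       # handshake-completing ACKs per source
    ports = Counter()      # server ports targeted by SYNs
    pending = set()        # (src, dst, port) triples that have seen a SYN
    for src, dst, port, flags in packets:
        if "S" in flags and "A" not in flags:          # pure SYN, not SYN-ACK
            syns[src] += 1
            ports[port] += 1
            pending.add((src, dst, port))
        elif flags == "A" and (src, dst, port) in pending:  # third handshake packet
            acks[src] += 1
    sources = []
    for src, n in syns.most_common(top_n):
        sources.append({
            "src": src,
            "syns": n,
            "completed": acks[src],
            "completion_rate": round(acks[src] / n, 2),
        })
    return {"sources": sources, "top_ports": ports.most_common(top_n)}


def suspects(report, min_syns=10, max_completion=0.2):
    """Sources with many SYNs and almost no completed handshakes (thresholds are
    illustrative; tune them to the traffic volume on the mirrored port)."""
    return [s["src"] for s in report["sources"]
            if s["syns"] >= min_syns and s["completion_rate"] <= max_completion]


if __name__ == "__main__":
    rep = syn_report(PACKETS)
    for s in rep["sources"]:
        print(f"{s['src']:<12} syns={s['syns']:<4} completed={s['completed']:<4} "
              f"rate={s['completion_rate']}")
    print("top ports:", rep["top_ports"])
    print("suspects:", suspects(rep))
```

With a real capture you would export the same four fields from Wireshark or tshark and load them into PACKETS; the source that tops the list with a near-zero completion rate is the one to trace to its access port on the Catalyst (its MAC address table will show which port learned that host's MAC).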

Hi, can we disable this security feature?

There seems to be no counter for this issue on the switch.

If TCP is blocked I cannot connect to the host to troubleshoot. In my case it seems to be some TCP SYNs to port 53 from a microk8s Raspberry Pi.
