11-02-2020 09:22 PM
I found the log below.
19-Jun-2018 03:07:40 :%SECURITYSUITE-I-SECSYNBLOCKED: 03:07:40 19-Jun-2018:
A TCP SYN Attack was identified on port Po2.
TCP SYN traffic destined to the local system is automatically blocked for 60 seconds.
11-02-2020 09:31 PM
Please help to solve this issue.
11-03-2020 01:37 AM
Hi there,
That basically means you were exposed to a SYN flood attack coming in on port 2 of your SG350 switch on June 19, 2018, so the switch detected the attack and reacted by denying the traffic destined to your local system for 60 seconds. That might be a malicious client or malware running inside your network. It is a good approach to have antivirus/anti-malware software on your end client machines so that you can be fully protected.
More information about the TCP SYN Flood attack can be found at:
https://www.cisco.com/c/en/us/support/docs/ip/ip-multicast/14760-4.html#tcpsyn
https://www.imperva.com/learn/ddos/syn-flood/
Regards,
Martin
11-03-2020 07:52 AM
Hi Martin,
Po2 is an uplink port connected to another switch (Catalyst 2960). How can I know which switch has the malicious client connected?
Pornphoj.K
11-06-2020 02:53 AM
Hello,
You can use port mirroring (SPAN/RSPAN) to monitor the traffic on the port and then analyze with Wireshark (for example):
Take a look at:
https://tools.cisco.com/security/center/resources/guide_ddos_defense#29
This way you can look into and match specific fields in the packet (for example, source and destination IP, protocol, and length.) You can also display the top ports or protocols used in the captures, which could help identify potential DoS activity.
and
https://www.cisco.com/c/dam/en/us/td/docs/switches/lan/csbms/350xg/admin_guide/AG_Tesla_350_550.pdf (Switched Port Analyzer (SPAN and RSPAN) section.)
Regards,
Martin
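The analysis step described in the reply above can also be scripted. This is an added example, not part of the original replies: it counts bare SYN segments (SYN set, ACK clear) per source MAC, source IP and destination port. It assumes the SPAN capture was saved as a classic little-endian pcap with untagged Ethernet frames; the function names and the sample capture (documentation-range addresses) are constructed for illustration.

```python
import struct
from collections import Counter

def build_sample_pcap():
    """Constructed capture: 3 bare SYNs from one host, 1 SYN/ACK from another."""
    def frame(src_mac, src_ip, dport, flags):
        eth = bytes.fromhex("aabbcc000001") + bytes.fromhex(src_mac) + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(src_ip), bytes([192, 0, 2, 1]))
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
        return eth + ip + tcp
    frames = [frame("020000000a0a", [192, 0, 2, 50], 53, 0x02)] * 3
    frames.append(frame("020000000b0b", [192, 0, 2, 60], 443, 0x12))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def syn_sources(pcap):
    """Count TCP segments with SYN set and ACK clear, keyed by (MAC, IP, dst port)."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    counts, off = Counter(), 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not untagged IPv4 carrying TCP
        ihl = (pkt[14] & 0x0F) * 4
        tcp = pkt[14 + ihl:]
        if len(tcp) < 14:
            continue  # truncated TCP header
        flags = tcp[13]
        if flags & 0x02 and not flags & 0x10:  # SYN without ACK
            mac = pkt[6:12].hex(":")
            ip = ".".join(map(str, pkt[26:30]))
            dport = struct.unpack("!H", tcp[2:4])[0]
            counts[(mac, ip, dport)] += 1
    return counts

if __name__ == "__main__":
    for (mac, ip, dport), n in syn_sources(build_sample_pcap()).most_common(10):
        print(f"{n:6d} SYNs  src_mac={mac}  src_ip={ip}  dst_port={dport}")
```

When the sender is in the same VLAN as the capture point, the source MAC at the top of the list is the value to trace through the downstream switch's MAC address table to find the access port.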
07-14-2022 08:17 AM
Hi, can we disable this security feature?
There seem to be no counters for this issue on the switch.
If TCP is blocked, I cannot connect to the host to troubleshoot. In my case it seems to be some TCP SYN to port 53 from a microk8s Raspberry Pi.