2 Replies Latest reply on Apr 25, 2013 9:19 AM by jcreedle

    AdtranEventMgr notifications suddenly occurring

    jcreedle New Member

      Two days ago I began receiving AdtranEventMgr notifications regarind SYN and ACK from my Netvanta 1224R. I did not make any changes on the router prior to this. I typically am receiving two types.

       

      1) Src is Internal, Destination is External. Occurs about every 10 minutes.

      "TCP connection request received is invalid
      (expected SYN, got ACK), dropping packet Src 49278 Dst 443 from Private
      policy-class on interface vlan 1" agent=AdFirewall "

       

      2) Src is External, Destination is our domain IP address and is less frequent than the others.

      "Post Connection SYN attack detected Src 80 Dst
      10532 from Public policy-class on interface vlan 2"

       

      The second sounds like we are under a DOS attack. If so, I don't know if there's anything I can do about it other than wait it out knowing the Adtran is doing its job.  But I'm wondering if these are just common events that I have not seen previously because, for some reason, the notifications were not being sent, or sent properly.

       

      Any comments would be appreciated. I am an IT Professional but not great with routers.

        • Re: AdtranEventMgr notifications suddenly occurring
          levi Employee

          jcreedle:

           

          Thank you for posting this question to the support community.  Firewall threat messages could possibly be attacks, but not necessarily as they could also be caused by misconfigurations or peculiarities in the network. In AOS, threats have been categorized and been assigned a weight based on their possible severity. Threats with a higher severity have the potential to be more compromising to hosts behind the firewall than threats with a lower severity.

           

          The threat you have displayed above is a minor threat, and virtually can be ignored.  You can disable this message from appearing on the CLI, per session, by issuing the no events command.  For reference, the Configuring the Firewall (IPv4) in AOS guide explains these attack messages:

           

          1.  TCP connection request received is invalid (expected SYN, got ACK), dropping packet; flags=<flags>

          Short Definition: TCP: expected SYN, got ACK

           

          Description: Indicates that the first packet in a TCP flow had the ACK flag set in addition to the SYN flag. The firewall maintains a state for each TCP flow and inspects the TCP flags to ensure that they are valid for the current state of the flow. The first packet of a TCP flow should have the SYN flag (and no other flags) set to indicate the beginning of the three-way handshake to transition from the LISTEN state to the SYN RCVD and SYN SENT states. This threat can be observed for valid traffic when the firewall association is deleted or times out, but the TCP session is still established. Check your TCP policy-timeout settings and verify that the timeout accounts for the longest interval between observing packets.

           

          Action: The firewall drops the offending packet.

           

          2.  Post connection SYN attack detected

          Short Definition: Post connection SYN attack

           

          Description: Indicates that a packet with the SYN flag set was received for an established TCP connection. The firewall maintains a state for each TCP flow and inspects the TCP flags to ensure that they are valid for the current state of the flow. The SYN flag should not be received for an established TCP connection, indicating a possible attack. For example, an attacker could send a spoofed packet with the SYN flag set in order to have the legitimate client receive an RST packet, thus disrupting the connection. This threat can also be caused by an incorrect implementation of TCP in a client. For example, if a client does not change source ports between sessions and attempts to initiate a new session within the TIME WAIT timeout, this threat will be observed.

           

          Action: The firewall drops the offending packet.

           

          I hope that makes sense, but please do not hesitate to reply with any additional questions or information.  I will be happy to help in any way I can.

           

          Levi