2 Replies Latest reply on Feb 11, 2015 6:00 PM by jayh

    SYN attack port 80

    tommyrogers New Member

      Lately I have been having to reboot Adtran 1224R's due to a SYN attack on port 80 and the switch stops passing traffic. I support several of these switches and it is pretty much across the board on all of them. I have even replaced a couple of them.

      Here are some actual examples:

      id=firewall time=2014-12-10 08:12:27 fw=NOC pri=1 proto=1201/tcp src=50.58.243.161 dst=74.113.156.13 msg=Post Connection SYN attack detected Src 80 Dst 1201 from Public policy-class on interface vlan 200 agent=AdFirewall

      id=firewall time=2014-12-10 03:47:21 fw=NOC pri=1 proto=10370/tcp src=10.255.255.201 dst=70.193.67.250 msg=TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 143 Dst 10370 from Private policy-class on interface vlan 1 agent=AdFirewall

      Any suggestions would be appreciated.

      Tommy

        • Re: SYN attack port 80
          Employee

          Tommy,

          The firewall messages indicate that there is a violation of the TCP handshake occurring. As a result, the AOS firewall will drop the packet. From the firewall guide (Configuring the Firewall (IPv4) in AOS), here is a brief description of both firewall messages:

          Post Connection SYN attack - Indicates that a packet with the SYN flag set was received for an established TCP connection. The SYN flag should not be received for an established TCP connection, indicating a possible attack.


          TCP connection request received is invalid (expected SYN, got ACK) - Indicates that the first packet in a TCP flow had the ACK flag set in addition to the SYN flag. The first packet of a TCP flow should have the SYN flag (and no other flags) set to indicate the beginning of the three-way handshake to transition from the LISTEN state to the SYN RCVD and SYN SENT states.


          However, it should not have caused the 1224R to lock up. If it is still occurring, it would be good to see the following information:

          - show proc cpu

          - show proc queue

          - show ip policy-stat

          - show mem heap


          Also, you will want to make sure that the 1224Rs are on the latest code for that platform, which is AOS 13.15.


          Let us know if you have any questions.


          Thanks,

          Noor
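An added example, not from the thread or from Adtran: a small Python parser for the AdFirewall syslog lines quoted above that picks out the two handshake-violation messages Noor describes and counts them per source address, so an operator can see whether the hits come from one address or are scattered across many. The sample log is constructed from the two lines in the post plus one made-up repeat, and the violation labels are my own names rather than AOS terminology.

```python
import re
from collections import Counter

# AdFirewall lines are key=value pairs, but the time and msg values contain spaces,
# so each value runs up to the next " key=" boundary rather than the next space.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
PORTS_RE = re.compile(r"Src (\d+) Dst (\d+)")  # port pair embedded in the msg text
# Prefixes of the two AOS handshake-violation messages quoted in the thread;
# the labels on the right are my own names, not AOS terminology.
HANDSHAKE_VIOLATIONS = {
    "Post Connection SYN attack detected": "syn_on_established",
    "TCP connection request received is invalid": "invalid_first_packet",
}

# Constructed sample: the two lines from the post plus one made-up repeat from the
# same source a few seconds later, so per-source counting has something to show.
SAMPLE_LOG = """\
id=firewall time=2014-12-10 08:12:27 fw=NOC pri=1 proto=1201/tcp src=50.58.243.161 dst=74.113.156.13 msg=Post Connection SYN attack detected Src 80 Dst 1201 from Public policy-class on interface vlan 200 agent=AdFirewall
id=firewall time=2014-12-10 03:47:21 fw=NOC pri=1 proto=10370/tcp src=10.255.255.201 dst=70.193.67.250 msg=TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 143 Dst 10370 from Private policy-class on interface vlan 1 agent=AdFirewall
id=firewall time=2014-12-10 08:12:31 fw=NOC pri=1 proto=1202/tcp src=50.58.243.161 dst=74.113.156.13 msg=Post Connection SYN attack detected Src 80 Dst 1202 from Public policy-class on interface vlan 200 agent=AdFirewall
"""

def parse_line(line):
    """Split one AdFirewall line into fields; src_port/dst_port come from the msg text."""
    fields = dict(FIELD_RE.findall(line.strip()))
    m = PORTS_RE.search(fields.get("msg", ""))
    if m:
        fields["src_port"], fields["dst_port"] = int(m.group(1)), int(m.group(2))
    return fields

def classify(msg):
    """Return the violation label for a msg, or None for unrelated firewall messages."""
    for prefix, label in HANDSHAKE_VIOLATIONS.items():
        if msg.startswith(prefix):
            return label
    return None

def summarize(log_text):
    """Count handshake violations per (source address, violation type)."""
    counts = Counter()
    for fields in (parse_line(ln) for ln in log_text.splitlines() if ln.strip()):
        label = classify(fields.get("msg", ""))
        if label and "src" in fields:
            counts[(fields["src"], label)] += 1
    return counts

def noisy_sources(counts, threshold=2):
    """Sources at or above the threshold, busiest first (one address repeating vs. one-off hits)."""
    return [(src, label, n) for (src, label), n in counts.most_common() if n >= threshold]
```

Feed it the real firewall log instead of SAMPLE_LOG and raise the threshold to taste; a single address dominating the counts is worth correlating with the show proc cpu output Noor asked for.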

          • Re: SYN attack port 80
            jayh Hall_of_Fame

            You probably don't want the switch management web server exposed to the Internet without an ACL. Consider building an access-list limited to your own subnet and applying it to the HTTP and HTTPS processes as well as the SSH and Telnet lines. For that matter, disabling Telnet entirely is probably a good idea.