SYN attack port 80

Lately I have been having to reboot Adtran 1224R's due to a SYN attack on port 80 and the switch stops passing traffic. I support several of these switches and it is pretty much across the board on all of them. I have even replaced a couple of them.

Here are some actual examples:

id=firewall time=2014-12-10 08:12:27 fw=NOC pri=1 proto=1201/tcp src=50.58.243.161 dst=74.113.156.13 msg=Post Connection SYN attack detected Src 80 Dst 1201 from Public policy-class on interface vlan 200 agent=AdFirewall

id=firewall time=2014-12-10 03:47:21 fw=NOC pri=1 proto=10370/tcp src=10.255.255.201 dst=70.193.67.250 msg=TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 143 Dst 10370 from Private policy-class on interface vlan 1 agent=AdFirewall

Any suggestions would be appreciated.

Tommy


Re: SYN attack port 80

Tommy,

The firewall messages indicate that there is a violation of the TCP handshake occurring. As a result, the AOS firewall will drop the packet. From the firewall guide (Configuring the Firewall (IPv4) in AOS), here is a brief description of both firewall messages:

Post Connection SYN attack - Indicates that a packet with the SYN flag set was received for an established TCP connection. The SYN flag should not be received for an established TCP connection, indicating a possible attack.


TCP connection request received is invalid (expected SYN, got ACK) - Indicates that the first packet in a TCP flow had the ACK flag set in addition to the SYN flag. The first packet of a TCP flow should have the SYN flag (and no other flags) set to indicate the beginning of the three-way handshake to transition from the LISTEN state to the SYN RCVD and SYN SENT states.


However, it should not have caused the 1224R to lockup. If it is still occurring, it would be good to see the following information:

- show proc cpu

- show proc queue

- show ip policy-stat

- show mem heap


Also, you will want to make sure that the 1224Rs are on the latest code for that platform, which is AOS 13.15.


Let us know if you have any questions.


Thanks,

Noor
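To triage these messages across several switches, here is an added example (not AdTran's code and not from this thread) that parses the AdFirewall key=value lines quoted above, decodes the ports, policy-class and interface embedded in the msg text, and counts events per interface and per source. The first two sample lines are the ones from the post; the third is constructed.

```python
import re
from collections import Counter

# Two lines quoted in the thread plus one constructed line in the same format.
SAMPLE_LOGS = [
    "id=firewall time=2014-12-10 08:12:27 fw=NOC pri=1 proto=1201/tcp src=50.58.243.161 dst=74.113.156.13 msg=Post Connection SYN attack detected Src 80 Dst 1201 from Public policy-class on interface vlan 200 agent=AdFirewall",
    "id=firewall time=2014-12-10 03:47:21 fw=NOC pri=1 proto=10370/tcp src=10.255.255.201 dst=70.193.67.250 msg=TCP connection request received is invalid (expected SYN, got ACK), dropping packet Src 143 Dst 10370 from Private policy-class on interface vlan 1 agent=AdFirewall",
    "id=firewall time=2014-12-10 08:12:31 fw=NOC pri=1 proto=1202/tcp src=50.58.243.161 dst=74.113.156.13 msg=Post Connection SYN attack detected Src 80 Dst 1202 from Public policy-class on interface vlan 200 agent=AdFirewall",  # constructed
]

# Values may contain spaces (time, msg), so a value runs until the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
PORTS_RE = re.compile(r"Src (\d+) Dst (\d+)")
CTX_RE = re.compile(r"from (\w+) policy-class on interface (\S+ \S+)")

# Substrings that identify the two firewall messages discussed in the thread.
KINDS = {
    "Post Connection SYN attack": "post_connection_syn",
    "expected SYN, got ACK": "invalid_first_packet",
}

def parse_line(line):
    """Split one AdFirewall line into fields and decode the free-text msg."""
    fields = dict(FIELD_RE.findall(line))
    msg = fields.get("msg", "")
    rec = {"time": fields.get("time"), "src": fields.get("src"),
           "dst": fields.get("dst"), "proto": fields.get("proto"),
           "kind": "other", "src_port": None, "dst_port": None,
           "policy_class": None, "interface": None}
    for needle, kind in KINDS.items():
        if needle in msg:
            rec["kind"] = kind
    m = PORTS_RE.search(msg)
    if m:  # "Src 80 Dst 1201" are the TCP ports, not the IP addresses
        rec["src_port"], rec["dst_port"] = int(m.group(1)), int(m.group(2))
    m = CTX_RE.search(msg)
    if m:
        rec["policy_class"], rec["interface"] = m.group(1), m.group(2)
    return rec

def summarize(lines):
    """Count events per (kind, interface) and SYN-attack hits per (src, src_port)."""
    by_kind, by_source = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        by_kind[(rec["kind"], rec["interface"])] += 1
        if rec["kind"] == "post_connection_syn":
            by_source[(rec["src"], rec["src_port"])] += 1
    return by_kind, by_source
```

Feeding a day of syslog from each 1224R through summarize() shows whether the SYN events cluster on one interface or source, which is the first thing to compare against the show proc cpu output Noor asked for.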

jayh
Honored Contributor

Re: SYN attack port 80

You probably don't want the switch management web server exposed to the Internet without an ACL. Consider building an access-list limited to your own subnet and applying it to the HTTP, HTTPS processes as well as SSH and Telnet lines. For that matter, disabling Telnet entirely is probably a good idea.