detect syn attack

Discussions about PacketShaper


Postby danilody on Tue Mar 30, 2010 10:45 pm

Greetings...

I'm using PacketWise 8.5.1

I'm configuring PacketShaper to detect SYN Attack by following the guide in this link https://bto.bluecoat.com/packetguide/8.5/nav/tasks/adaptiveresponse/example-syn-attack-agent.htm

I see hosts in the violatingHosts lists by executing "hl show"
-----------------------
PacketShaper# hl show
Sharable host lists:

exceptionHosts w.x.y.z/16 << Internal Network
violatingHosts a.b.c.d << host/s exceed the threshold

PacketShaper#
------------------------

Since those hosts that exceed the threshold have been added to the violatingHosts list and remain there for a longer period of time - more than 30 minutes (meaning they continue sending packets, as I can see in the firewall) - I assume that I should see utilization in the configured class. But it remains zero.

Since I have the violating host/s in the list, I can be sure that my configuration in that part is correct. However, since there is no utilization in the class, I assume that there might be a problem with the class configuration and/or my understanding of the last part of the guide in the link above.

Has anyone tried configuring PacketShaper to detect SYN attack and have utilization in the class?

TIA
- Dandy
danilody
 
Posts: 9
Joined: Mon Aug 23, 2004 9:49 pm

Re: detect syn attack

Postby StuartM on Tue Apr 06, 2010 11:12 am

SYN packets contain no real payload so I'm guessing they won't generate a lot of bandwidth, if any. Try the command:

host info <ip address>

You can see the rate of new connections in the "client", "server", and "failed" columns. "failed" would be the count of SYNs.
StuartM
 
Posts: 505
Joined: Wed Jul 16, 2003 9:07 am

Re: detect syn attack

Postby danilody on Tue Apr 06, 2010 6:58 pm

Hi Stuart,

Thank you for your reply.

After configuring and seeing a lot of hosts exceed the threshold for a long period of time (more than 5 minutes - some have been there for hours) and seeing them in my firewall, I expect some bandwidth utilization in the class that I created from the "Monitor" tab (especially incoming); however it's zero.

---------------
PacketShaper# hl show
Sharable host lists:

exceptionHosts a.b.c.0/20 << Internal network
violatingHosts x.y.z.184 q.r.s.88 << Outside/Internet
---------------

In the configuration hierarchy
- Monitor < OK
- Capture Violating Hosts < OK
- Alert < OK
- Control < There is no util at all for the class in the "Monitor" tab (zero).

Best wishes,
Dandy
Last edited by danilody on Tue Apr 06, 2010 7:07 pm, edited 1 time in total.
danilody
 
Posts: 9
Joined: Mon Aug 23, 2004 9:49 pm

Re: detect syn attack

Postby danilody on Tue Apr 06, 2010 7:03 pm

Hi Stuart,

Here is the output of the command you suggested.
----------------
PacketShaper# host info x.y.z.184

IP Address     Conn   RTT    Cur    1 Min   Peak   --- New Flows Per Minute ---
               to PS         rate   avg     rate   Client   Server   Failed
--------------------------------------------------------------------------------
x.y.z.184  O   183    70ms   1475   1411    8.4M   105      0        83


1 entries matching x.y.z.184 255.255.255.255

PacketShaper#
------------------

From the "Monitor" tab, there is no util.

Best wishes,
Dandy
danilody
 
Posts: 9
Joined: Mon Aug 23, 2004 9:49 pm
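
The two posts above give the practical check: StuartM points at the "Client", "Server" and "Failed" new-flows-per-minute columns of `host info`, and Dandy's output shows a host with 83 failed flows per minute and no server-side flows. The script below is an added example, not code from this thread or from Blue Coat: it parses `host info` output laid out the way Dandy pasted it and lists hosts whose failed new-flow rate crosses a threshold, which is the kind of evidence a SYN-flood response should be built on rather than class utilization. The sample text is constructed (the second row and the "I" flag are invented), the single-letter flag column is carried through but not interpreted since the thread does not document it, and the two thresholds are hypothetical tuning values.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout posted in the thread. The second row and the
# "I" flag are assumptions added for illustration, not real PacketShaper output.
SAMPLE_HOST_INFO = """\
PacketShaper# host info x.y.z.184

IP Address     Conn   RTT    Cur    1 Min   Peak   --- New Flows Per Minute ---
               to PS         rate   avg     rate   Client   Server   Failed
--------------------------------------------------------------------------------
x.y.z.184  O   183    70ms   1475   1411    8.4M   105      0        83
10.0.0.5   I   4      12ms   300    280     1.1M   12       3        0

2 entries matching 0.0.0.0 0.0.0.0

PacketShaper#
"""

# One data row: host, optional single-letter flag (meaning not documented in the
# thread, so it is kept but not interpreted), connection count, RTT in ms,
# three rate fields, then the three new-flows-per-minute counters.
ROW_RE = re.compile(
    r"^(?P<ip>[\w.]+)\s+"
    r"(?:(?P<flag>[A-Za-z])\s+)?"
    r"(?P<conn>\d+)\s+(?P<rtt>\d+)ms\s+"
    r"(?P<cur>\S+)\s+(?P<avg>\S+)\s+(?P<peak>\S+)\s+"
    r"(?P<client>\d+)\s+(?P<server>\d+)\s+(?P<failed>\d+)\s*$"
)

_SUFFIX = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}


@dataclass
class HostRecord:
    ip: str
    flag: str
    connections: int
    rtt_ms: int
    cur_rate: float
    avg_rate_1min: float
    peak_rate: float
    client_flows_pm: int
    server_flows_pm: int
    failed_flows_pm: int

    @property
    def failed_fraction(self) -> float:
        """Share of this host's new flows per minute that never completed."""
        total = self.client_flows_pm + self.server_flows_pm + self.failed_flows_pm
        return self.failed_flows_pm / total if total else 0.0


def parse_rate(text: str) -> float:
    """'8.4M' -> 8400000.0; plain numbers pass through (units as printed)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised rate field: {text!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def parse_host_info(output: str) -> List[HostRecord]:
    """Extract the data rows; headers, separators and the trailer are skipped."""
    records = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        records.append(HostRecord(
            ip=m["ip"], flag=m["flag"] or "",
            connections=int(m["conn"]), rtt_ms=int(m["rtt"]),
            cur_rate=parse_rate(m["cur"]), avg_rate_1min=parse_rate(m["avg"]),
            peak_rate=parse_rate(m["peak"]),
            client_flows_pm=int(m["client"]), server_flows_pm=int(m["server"]),
            failed_flows_pm=int(m["failed"]),
        ))
    return records


def suspected_syn_sources(records: List[HostRecord],
                          failed_per_min: int = 50,
                          min_failed_fraction: float = 0.25) -> List[str]:
    """Hosts whose failed new-flow rate crosses both hypothetical thresholds."""
    return [r.ip for r in records
            if r.failed_flows_pm >= failed_per_min
            and r.failed_fraction >= min_failed_fraction]


if __name__ == "__main__":
    recs = parse_host_info(SAMPLE_HOST_INFO)
    for r in recs:
        print(f"{r.ip:12} failed/min={r.failed_flows_pm:4d} "
              f"failed_fraction={r.failed_fraction:.2f} peak={r.peak_rate:.0f}")
    print("suspected SYN sources:", suspected_syn_sources(recs))
```

Run it against pasted `host info` text (for example, the output of a scheduled CLI session) and the flagged list is what to compare with the violatingHosts list; the rate columns are parsed too, so the same records can show that a host with a high failed-flow count can still carry next to no bandwidth, which is the point of the replies that follow.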

Re: detect syn attack

Postby danilody on Thu Jun 24, 2010 9:07 pm

To update this post.

I have been told by support that there will be no utilization from the monitoring. They didn't explain why even when I pressed for an explanation, sigh :(
danilody
 
Posts: 9
Joined: Mon Aug 23, 2004 9:49 pm

Re: detect syn attack

Postby paul.blitz on Wed Jul 07, 2010 5:35 am

The syn/syn-ack/ack sequence is not only small, but until it has happened, the unit doesn't know how to categorise the traffic, as it uses data in the syn etc to do this, so maybe that's why it isn't categorised.

Also, the method used to restrict bandwidth relies on controlling the window size and acknowledgement timings, and that bit hasn't started yet!

So I'm guessing they are all part of the reason there's no data to be had.

Paul
Paul Blitz,
England.

(ex- PCI & PCE)
paul.blitz
 
Posts: 639
Joined: Fri Jul 25, 2003 4:15 am
Location: Reading, England
