For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

smp_86112's avatar
smp_86112
Icon for Cirrostratus rankCirrostratus
Jan 22, 2009

Methodolgy to ID source of DOS attack

Recently, I started receiving SNMP traps from an LTM pair indicating it was the target of a possible DOS attack.     Limiting open port RST response from 16170 to 250 packets/sec   ...
management
monitoring
dennypayne's avatar
dennypayne
Icon for Employee rankEmployee
Jan 28, 2009

Posted By smp on 01/28/2009 7:19 AM

 

 

At the time I was doing a tcpdump looking for RST packets, but upon reflection that was a stupid idea since the LTM is dropping the SYN packets instead of sending RSTs, so I wouldn't have captured the RSTs.

 

 

 

Also don't forget the syncookie mechanism...if you reach a certain threshold of SYN's coming in, LTM will respond with a syncookie to the client and immediately close the connection. If it's a legitimate client, it will respond back and LTM is smart enough to reopen the connection based on the syncookie. But SYN floods are avoided because the LTM has already closed the connection and moved on. So you may see "dropped" SYN's without seeing the "Limiting open port RST response" message as well.

 

 

Denny