Forum Discussion
smp_86112
Cirrostratus
Jan 22, 2009
Methodology to ID source of DOS attack
Recently, I started receiving SNMP traps from an LTM pair indicating it was the target of a possible DOS attack.
Limiting open port RST response from 16170 to 250 packets/sec
...
Hamish
Cirrocumulus
Apr 30, 2010
Mmm..... What the BigIP is doing is sending a RST packet because it's received a tcp packet for a connection that doesn't exist, and the received packet DOES NOT have the SYN flag set... In this respect the F5 is behaving exactly like any other IP host... If an IP stack receives a packet without the SYN flag set for a connection that doesn't exist in the connection table, the host sends back a RST to tell the sending host that the connection doesn't exist and they need to reset their state.
The best way to diagnose this would IMO be a two parter... First perform a tcpdump looking for RST packets... Since the F5 is rate limiting to 250/sec, there should be plenty to see... Have a look at the destination IP... Then perform a tcpdump filtering just on that IP address... You'll then have all the info on what the host is sending (Valid and invalid packets) and what's being sent back.
It's always possible that this is simply due to a genuine fault... One reason I can think of is possibly you just had a failover, and these packets are destined for a VS that doesn't have mirroring enabled.
H
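The two-part tcpdump approach described in the reply above, as an added example that is not part of the original thread: the helper functions tally which destination IPs are receiving the RSTs so the second capture can be filtered on the busiest one. The function names, the sample capture lines and the `<interface>` placeholder are assumptions, and the parser expects the modern `tcpdump -nn` text layout for IPv4.

```shell
#!/bin/sh
# Added example: tally the destination IPs of RST packets in tcpdump text output.
# Assumes IPv4 lines in the modern `tcpdump -nn` layout:
#   TIME IP SRC.SPORT > DST.DPORT: Flags [R.], ...

# Print "COUNT DST_IP" for every RST destination, busiest first.
rst_destinations() {
    awk '
    $2 == "IP" && $4 == ">" {
        start = index($0, "Flags [")
        if (start == 0) next
        flags = substr($0, start + 7)
        flags = substr(flags, 1, index(flags, "]") - 1)
        if (index(flags, "R") == 0) next   # keep only packets with RST set
        dst = $5
        sub(/:$/, "", dst)                 # drop the trailing colon
        sub(/\.[0-9]+$/, "", dst)          # drop the port
        count[dst]++
    }
    END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# Print only the IP that received the most RSTs.
top_rst_destination() {
    rst_destinations | head -n 1 | awk '{ print $2 }'
}

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE='10:15:01.000101 IP 10.10.1.50.443 > 192.0.2.10.51514: Flags [R], seq 0, win 0, length 0
10:15:01.000207 IP 10.10.1.50.443 > 192.0.2.10.51515: Flags [R.], seq 0, ack 1, win 0, length 0
10:15:01.000313 IP 198.51.100.7.40022 > 10.10.1.50.443: Flags [S], seq 100, win 64240, length 0
10:15:01.000420 IP 10.10.1.50.443 > 198.51.100.7.40023: Flags [R], seq 0, win 0, length 0
10:15:01.000533 IP 10.10.1.50.443 > 192.0.2.10.51516: Flags [R], seq 0, win 0, length 0
10:15:01.000641 IP 10.10.1.50.443 > 198.51.100.7.40022: Flags [S.], seq 5, ack 101, win 4380, length 0'

printf '%s\n' "$SAMPLE" | rst_destinations

# On the live system (interface name is a placeholder):
#   Part 1: tcpdump -nn -i <interface> -c 5000 'tcp[tcpflags] & tcp-rst != 0' | rst_destinations
#   Part 2: tcpdump -nn -i <interface> -w rst-host.pcap host <top destination IP>
```

The second capture then shows both directions for that host, so the non-SYN packets that trigger each RST can be lined up against the resets sent back.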