Forum Discussion
Regarding SYN flood attack
Hi all,
We are seeing the SYN cookie threshold being exceeded on the LTM, while I think we are not seeing a huge number of connections from the source that could cross the threshold limit of 16,384...
Internal warning tmm[13131]: 01010038:4: Syncookie threshold 2607 exceeded, virtual = :80
Internal notice tmm[13131]: 01010240:5: Syncookie HW mode activated, server = :80, HSB modId = 1
Internal notice tmm[13131]: 01010241:5: Syncookie HW mode exited, server = :80, HSB modId = 1 from HSB
Also, when I try the command 'show sys connection' on the LTM, I am not seeing that huge number of connections.
Also, I just wanted to confirm one piece of information regarding 'show sys connection': what is the 186 value? Is this the number of connections generated by the client? Can one client send 186 TCP connections?
:54838 :80 :54838 :39081 tcp 186
Thanks
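The two views the post compares, the tmm Syncookie log messages and the `show sys connection` table, are what an operator reconciles first when triaging this. The Python below is an added example, not code from the thread or from F5: it extracts the three tmm message IDs quoted in the post (01010038, 01010240, 01010241) per virtual server, counts hardware-mode activate/exit flaps, parses `show sys connection` rows, and joins the two views. All sample log lines and connection rows are constructed (the post's addresses were redacted) and the function names are mine. It also makes two things explicit: the sixth field of a connection row (186 in the post) is the flow's idle time in seconds, not a connection count; and once SYN cookie mode is active, the half-open SYNs that drove the threshold are answered statelessly, so they are not expected to appear as entries in the connection table, which is why a large threshold figure beside a short connection list is not by itself a contradiction.

```python
# Added example, not code from the thread or from F5: an offline triage helper
# for the two views the poster compared, tmm SYN cookie log messages and
# `tmsh show sys connection` rows. All sample data below is constructed (the
# post's addresses were redacted); addresses come from the TEST-NET ranges.
import re
from collections import defaultdict

# tmm message IDs quoted in the post.
MSG_THRESHOLD = "01010038"     # Syncookie threshold N exceeded, virtual = <addr>:<port>
MSG_HW_ACTIVATED = "01010240"  # Syncookie HW mode activated, server = <addr>:<port>, ...
MSG_HW_EXITED = "01010241"     # Syncookie HW mode exited, server = <addr>:<port>, ...

# Constructed log excerpt modelled on the three lines in the post.
SAMPLE_LOG = """\
Jan 10 10:00:01 bigip1 warning tmm[13131]: 01010038:4: Syncookie threshold 2607 exceeded, virtual = 192.0.2.10:80
Jan 10 10:00:01 bigip1 notice tmm[13131]: 01010240:5: Syncookie HW mode activated, server = 192.0.2.10:80, HSB modId = 1
Jan 10 10:00:04 bigip1 notice tmm[13131]: 01010241:5: Syncookie HW mode exited, server = 192.0.2.10:80, HSB modId = 1 from HSB
Jan 10 10:00:09 bigip1 notice tmm[13131]: 01010240:5: Syncookie HW mode activated, server = 192.0.2.10:80, HSB modId = 1
Jan 10 10:00:11 bigip1 notice tmm[13131]: 01010241:5: Syncookie HW mode exited, server = 192.0.2.10:80, HSB modId = 1 from HSB
Jan 10 10:05:00 bigip1 warning tmm[13131]: 01010038:4: Syncookie threshold 1200 exceeded, virtual = 192.0.2.11:443
"""

# Constructed `show sys connection` output. Columns: client-side src, client-side
# dst (the virtual server), server-side src, server-side dst, protocol, idle
# time in seconds, tmm.
SAMPLE_CONN = """\
Sys::Connections
198.51.100.7:54838  192.0.2.10:80   198.51.100.7:54838  203.0.113.5:39081  tcp  186  (tmm: 0)  none
198.51.100.8:40001  192.0.2.10:80   198.51.100.8:40001  203.0.113.6:80     tcp  3    (tmm: 1)  none
198.51.100.9:40002  192.0.2.11:443  198.51.100.9:40002  203.0.113.7:443    tcp  12   (tmm: 0)  none
Total records returned: 3
"""

_EVENT_RE = re.compile(
    r"tmm\[\d+\]: (?P<msgid>0101(?:0038|0240|0241)):\d+: Syncookie "
    r"(?:threshold (?P<thr>\d+) exceeded, virtual|HW mode (?P<hw>activated|exited), server)"
    r" = (?P<vs>[^,\s]+)"
)

# IPv4 rows only (addr:port); an empty host matches redacted rows like ":54838 :80 ...".
_CONN_RE = re.compile(
    r"^\s*(?P<csrc>[^\s:]*):(?P<csport>\d+)\s+(?P<cdst>[^\s:]*):(?P<cdport>\d+)\s+"
    r"(?P<ssrc>[^\s:]*):(?P<ssport>\d+)\s+(?P<sdst>[^\s:]*):(?P<sdport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<idle>\d+)"
)


def summarize_syncookie_events(log_text):
    """Per virtual server: threshold hits, highest threshold seen, HW mode enters/exits."""
    per_vs = defaultdict(lambda: {"threshold_hits": 0, "max_threshold": 0,
                                  "hw_activated": 0, "hw_exited": 0})
    for line in log_text.splitlines():
        m = _EVENT_RE.search(line)
        if not m:
            continue
        stats = per_vs[m.group("vs")]
        if m.group("msgid") == MSG_THRESHOLD:
            stats["threshold_hits"] += 1
            stats["max_threshold"] = max(stats["max_threshold"], int(m.group("thr")))
        elif m.group("hw") == "activated":
            stats["hw_activated"] += 1
        else:
            stats["hw_exited"] += 1
    return dict(per_vs)


def parse_sys_connection(output):
    """Parse `show sys connection` rows into dicts; header/footer lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = _CONN_RE.match(line)
        if m:
            row = m.groupdict()
            row["idle"] = int(row["idle"])  # idle time in seconds, not a count
            rows.append(row)
    return rows


def connections_per_virtual(rows):
    """Count table entries per client-side destination, i.e. per virtual server."""
    counts = defaultdict(int)
    for r in rows:
        counts[f"{r['cdst']}:{r['cdport']}"] += 1
    return dict(counts)


def triage(log_text, conn_output):
    """Join both views per virtual server; flag repeated HW mode activation as flapping."""
    events = summarize_syncookie_events(log_text)
    flows = connections_per_virtual(parse_sys_connection(conn_output))
    return {vs: dict(stats, established_flows=flows.get(vs, 0),
                     hw_flapping=stats["hw_activated"] > 1)
            for vs, stats in events.items()}


if __name__ == "__main__":
    for vs, report in triage(SAMPLE_LOG, SAMPLE_CONN).items():
        print(vs, report)
```

Run it against a real `/var/log/ltm` excerpt and the saved output of `tmsh show sys connection`; a virtual server whose `hw_activated` count climbs while `established_flows` stays small is the pattern discussed in the replies below.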
14 Replies
- Brad_Parker_139
Nacreous
I don't think there is a SOL for it in the wild, but you need to turn off hardware SYN cookie protection for network virtual servers. It doesn't behave properly when turned on for anything other than a /32 destination virtual server. We had many problems with this last year and our local FSE finally confirmed it and sent out a newsletter detailing that it should be turned off. Software SYN cookie protection should get you by for those network VIPs. If not, contact your local F5 team. As soon as you disable hardware SYN cookie in the TCP/FastL4 profile attached to the VS you should see things get better.
- Brad_Parker_139
Nacreous
PS this is only an issue on platforms that can do hardware SYN cookie in their PVA cards: 5000s+ and Viprion.
- Brad_Parker_139
Nacreous
What usually triggers this erroneous behavior are packet drops upstream.
- Amit585731
Nimbostratus
Thanks Brad. Yes, because we continued to see the issue continually, we have already disabled SYN Cookie and enabled Software Cookie globally.