Forum Discussion
Amit585731
Nimbostratus
NimbostratusRegarding SYN flood attack
Hi ALL,
We are seeing SYN Cookie threshold exceeding on LTM while I think we are not seeing this huge connection from source so it can cross threshold limit of 16,384...
Internal warning tm...
Brad_Parker_139
Nacreous
NacreousI don't think there is a SOL for it in the wild, but you need to turn off hardware SYN cookie protection for network virtual servers. It doesn't behave properly when turned on for anything other than a /32 destination virtual server. We had many problems with this last year and our local FSE finally confirmed it and sent out a newsletter detailing that it should be turned off. Software SYN cookie protection should get you by for those network VIPs. If not, contact your local F5 team. As soon as you disable hadrware SYN cookie in the TCP/FastL4 profile attached to the VS you should see things get better.
- Brad_Parker_139PS this is only an issue on platforms that can do hardware SYN cookie in their PVA cards. 5000s+ and Viprion.
- Brad_Parker_139What usually triggers this erroneous behavior are packet drops up stream.
Amit585731Thanks Brad. Yes becoz we continued to see issue continually we have already disabled SYN Cookie and enabled Software Cookie globally.- Amit585731Also by any chance you know what that value 186 is in 'show sys connection' output I mentioned? is the number of connection from source to VS?
- Brad_Parker_139show sys connection shows all the connections to the LTM. The TCP 186 you see I believe is the age of that connection in seconds.
- Amit585731thanks Brad for all your help.
