SYN attacks from nagios
rob.moss at uk.bnpparibas.com
Fri Sep 15 11:59:56 CEST 2006
nagios-users-bounces at lists.sourceforge.net wrote on 14/09/2006 19:30:29:
> The device that is detecting the "attack" is a content switch, which
> sits in front of all the hosts. There isn't a particular command that
> is triggering the alert.
>
> Here are two that I have seen for sure:
>
> define service {
> name check_nt_cpu
> check_command check_nt_cpu!1111!foo!10,90,95,60,80,95,1440,80,95
> max_check_attempts 3
> normal_check_interval 3
> retry_check_interval 3
> active_checks_enabled 1
> passive_checks_enabled 1
> check_period 24x7
> parallelize_check 1
> obsess_over_service 0
> check_freshness 0
> event_handler_enabled 1
> flap_detection_enabled 1
> process_perf_data 1
> retain_status_information 1
> retain_nonstatus_information 1
> notification_interval 5
> notification_period 24x7
> notifications_enabled 1
> register 0
> notification_options w,u,c,r
> }
>
> define service {
> name pmo-service-24x7
> max_check_attempts 3
> normal_check_interval 3
> retry_check_interval 3
> active_checks_enabled 1
> passive_checks_enabled 1
> check_period 24x7
> parallelize_check 1
> obsess_over_service 0
> check_freshness 0
> event_handler_enabled 1
> flap_detection_enabled 1
> process_perf_data 1
> retain_status_information 1
> retain_nonstatus_information 1
> notification_interval 5
> notification_period 24x7
> notifications_enabled 1
> register 0
> notification_options w,u,c,r
> }
>
>
> These are just templates but contain all the info that is important to
> this discussion. These are the same as the 1.2 host as well.
Morning..
Okay.. so the content switch is detecting the SYN attacks on multiple
hosts..
Is the check check_nt_cpu running an NRPE_nt / NSClient++ check? These do
use TCP.. Not sure what the check_nt_cpu check actually does because you
haven't provided it here. It comes from the commands.cfg file..
I would say (without further investigation and no knowledge of your
network architecture) that the content switch is probably just doing its
job, and is configured with some very low thresholds for SYN Flood
protection.. Check out the thresholds, see if they are lower than the
amount of checks the Nagios server is running through the server. Here's
an equation for you so you can work out the server's polling frequency to
match it up to the network switch thresholds:

Number of Hosts * ( Number of Services per host * ( 60 Mins / Check interval for services ) ) = Num of checks per hour
I would say these are probably a false alarm and adjust the parameters up a
little higher.
If you are really concerned, you might want to do some more digging and
find exactly which hosts are being SYN Flooded, the amount of packets per
second, the TCP ports being opened and the source port(s) of the attack.
Two programs which will assist you in this are: tcpdump (cmdline) or
ethereal (cmdline and X)
Good luck
> On 9/14/06, Donnell Lewis <donnell.lewis at icoretechnology.com> wrote:
> > Did the 'ping' command check itself change from the 2 different
> > versions ? Check in checkcommands.cfg, see if the command definition
> > is the same between the two.
> >
> > -DL
> >
> > On Thu, 2006-09-14 at 17:07 +0100, rob.moss at uk.bnpparibas.com wrote:
> > > nagios-users-bounces at lists.sourceforge.net wrote on 14/09/2006 17:00:29:
> > >
> > > > Good morning,
> > > >
> > > > I have 2 nagios servers. One is running 1.2 and the other is running
> > > > 2.5. Both are running in parallel while I migrate to the 2.5 machine.
> > > > Our content switch is detecting that the 2.5 machine is SYN attacking
> > > > hosts. Both servers have very similar monitoring sets and similar
> > > > configurations. I have gone through the config and nothing stands
> > > > out. Obviously, the 2.5 machine is pounding the servers more heavily
> > > > but I can't figure out why. Below is my config.
> > > >
> > >
> > > Good evening!
> > >
> > > <config snipped>
> > >
> > > What checks are you running against the server that is detecting the SYN
> > > attacks?
> > >
> > > The config you posted is the general nagios config, we would need to see
> > > the services.cfg portions for the affected host(s)
> > >
> > > Cheers
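As an added example (not code from the thread or from the Nagios project), the script below applies the polling-rate formula from the reply above to actual service definitions: it parses `define service { ... }` blocks of the kind quoted in the thread, resolves `use` template inheritance, and works out how many active checks per hour each monitored host receives, both in the steady state (`normal_check_interval`) and while a service is being retried (`retry_check_interval`). Since every check_nt/NRPE-style check opens one TCP connection, that figure is the average SYN rate the content switch sees from the Nagios server and can be compared directly with its SYN-flood threshold. The sample configuration, the host names `winhost1`/`winhost2` and the threshold value are constructed for the example; the `interval_length` of 60 seconds is the Nagios default.

```python
"""Estimate per-host Nagios check rates from service definitions so they can
be compared with a content switch's SYN-rate threshold.

Added example for the thread above; not Nagios code. The config text, host
names and threshold used below are constructed sample values."""
import re

INTERVAL_LENGTH = 60  # seconds per interval unit (Nagios default interval_length)

# Constructed sample: the two templates quoted in the thread plus two
# hypothetical registered services that inherit from them.
SAMPLE_CFG = """
define service {
    name                    check_nt_cpu
    check_command           check_nt_cpu!1111!foo!10,90,95,60,80,95,1440,80,95
    max_check_attempts      3
    normal_check_interval   3
    retry_check_interval    3
    register                0
}
define service {
    name                    pmo-service-24x7
    max_check_attempts      3
    normal_check_interval   3
    retry_check_interval    3
    register                0
}
define service {
    use                     check_nt_cpu
    host_name               winhost1,winhost2
    service_description     CPU
}
define service {
    use                     pmo-service-24x7
    host_name               winhost1
    service_description     Disk
    check_command           check_nt_disk!1111!foo!C!80!90
    normal_check_interval   1
}
"""

BLOCK_RE = re.compile(r"define\s+service\s*\{(.*?)\}", re.S)
NOT_INHERITED = {"name", "register"}  # Nagios never inherits these two


def parse_services(text):
    """Parse every 'define service { ... }' block into a dict of directives."""
    services = []
    for body in BLOCK_RE.findall(text):
        svc = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line[0] in "#;":
                continue
            parts = line.split(None, 1)
            svc[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        services.append(svc)
    return services


def resolve_templates(services):
    """Fill in directives from the template named by 'use' (recursively),
    without overriding anything the service sets itself."""
    templates = {s["name"]: s for s in services if "name" in s}

    def resolve(svc, seen=()):
        merged = dict(svc)
        parent = svc.get("use")
        if parent in templates and parent not in seen:
            for k, v in resolve(templates[parent], seen + (parent,)).items():
                if k not in NOT_INHERITED:
                    merged.setdefault(k, v)
        return merged

    return [resolve(s) for s in services]


def checks_per_hour(cfg_text, interval_length=INTERVAL_LENGTH):
    """Return {host: {"normal": n, "retry": m}}: active checks per hour each
    host receives when all its services are OK, and when all are being
    retried in a soft non-OK state."""
    rates = {}
    for svc in resolve_templates(parse_services(cfg_text)):
        if svc.get("register", "1") == "0" or "host_name" not in svc:
            continue  # template, never scheduled
        if svc.get("active_checks_enabled", "1") == "0":
            continue
        normal = float(svc.get("normal_check_interval", 0)) * interval_length
        retry = float(svc.get("retry_check_interval", 0)) * interval_length
        for host in (h.strip() for h in svc["host_name"].split(",")):
            r = rates.setdefault(host, {"normal": 0.0, "retry": 0.0})
            if normal > 0:
                r["normal"] += 3600 / normal
            if retry > 0:
                r["retry"] += 3600 / retry
    return rates


def thread_formula(hosts, services_per_host, check_interval_minutes):
    """The rule of thumb from the reply for a uniform config:
    hosts * services per host * (60 / check interval) = checks per hour."""
    return hosts * services_per_host * (60 / check_interval_minutes)


def hosts_over_threshold(rates, syn_per_minute, key="normal"):
    """Hosts whose average connection rate (one SYN per check) exceeds a
    content-switch threshold expressed in SYNs per minute."""
    return sorted(h for h, r in rates.items() if r[key] / 60 > syn_per_minute)


if __name__ == "__main__":
    rates = checks_per_hour(SAMPLE_CFG)
    for host, r in sorted(rates.items()):
        print(f"{host}: {r['normal']:.0f} checks/h normal, "
              f"{r['retry']:.0f} checks/h while retrying")
    print("over a 1/min threshold:", hosts_over_threshold(rates, 1.0))
```

The reported figure is an average; Nagios spreads its initial checks over the scheduling window, so short-lived bursts (for example just after a restart) can exceed it, which is why comparing against a very low switch threshold with some margin is the sensible thing to do.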
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users