SYN attacks from nagios

Terry td3201 at gmail.com
Fri Sep 15 20:56:21 CEST 2006


They are using nrpe_nt.  We never had a problem with the 1.2 machine.
It is only the 2.5 machine and they are configured the same as far as
check intervals are concerned.


On 9/15/06, rob.moss at uk.bnpparibas.com <rob.moss at uk.bnpparibas.com> wrote:
> nagios-users-bounces at lists.sourceforge.net wrote on 14/09/2006 19:30:29:
>
> > The device that is detecting the "attack" is a content switch, which
> > sits in front of all the hosts.  There isn't a particular command that
> > is triggering the alert.
> >
> > Here are two that I have seen for sure:
> >
> > define service {
> >         name check_nt_cpu
> >         check_command check_nt_cpu!1111!foo!10,90,95,60,80,95,1440,80,95
> >         max_check_attempts 3
> >         normal_check_interval 3
> >         retry_check_interval 3
> >         active_checks_enabled 1
> >         passive_checks_enabled 1
> >         check_period 24x7
> >         parallelize_check 1
> >         obsess_over_service 0
> >         check_freshness 0
> >         event_handler_enabled 1
> >         flap_detection_enabled 1
> >         process_perf_data 1
> >         retain_status_information 1
> >         retain_nonstatus_information 1
> >         notification_interval 5
> >         notification_period 24x7
> >         notifications_enabled 1
> >         register 0
> >         notification_options w,u,c,r
> > }
> >
> > define service {
> >         name pmo-service-24x7
> >         max_check_attempts 3
> >         normal_check_interval 3
> >         retry_check_interval 3
> >         active_checks_enabled 1
> >         passive_checks_enabled 1
> >         check_period 24x7
> >         parallelize_check 1
> >         obsess_over_service 0
> >         check_freshness 0
> >         event_handler_enabled 1
> >         flap_detection_enabled 1
> >         process_perf_data 1
> >         retain_status_information 1
> >         retain_nonstatus_information 1
> >         notification_interval 5
> >         notification_period 24x7
> >         notifications_enabled 1
> >         register 0
> >         notification_options w,u,c,r
> > }
> >
> >
> > These are just templates but contain all the info that is important to
> > this discussion.  These are the same as the 1.2 host as well.
>
> Morning..
>
> Okay.. so the content switch is detecting the SYN attacks on multiple
> hosts..
>
> Is the check check_nt_cpu running an NRPE_nt / NSClient++ check? These do
> use TCP.. Not sure what the check_nt_cpu check actually does because you
> haven't provided it here. it comes from the commands.cfg file..
>
> I would say (without further investigation and no knowledge of your
> network architecture) that the content switch is probably just doing its
> job, and is configured with some very low thresholds for SYN Flood
> protection..  Check out the thresholds, see if they are lower than the
> amount of checks the Nagios server is running through the server.  Here's
> an equation for you so you can work out the servers polling frequency to
> match it up to the network switch thresholds
>
> Number of Hosts * ( Number of Services per host ( 60 Mins / Check interval
> for services ) ) = Num of checks per hour
>
> I would say these are probably a false alarm and adjust the parameters up a
> little higher.
>
> If you are really concerned, you might want to do some more digging and
> find exactly which hosts are being SYN Flooded, the amount of packets per
> second, the TCP ports being opened and the source port(s) of the attack.
>
> Two programs which will assist you in this are:  tcpdump (cmdline) or
> ethereal (cmdline and X)
>
> Good luck
>
> > On 9/14/06, Donnell Lewis <donnell.lewis at icoretechnology.com> wrote:
> > > Did the 'ping' command check itself change from the 2 different
> > > versions ?  Check in checkcommands.cfg, see if the command definition
> > > is the same between the two.
> > >
> > > -DL
> > >
> > > On Thu, 2006-09-14 at 17:07 +0100, rob.moss at uk.bnpparibas.com wrote:
> > > > nagios-users-bounces at lists.sourceforge.net wrote on 14/09/2006 17:00:29:
> > > >
> > > > > Good morning,
> > > > >
> > > > > I have 2 nagios servers.  One is running 1.2 and the other is running
> > > > > 2.5.  Both are running in parallel while I migrate to the 2.5 machine.
> > > > > Our content switch is detecting that the 2.5 machine is SYN attacking
> > > > > hosts.  Both servers have very similar monitoring sets and similar
> > > > > configurations.  I have gone through the config and nothing stands
> > > > > out.  Obviously, the 2.5 machine is pounding the servers more heavily
> > > > > but I can't figure out why.  Below is my config.
> > > > >
> > > >
> > > > Good evening!
> > > >
> > > > <config snipped>
> > > >
> > > > What checks are you running against the server that is detecting the SYN
> > > > attacks?
> > > >
> > > > The config you posted is the general nagios config, we would need to see
> > > > the services.cfg portions for the affected host(s)
> > > >
> > > > Cheers

_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null
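Rob's checks-per-hour formula worked through as an added example (this is not code from the thread or from Nagios): it parses service templates shaped like the ones quoted above, applies the formula, and compares the resulting average connection rate with an assumed content-switch SYN-per-second threshold. The host count, services per host, threshold and the trimmed sample config are all assumed inputs.

```python
import re

# Constructed sample: the two templates quoted in the thread, trimmed to the
# directive this calculation reads (interval values as posted).
SAMPLE_CFG = """
define service {
        name check_nt_cpu
        normal_check_interval 3
}
define service {
        name pmo-service-24x7
        normal_check_interval 3
}
"""

def parse_service_templates(text):
    """Map template name -> {directive: value} for each define service block."""
    templates = {}
    for body in re.findall(r"define\s+service\s*\{(.*?)\}", text, re.S):
        kv = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                kv[parts[0]] = parts[1].strip()
        if "name" in kv:
            templates[kv["name"]] = kv
    return templates

def checks_per_hour(hosts, services_per_host, check_interval, interval_length=60):
    """Rob's formula: hosts * services_per_host * (60 min / check interval).
    check_interval is in Nagios interval units; interval_length is seconds
    per unit (Nagios default 60, so an interval of 3 means every 3 minutes)."""
    interval_minutes = check_interval * interval_length / 60.0
    return hosts * services_per_host * (60.0 / interval_minutes)

def syn_rate(hosts, services_per_host, check_interval, syn_threshold_per_sec,
             interval_length=60):
    """Average new TCP connections per second the poller opens, the worst-case
    burst against one host, and whether the average exceeds the switch's
    threshold. Assumes one TCP connection per check (agent checks such as
    check_nt / NRPE) and checks spread evenly; if every service check for a
    host lands in the same second, that host sees services_per_host SYNs."""
    per_sec = checks_per_hour(hosts, services_per_host, check_interval,
                              interval_length) / 3600.0
    burst_per_host = services_per_host
    return per_sec, burst_per_host, per_sec > syn_threshold_per_sec
```

Feed the parsed normal_check_interval into syn_rate together with your real host count and the threshold configured on the switch; if the average is under the threshold but burst_per_host is over a per-destination limit, spreading checks rather than raising thresholds is the fix to look at.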
