Methodolgy to ID source of DOS attack

Cirrocumulus

Apr 30, 2010

Mmm..... What the BigIP is doing is sending a RST packet because it's recieved a tcp packet for a connection that doesn't exist, and the recieved packet DOES NOT have the SYN flag set... In this respect the F5 is behaving exactly like any other IP host... If an IP stack recieves a packet without the SYN flag set for a connection that doesn't eist in the connection table, the host sends back a RST to tell the sending host that the connection doesn't exist and they need to reset their state.

The best way to diagnose this would IMO be a two parter... First perform a tcpdump looking for RST packets... Sonce the F5 is rate limiting to 250/sec, there should be plenty to see... Have a look at the destination IP... Then perform a tcpdump filtering just on that IP address... You'll then have all the info on what the host is sending (Valid and invalid packets) and what's being sent back.

It's always possible that this is simply due to a genuine fault... One reason I can think of is possibly you just had a failover, and these packets are destined for a VS that doesn't have mirroring enabled.

Forum Discussion

Methodolgy to ID source of DOS attack

Recent Discussions

URL

Big-IP Next 20.2.0-2.375.1+0.0.43 iRule count problem

Problems connecting to vpn after upgrading to ubuntu 24.04

Wildcard SSL Certificate Deployment on F5 LTM

iRule resulting in too many redirects

Related Content

The HTTP/2 CONTINUATION frame attack

ESRP Strategies: DNS Water Torture Attack

Application attack from different source IPs

Juice jacking attack and State-funded attacks - April 15th - 21st - This Week in Security

Real Attack Stories: Bank Gets DDoS Attacked