Manuals / Finisar / Computer Equipment / Network Card

Finisar Surveyor manual TCP SYN Attack, Rate of change of TCP SYN’s=150

Models: Surveyor

1 454

Download 454 pages 42.92 Kb

Page 257

Expert Features 10

Transport Layer

TCP SYN Attack

Counter

The TCP SYN Attack counter increments when a change in the number of SYN requests per second exceeds a threshold. A count of all TCP SYN Attack events displays in the Overview counters of Expert View. A threshold for this counter can be set in Expert Alarms.

Expert Symptom

TCP SYN Attack events are automatically logged as expert symptoms. The Symptom Summary field provides information about the rate of change for SYN requests. For example:

Rate of change of TCP SYN’s=150

The threshold value for the delta of SYN requests per second can be changed. The default is 100 SYN requests per second.

Diagnostic Details

__________________________________________________________________

Problem Description:

The threshold for the number of SYN connections on the segment has been exceeded. There may be a SYN attack.

__________________________________________________________________

Probable Cause(s):

1.An intruder is trying to break into your network.

2.The network is heavily overloaded.

3.Your Web server is under attack.

4.There may be a problem with the receiver’s TCP/IP stack.

5.There may be an overloaded switch or router.

__________________________________________________________________

Recommended Action(s):

1.Load balance your network.

2.If you see all the SYNs going to the same station, you may be under attack.

3.If you see too many SYN requests coming from unknown IP addresses, you need to use a firewall or some other means of authentication.

10-53

Image 257

Finisar Surveyor manual TCP SYN Attack, Rate of change of TCP SYN’s=150

Contents

Surveyor Finisar Software License Agreement Trademarks and CopyrightsLicense TermRestricted Rights Legend Limited Software WarrantyPatent and Copyright Indemnification Limitation of LiabilityCustomer Support FAX Customer Support PhoneInternet Address World-Wide Web Mailing AddressTable of Contents Surveyor Configuring SurveyorViews Resources and ModesCapture and Display Filters Transmit Specification10-1 Alarms10-15 10-58 Multi-QoS 11-1 10-10213-1 12-1Counters UtilitiesPre-Defined Filter Templates Implementation ProfileKeyboard Shortcuts Parser NamesList of Figures 10-1 List of Tables Application Layer Host Table View, Table Column Descriptions 11-21 11-8 Surveyor Introduction Function Description Surveyor FunctionsSurveyor Functions Introduction Protocols Supported Analyzer DevicesFinisar Analyzer Devices Finisar Device DescriptionXNS DECnet Phase AppleTalk Phase2Oracle Suite IPX/SPX Suite Banyan Vines SuiteIBM ISO Capture to Disk and THGsE Analyzer Support Whats New in ReleaseDisk Caching Capture ManagementNew and Enhanced Protocol Decodes Expanded Multi-QoS SupportSmnp Extended Agent Surveyor System Requirements System RequirementsRAM PIIDesktop PC Upgrading SurveyorSupported Analyzer Cards and Network Adapter Cards Installing Surveyor Installing Analyzer Hardware in a Desktop PC Installing Analyzer HardwareInstalling the THGm, Windows NT Installing THGm, Windows 2000/XPInstalling Analyzer Hardware in a Notebook PC Cdrom Installation Installing More Than One Analyzer Card in a Notebook PC Hardware/Software Compatibility Matrix Compatibility MatrixSurveyor Launching Surveyor Surveyor SystemDefault Account Names, Passwords and Privileges Basic Navigation Tips Surveyor Getting Started Module Toolbar Summary View Buttons and ToolbarsSurveyor Toolbar Buttons and Toolbars Detail View Toolbar Getting Started Data Views Toolbar Getting Started Surveyor Design window Filter Design ToolbarFilter States Design Toolbar Surveyor Capture View Toolbar Surveyor Getting Started File Formats Providing a Name Table to Surveyor Establishing Links for THGm Docking Windows Configuring the InterfaceCustomizing Views and Windows Capture View Display Options Configuring Surveyor Histogram Options Setting Histogram ColorsSetting the Histogram Download Size Setting Histogram Zoom FactorSetting the Monitoring View for a Module Choose Monitor View PreferencesTable Views Configuring Chart ViewsHardware Device Properties Module Settings PropertiesModule Setting Default Values Default Module SettingsBuffer Size Packet Slice Slicing SizeNon-Well-Known-Ports Mode Expert Analysis ModeStop-and-Save Capture Buffer ModesMonitor M-QoS Only Mode System SettingsConfiguring Ports to Scan WKP4620RSP Time Out value Configuring Remote CommunicationsProtocol Color Coding Setting Update TimersDisplay Timer Default Value Default Display Timer SettingsDisk Capture Location Disk OptionsCache File Location Configuring Counter Logging Configuring AlarmsHistory Log File Settings and Default Values Log Setting Mmddhhmm.ss Mmmonth ddday hhhour mmminute sssecondConfiguring a Multi-Port Tap or Switch Configuring a Multi-Port Tap or Switch Setting the Local COM Port for Taps and Switches Settings for Analyzer DevicesConnecting a Tap with THGs or THGsE Resetting an Analyzer DeviceUpdating an Analyzer Device Click the Reset Host/Image Upgrade buttonSurveyor.ini File Advanced ConfigurationCustomizing Expert Diagnostic Information Mapping= port num,short name,long name Assigning Names to Protocols MonitorMONITOR.INI Format Short name Port numLong name MONITOR.INI ExamplesMapping=2900,VIDEO,Video Audio Network Communicator Mapping=921,CXP,Company X ProtocolMapping=6063, XWIN6063,X Windows on port Monitoring Well-Known Ports How Surveyor Assigns Protocol Names12. Default Names for Non-WKP UDP Ports 11. Default Names for Non-WKP TCP PortsMonitoring Non Well-Known Ports Name TCP port valuesMapping=port num,ip addr,parser name,name Port num Assigning TCP or UDP Ports to Protocol ParsersIp addr Parser nameParser Names Surveyor Resource Browser Resources and ModesRemote Resources Software SurveyorHost Properties Dialog Box for Establishing an Alias Naming Remote IP Resources AliasesPrivilege Description Resource ProtectionRemote User Privileges Modes Settings option from the ModuleHardware Devices Surveyor Resource Modes Description Resource TypeHardware Device Capabilities Ndis Synchronized ResourcesHardware Device Capabilities Hints and Tips for Resources Surveyor Views Static Data Tab Description/Action Summary ViewModule Window Tabs Within Summary View Vlan Detail ViewDetail View Using Capture + Monitor Mode in Detail View Summary Pane Capture ViewCapture View Window Creating Filters from Capture View Configuring the Capture View DisplayExporting and Printing Decodes Display OptionsOther Options Histogram OptionsHistogram Display and Button Controls Histogram Color CodingViews Histogram Display Showing Colors Histogram Display, Large Capture Example Histogram Default ColorsHistogram Button Controls Sizing/Selecting Areas with the Mouse Histogram Mouse ControlsSaving Portions of the Data Right Mouse Options in the HistogramLine Graph or Stair Step Linear Scale or Logarithmic ScaleResume Analysis Packet EditorPacket Editor Buttons Button Description/ActionEditing in Decode View Data ViewsEditing in Hex View Ring Statistics View Token Ring OnlyMAC Statistics View Capture MAC Statistics View RxFrame Size Distribution View MAC Statistics View TxProtocol Distribution View ChartChart Button Description/Action Protocol Distribution View, Chart Buttons ProtocolsProtocol Distribution View, Chart Buttons Packets NETProtocol Distribution View, Graph Type Buttons Utilization/Error ViewDisplay Button Description/Action 10. Protocol Distribution View, Table Column Descriptions11. Host Table View, Table Column Descriptions Host Table ViewNetwork Layer Host Table View 12. Network Layer Host Table View, Table Column Descriptions Application Layer Host Table View Host Matrix View 14. Host Matrix View, Table Column Descriptions 15. Network Layer Matrix View, Table Column Descriptions Network Layer Matrix ViewApplication Layer Matrix View Vlan 16. Application Layer Matrix View, Table Column DescriptionsVlan View Table Column Description Address Mapping View17. Vlan View, Table Column Descriptions 18. Address Map View, Table Column Descriptions Duplicate Address View Expert plug-in only19. Duplicate Address View, Table Column Descriptions Vlan IDMulti-QoS View Multi-QoS software only Expert View Expert plug-in onlyApplication Response Time View Expert plug-in only Hints and Tips for Using Views Surveyor Filter Design window Getting Started with the Filter InterfacePress the Create/Modify Capture Filter Available Filter Templates box Creating Filters with Filter TemplatesAdd Port Numbers to Custom Filter Templates Sample Filter Design window is shown below Protocol and Frame Type Creating and Applying a ConversationStation Addresses ISL, Q+EV2Apply Conversation to Template Check Box Traffic Direction IndicatorSelecting Filter Templates Creating and Applying a Port NumberDefining Port Numbers Conversation Element DescriptionCustom Templates Based on Pre-Defined Templates Multiple Byte Patterns in Filter TemplatesCreating Custom Filter Templates Custom Templates Based on Specification of Byte Patterns Entering Values that Cross Byte Boundaries Bit-Level Filtering Creating Filter Template Combinations Filter CreationOperator Buttons for Template Combinations Description Filter ActionsNot Template Combination boxCapture Filter Actions Actions for Capture FiltersAction Description Packets until the buffer is %% full fieldDisplay Filter Actions Actions for Display FiltersCounter Conditions for Filters Frame Types Global Values that Affect Capture Filter ActionsCapture Filter Global Values Capture Filter Global DescriptionFrame types are shown in Table Multi-State and Multi-Statement FiltersExample Filter States Design Window Filter Structure GoTo Current State Filter StatesChanging States Changing Filter Operation Filter Statements Activating Capture Filters Capture and Display Filter DifferencesActivating Display Filters Filter Example, Capture Conversation Filter ExamplesSurveyor Filter Design Window, Template Combination Example Filter Example, Template CombinationSurveyor Filter Design Window, Capture TCP Port Example Filter Example, Capture TCP Port TrafficSurveyor Advanced Filter, Filter States Design Window Filter Example, Advanced FilterRules of the Capture or Display Filter Hints and Tips for Using Filters Filtering Tips Unique to THG-class Devices Transmit Specifications Transmit SpecificationDefined Streams List Box Transmit Specification Dialog BoxRadio Buttons and Fields for Defining a Stream Transmit Specification Control Buttons Transmission Mode and Status ControlsStream Buttons Stream Function ButtonsRepeating Frames Transmit Specification Control ButtonsControl Button Transmit Specification Function Surveyor Stream Modes Stream Mode Rate SettingBursts Stream ModesPacket Editor Transmission ModeSpecifying Transmit Data Packet Editor Button Editing Function Changing Fields Directly in the Dialog BoxPacket Type DA and SA FieldsPacket Size Data FieldCreating Templates Using TemplatesTransmitting Capture Files Transmit Specification ExamplesTransmit Specification Example, Packet Gaps Transmit Specification Dialog Box, Bursts Transmit Specification Example, BurstsHints and Tips for a Transmit Specification Surveyor Alarms Current Module Alarms Current Module AlarmsAlarms Mqos Alarm EditorAlarm Editor Description Multi-QoS Alarms Data Link Layer, Ethernet Expert AlarmsTransport Layer YES Using Alarms with Different DevicesThresholds and Alarms Alarm Actions Description Support by Host Type Alarm ActionsMail Settings Log File SettingsAlarm Actions SettingsSnmp Trap Settings Pager SettingsTrap Settings for THGs Trap Settings for Surveyor Hosts Hints and Tips for Alarms Viewing the Alarm List and the Alarm LogAlarm Example, Utilization Alarm ExamplesAlarm Example, MAC Errors Alarm Example, MAC ErrorsAlarm Example, Frame Size Alarm Example, Frame SizeAlarm Example, Call Jitter and Call Setup Time Alarm Example, VoIP Calls10. Alarm Example, Expert and Application Response Alarm Example, Expert and Application ResponseSurveyor Expert Features Getting Started with Expert View Expert System ViewsApplication Response Time View Duplicate Network Address ViewExpert Features Expert Overview Details Expert Overview Detail Table Example Layer Description Expert LayersExpert Application Layer Example 10-8 Expert Symptoms and Analyses by Layer Expert Analyses Tables in the Detail Area for Symptoms Expert Symptoms, Analyses, and Network EntitiesSymptoms Entities AnalysesTables in the Detail Area for Analyses Entities for the Transport Layer Example Network Lists for Entities Application/Session Lists for EntitiesTransport Lists for Entities Data Link Lists for Entities Expert Diagnosis Example Expert Diagnostic MessagesWorking with the Expert System Configuring the Expert SystemSetting Expert Alarms Module Settings for the Expert SystemWorking with Timestamps Exporting Expert DataPrinting Expert Data Working with Analyzer Devices Application Response TimeRate of change of SMB Mailslot Broadcasts=40 Application LayerExcessive Mailslot Broadcasts Login attempts=4 FTP Login AttemptsExpert Symptom Time passed since last announcement=4000 ms 3000 ms Missed Browser AnnouncementBetween 00000010.0207012303E3 and 302A9950.000000000001 NCP File RetransmissionNCP Read/Write Overlap Requests denied within 100 ms=5 NCP Request DeniedLoops on same request in 100 ms NCP Request LoopRate of change of NCP Server Busy=5 NCP Server BusyFile retransmission ratio is 8 / 28 = 28% NCP Too Many File RetransmissionsRequests denied ratio is 8 / 28 = 28% NCP Too Many Requests DeniedRequests loops ratio is 8 / 28 = 28% NCP Too Many Request LoopsNFS Retransmissions Http Post request not responded No Http Post ResponseSmtp server not responded No Server ResponseSlow Http GET response=3608 ms 2000 ms Slow Http GET ResponseSlow Http Post response=2918 ms 2000 ms Slow Http Post ResponseSlow FTP server connect=298 ms 200 ms Slow Server ConnectSlow Smtp server response=1258 ms 1000 ms Slow Server ResponseInvalid network name in tree connect SMB Invalid Network NameInvalid password SMB Invalid PasswordWins request not responded within 1000 ms Session LayerNo Wins Response Slow TNS server connect=298 ms 200 ms TNS Slow Server ConnectSlow TNS server response=238 ms 200 ms TNS Slow Server ResponseIdle Too Long Transport LayerStation 206.250.228.11 not responding Non Responsive StationSA=206.250.228.69 DA=206.250.228.11 TCP Checksum ErrorsTCP Fast Retransmission TCP Frozen Window 10-48 TCP Long Ack Acknowledgement number is less than the one before TCP Repeat AckTCP Retransmissions TCP RST Packets Rate of change of TCP SYN’s=150 TCP SYN AttackData length of 128 bytes exceeds last window size TCP Window ExceededCount Between 206.250.228.69/TCP/IP WKP1988 206.250.228.11/SMTP TCP Window ProbeExpert Diagnosis TCP Zero WindowRetransmission ratio is 49 / 50 = 98% Too Many RetransmissionsAddr=206.250.228.67 Network LayerDuplicate Network Address SA=206.250.226.11 DA=206.250.228.69 Hsrp CoupHsrp Errors Hsrp Resign Parameter Problem Icmp All ErrorsDestination Unreachable Source Quench RedirectIcmp Bad IP Header Cannot be reached by SA=206.250.228.11 DA=206.250.228.69 Icmp Destination Host Access DeniedIcmp Destination Host Unknown Icmp Destination Network Access Denied Icmp Destination Network Unknown Icmp Destination Unreachable 10-69 Icmp Fragment Reassembly Time Exceeded Icmp Fragmentation Needed D/F set Icmp Host Redirect Icmp Host Redirect for TOS Icmp Host Unreachable Icmp Host Unreachable for TOS Addr=206.250.228.69. Subnet mask=255.255.255.240 Icmp Inconsistent Subnet MaskIcmp Network Redirect Icmp Network Redirect for TOS Icmp Network Unreachable Icmp Parameter Problem Icmp Port Unreachable Icmp Protocol Unreachable Icmp Redirect Icmp Required IP Option Missing Icmp Source Quench Icmp Source Route Failed Icmp Time Exceeded Icmp Time to Live Exceeded Addr=255.255.255.255 Illegal Network Source AddressIP Checksum Errors TTL=1 SA=206.250.228.69 and DA=206.250.228.11 IP Time to Live ExpiringISL BPDU/CDP Packets Vlan ID=1036 ISL Illegal Vlan IDOspf Broadcasts RIP Broadcasts Rate of change of Router Broadcasts=5 Router StormAddr=255.23.252.6 Same Network AddressesSAP Broadcasts Total Router Broadcasts Rate of change of Topology=10 Unstable MSTAddr=0.0.0.0 Zero Broadcast AddressBad Frames MAC LayerRate of change of Bcast/Mcast Packets=500 Broadcast/Multicast StormsCRC Frame counter CRC error with more than 63 bytesRate of change of ARP Requests=20 Excessive ARPRate of change of Bootp/Dhcp Requests=25 Excessive BootpExcessive Broadcasts Excessive Collisions Excessive Multicasts Fragment Frame CRC error with less than 64 bytesAddr=FFFFFFFFFFFF Illegal MAC Source AddressJabber Frame CRC error with more than 1518 bytesUtilization=42% Network OverloadNew MAC Stations Oversized frame has more than 1518 bytes Oversized FrameOverload Frame Rate Overload Utilization Percentage Rate of change of Errors=450 Physical ErrorsRunt frame has less than 64 bytes Runt FrameAddr=00800F13A65B Same MAC AddressesTotal MAC Stations Hints and Tips for Expert Features Configuration dialog box Summary of Expert Counters and SymptomsResponse Time Alarm editor Summary of Expert Features Summary of Expert Features TOS ISL BPDU/CDP Surveyor TCP RST Surveyor Multi-QoS Protocols Supported by Multi-QoS Using Multi-QoS with Analyzer HardwareMulti-QoS User Interface Overview Channel View Table Call Summary Range TableAll Calls Table Summary Range Graphs Surveyor and Rtcp Jitter ValuesCall Tables for a Specific Range Call Details for a Single CallMulti-QoS Configuration Configuring Multi-QoSRefresh Options MQoS Window Management Alarm Log Monitor OnlyProtocol Type Timeout Value Call Filtering with Multi-QoS Multi-QoS Performance OptimizationRed Phone All Calls TableH323 All Calls Table Field Descriptions Field Descriptions for All Calls TableCall Range Graphs and Summaries Call Jitter, Call Rtcp Jitter, Call Setup TimeMulti-QoS Configuration, Call Jitter Ranges Multi-QoS Packets Dropped Graph Example Dropped Packets, Rtcp Dropped PacketsMulti-QoS Configuration, Packets Dropped Call Range Summary Field Descriptions Field Descriptions for Call Range SummariesVQMon Metrics Multi-QoS R-factor Example Ranges for R-factors Network R-factor User R-factor Multi-QoS Configuration, R-factor Ranges10. Multi-QoS Utilization Graph Example Utilization Graph11. Example Call Details Window H.323 Field Descriptions for Call DetailsFID Sccp Call Field DescriptionsField Name Description H.323 Call Field DescriptionsSIP Call Field Descriptions Field Name 10. Unknown Call Field Descriptions Channel Table Details12. Channel Table Example 11. H.323, SIP, or Unknown Channel Table Column Descriptions Multi-QoS 12. Sccp Channel Table Column Descriptions Playback PCMU/PCMA Data Filtering on Single ChannelsCall Playback Customizing All Calls or Range Summary Tables Customizing Multi-QoS Table Displays14. Multi-QoS Channel Table View Options, Sccp Example Customizing Channel TablesChoose Export Multi-QoS Data... from the File menu Exporting Multi-QoS DataExporting All Multi-QoS Data to CSV Format Exporting a Single Multi-QoS Table to CSV Format 11-34 Counter Type Description Packet CountersMAC Layer Counter Types Custom Counters Error CountersCounters Last frame received Expert Counters Network Unknown, Destination Host Unknown, Destination Net Overload Utilization Percent Surveyor Counter Log File Overview Multi-QoS CountersLog Directory Structure Utilities Name Table Utility Utilities Building a Name Table From the Network NIS2NAM output-name-table NIS-to-Name Table Conversion UtilityInternet Advisor Translator Utility Sniffer Translator UtilityGet Version Information Utility Sniffer Translator Utility, Tool Menu OptionsFrom the Tools menu, choose Merge Histogram Files Convert Capture Files to Histogram FilesMerge Histogram Files Logging Utilities Extract Frames From a File Using a FilterExport Utilities Exporting PacketsExporting to Optimal CSV Format Exporting Tables to CSV Format or Graphs to a BitmapChoose Export to Optimal Performance from the File menu Exporting Counter Log Files to Excel13-11 13-12 How Resources Use Buffers BuffersTable A-1. Buffer Types Used By Surveyor Buffer Type DescriptionResource Buffer Usage Table A-2. Resource Use of BuffersTable A-4. Hardware Transmit Functions Hardware DependenciesTable A-3. Hardware Real-Time Functions Table A-6. Hardware Connectivity Table A-5. Hardware Capture FunctionsCaptured Packets About Ndis ModeCapture Rate / Transmit Speed CountersSet Capture Buffer and Packet Slicing Size Ndis Configuration OptionsSetting the Interface Filter Templates Pre-Defined Filter TemplatesMacdabroadcast ARPHEX Fffffffffff MacdamulticastIcmp EigrpIgmp DECSAP IPX RIP IPXRsvp FTP DNS TCPHttp ImapSmtp SccpTCP TelnetDNS UDP DhcpMgcp UDP NB-DATAGRAMRIP UDP NTPSIP SnmpHEX DsapHEX F0F0 HEX E0E0 NmpiHEX AAAA03 SnapSnaparp SnapcdpIsldns TCP IslarpIsleigrp IslftpHEX Ffffffffffff IslldapHEX 01005EFFFFFF Islmgcp TCPIslssp IslsmtpIsltcp IsltelnetHEX 0B HEX 0CHEX 0D HEX 0F HEX 2AHEX 0E Nonmac Function Keys Keyboard ShortcutsStandard and Navigational Keys Keyboard Shortcuts Surveyor Table D-1. Parser Names, DLC Suite Recognized Parser NamesParser Name Protocol Table D-2. Parser Names, Applications and OthersTable D-4. Parser Names, Banyan Suite Table D-3. Parser Names, Apple Talk SuiteParser Name Protocol Name Table D-7. Parser Names, Fujitsu Suite Protocol Name Table D-5. Parser Names, Cisco Suite Protocol NameTable D-6. Parser Names, DECnet Suite Protocol Name Table D-9. Parser Names, Internet Suite Table D-8. Parser Names, IBM SuiteTable D-9. Parser Names, Internet Suite Protocol Name Table D-11. Parser Names, Netware Suite Table D-10. Parser Names, Internet Next Generation SuiteTable D-13. Parser Names, XNS Suite Protocol Name Table D-12. Parser Names, PPP Suite Protocol NameTable D-15. Parser Names, ITU Codecs Table D-14. Parser Names, H.323 SuiteTable D-19. Parser Names, VPN Suite Protocol Name Table D-17. Parser Names, Other Multimedia Protocol NameTable D-18. Parser Names, Intel Suite Protocol Name Surveyor Glossary Alarm Browser Avvid Capture Mode Dram Expert View Log Files Ndis NIS Pause Sccp Token Error Transmit Specification WKP Index Index-2 Index Index-4 Index-5 Index-6 Index-7 Index-8 Index-9 Index-10 Index-11 Index-12 Index-13 Index-14