Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2165
  • Last Modified:

Checking for half open connections

Hi,

This is really an extension of my previous post. I managed to track down the issue behind high cpu utilization, which was indeed caused by a worm. The worm caused a lot of hosts to open and terminate connections to our servers, leaving them in the TIME_WAIT state. Some hosts had opened thousands of connections to the servers.

How do I track down these half-closed connections on the firewall? A "show conn " gives out a lot of detail. What do I need to look for?

Second question.

While I was trying to track down the infected hosts using a sniffer, a vendor suggested that I use the MSFC on the core switch as a source and filter it on the specific VLAN. How is this different from port mirroring?

The commands I used were

MSFC sniffing ----> set span (msfc) (destination port) filter (vlan_number)
Port sniffing   ----> set span (vlan_number) (destination port)

Each of these methods threw up a completely different set of statistics. What is the difference?
0
fullerms
Asked:
fullerms
  • 3
  • 2
1 Solution
 
ahoffmannCommented:
any statefull inspection firewall should manage this automatically, or better give some options like timeouts to close them.
On the other side, it depends on the implementation of your TCP/IP stack on the effected server how it handles such sockets, most likely the OS provides a timeout for such sockets in TIME_WAIT state too.
0
 
fullermsAuthor Commented:
Agreed. The firewall does have timeouts values for half open connections.

My question is, how do I check for half open connections on the firewall? At any given point of time, the firewall is handling 3 times the normal number of connections. We need information on half open connections to track down the offending IPs. How do I go about this?
0
 
ahoffmannCommented:
> ..  how do I check for half open connections on the firewall?
read your docs of the firewall. There is no general answer, it's specific to your firewall.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
fullermsAuthor Commented:
The firewall is a Cisco Pix v 6.3(3).
0
 
fullermsAuthor Commented:
I wouldn't like to be called a miser, but I feel that a refund would be more appropriate. I did not get the answer that could have helped me.
0
 
VenabiliCommented:
You were pointed in the right direction what to read. You never said if you checked your documentation...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now