?
Solved

Checking for half open connections

Posted on 2004-08-08
8
Medium Priority
?
2,158 Views
Last Modified: 2007-12-19
Hi,

This is really an extension of my previous post. I managed to track down the issue behind high cpu utilization, which was indeed caused by a worm. The worm caused a lot of hosts to open and terminate connections to our servers, leaving them in the TIME_WAIT state. Some hosts had opened thousands of connections to the servers.

How do I track down these half-closed connections on the firewall? A "show conn " gives out a lot of detail. What do I need to look for?

Second question.

While I was trying to track down the infected hosts using a sniffer, a vendor suggested that I use the MSFC on the core switch as a source and filter it on the specific VLAN. How is this different from port mirroring?

The commands I used were

MSFC sniffing ----> set span (msfc) (destination port) filter (vlan_number)
Port sniffing   ----> set span (vlan_number) (destination port)

Each of these methods threw up a completely different set of statistics. What is the difference?
0
Comment
Question by:fullerms
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
8 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 80 total points
ID: 11750291
any statefull inspection firewall should manage this automatically, or better give some options like timeouts to close them.
On the other side, it depends on the implementation of your TCP/IP stack on the effected server how it handles such sockets, most likely the OS provides a timeout for such sockets in TIME_WAIT state too.
0
 
LVL 6

Author Comment

by:fullerms
ID: 11750479
Agreed. The firewall does have timeouts values for half open connections.

My question is, how do I check for half open connections on the firewall? At any given point of time, the firewall is handling 3 times the normal number of connections. We need information on half open connections to track down the offending IPs. How do I go about this?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11751154
> ..  how do I check for half open connections on the firewall?
read your docs of the firewall. There is no general answer, it's specific to your firewall.
0
Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

 
LVL 6

Author Comment

by:fullerms
ID: 11751563
The firewall is a Cisco Pix v 6.3(3).
0
 
LVL 6

Author Comment

by:fullerms
ID: 15898269
I wouldn't like to be called a miser, but I feel that a refund would be more appropriate. I did not get the answer that could have helped me.
0
 
LVL 20

Expert Comment

by:Venabili
ID: 15898337
You were pointed in the right direction what to read. You never said if you checked your documentation...
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses
Course of the Month13 days, 12 hours left to enroll

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question