Security, WIDS/WIPS and Aruba ECS

Contributor I

Blacklist problem

Hi,

We have some problems with users being blacklisted.
The laptop is working normally and free of viruses, but the system is blacklisted periodically, and the reason is "syn-flood".
The firewall configuration is:
Monitor ping attack Enabled 10/sec
Monitor TCP SYN attack Enabled 100/sec
Monitor IP sessions attack Enabled 140/sec

The log says that the PC is blacklisted:
Feb 1 17:39:27 :124006: |authmgr| {2592855} TCP srcip=x.x.x.x srcport=59402 dstip=209.85.147.133 dstport=80, action=blacklist, policy=Monitor TCP SYN attack

I don't know why it is doing it.
Any ideas?

Regards
Aruba Employee

Re: Blacklist problem

Is it always the same users? It looks like they are browsing to Google, do they have some plug-in installed on their browser that's doing something funny?

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Contributor I

Re: Blacklist problem

He is only working with Google Earth. The case is always with the same PC.
I can't see any way to resolve it.
Sometimes, users are blacklisted for a virtual machine running on the PC or multiple downloads, but now I can't see a reason for it.

Thanks
Aruba Employee

Re: Blacklist problem

The problem is that, to the system, it looks like a SYN flood attack (http://en.wikipedia.org/wiki/SYN_flood). You either need to adjust the value to be higher or disable the feature if it's causing you trouble...

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
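
Added example, not part of the original thread and not Aruba code: a small Python triage script that parses authmgr blacklist lines in the format quoted in the first post and groups them by client, policy and destination, to answer "is it always the same users?" before raising a threshold. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the authmgr line format quoted in the first post; the number in braces is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+:(?P<msgid>\d+):\s+\|authmgr\|\s+\{\d+\}\s+"
    r"(?P<proto>\w+)\s+srcip=(?P<srcip>\S+)\s+srcport=(?P<srcport>\d+)\s+"
    r"dstip=(?P<dstip>\S+)\s+dstport=(?P<dstport>\d+),\s*action=(?P<action>\w+),"
    r"\s*policy=(?P<policy>.+?)\s*$"
)

# Constructed sample lines using documentation address ranges, not real controller output.
SAMPLE_LOG = """\
Feb 1 17:39:27 :124006: |authmgr| {1001} TCP srcip=192.0.2.10 srcport=59402 dstip=198.51.100.7 dstport=80, action=blacklist, policy=Monitor TCP SYN attack
Feb 1 18:42:03 :124006: |authmgr| {1002} TCP srcip=192.0.2.10 srcport=60111 dstip=198.51.100.7 dstport=80, action=blacklist, policy=Monitor TCP SYN attack
Feb 2 09:05:51 :124006: |authmgr| {1003} TCP srcip=192.0.2.44 srcport=51200 dstip=203.0.113.9 dstport=443, action=blacklist, policy=Monitor IP sessions attack
Feb 2 09:06:00 :199999: |authmgr| some unrelated message
Feb 2 11:17:30 :124006: |authmgr| {1004} TCP srcip=192.0.2.10 srcport=61877 dstip=198.51.100.8 dstport=80, action=blacklist, policy=Monitor TCP SYN attack
"""


def parse_line(line):
    """Return the fields of one blacklist line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Group blacklist events by source IP: event count, policies hit, destinations."""
    summary = defaultdict(lambda: {"count": 0, "policies": Counter(), "dests": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "blacklist":
            entry = summary[rec["srcip"]]
            entry["count"] += 1
            entry["policies"][rec["policy"]] += 1
            entry["dests"][f'{rec["dstip"]}:{rec["dstport"]}'] += 1
    return dict(summary)


def repeat_clients(summary, min_events=2):
    """Clients blacklisted at least min_events times, most frequent first."""
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= min_events]
    return sorted(hits, key=lambda x: -x[1])


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print([(ip, n, dict(report[ip]["dests"])) for ip, n in repeat_clients(report)])
```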