Security, WIDS/WIPS and Aruba ECS

Contributor I
Posts: 25
Registered: ‎06-30-2009

Blacklist problem

Hi,

We have some problems with users being blacklisted.
The laptop is working normally and free of viruses, but the system is blacklisted periodically, and the reason is "syn-flood".
The firewall configuration is:
Monitor ping attack Enabled 10/sec
Monitor TCP SYN attack Enabled 100/sec
Monitor IP sessions attack Enabled 140/sec

The log says that the PC is blacklisted:
Feb 1 17:39:27 :124006: |authmgr| {2592855} TCP srcip=x.x.x.x srcport=59402 dstip=209.85.147.133 dstport=80, action=blacklist, policy=Monitor TCP SYN attack

I don't know why it is doing it.
Any ideas?

Regards
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Blacklist problem

Is it always the same users? It looks like they are browsing to Google, do they have some plug-in installed on their browser that's doing something funny?

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Contributor I
Posts: 25
Registered: ‎06-30-2009

Re: Blacklist problem

He is only working with Google Earth. The case is always with the same PC.
I can't see any way to resolve it.
Sometimes users are blacklisted for a virtual machine running on the PC or multiple downloads, but now I can't see a reason for it.

Thanks
Aruba Employee
Posts: 455
Registered: ‎04-02-2007

Re: Blacklist problem

The problem is that, to the system, it looks like a SYN flood attack (http://en.wikipedia.org/wiki/SYN_flood). You either need to adjust the value to be higher or disable the feature if it's causing you trouble...

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
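
Before raising or disabling the threshold, it helps to see which clients and destinations keep triggering the rule. The following is an added example, not part of the original thread and not Aruba tooling: it parses log lines in the format quoted in the first post and tallies blacklist events per client. The sample lines, their addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches the authmgr line format quoted in the first post of this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+:\d+:\s+\|authmgr\|\s+\{\d+\}\s+"
    r"(?P<proto>\w+)\s+srcip=(?P<src>\S+)\s+srcport=(?P<sport>\d+)\s+"
    r"dstip=(?P<dst>\S+)\s+dstport=(?P<dport>\d+),\s*"
    r"action=(?P<action>[\w-]+),\s*policy=(?P<policy>.+?)\s*$"
)

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LOG = """\
Feb 1 17:39:27 :124006: |authmgr| {2592855} TCP srcip=192.0.2.10 srcport=59402 dstip=198.51.100.5 dstport=80, action=blacklist, policy=Monitor TCP SYN attack
Feb 1 18:02:11 :124006: |authmgr| {2592901} TCP srcip=192.0.2.10 srcport=60110 dstip=198.51.100.5 dstport=80, action=blacklist, policy=Monitor TCP SYN attack
Feb 2 09:15:40 :124006: |authmgr| {2593444} TCP srcip=192.0.2.22 srcport=51000 dstip=203.0.113.9 dstport=443, action=blacklist, policy=Monitor IP sessions attack
some unrelated line that should be skipped
"""

def parse_line(line):
    """Return the fields of one authmgr firewall line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize_blacklists(text):
    """Group blacklist events by source IP, counting policies and destinations."""
    summary = defaultdict(lambda: {"count": 0, "policies": Counter(), "dests": Counter()})
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or ev["action"] != "blacklist":
            continue  # skip unrelated lines and non-blacklist actions
        entry = summary[ev["src"]]
        entry["count"] += 1
        entry["policies"][ev["policy"]] += 1
        entry["dests"][f'{ev["dst"]}:{ev["dport"]}'] += 1
    return dict(summary)

def repeat_offenders(summary, min_events=2):
    """Clients blacklisted at least min_events times: candidates for closer inspection."""
    return sorted(ip for ip, e in summary.items() if e["count"] >= min_events)

if __name__ == "__main__":
    result = summarize_blacklists(SAMPLE_LOG)
    for ip in repeat_offenders(result):
        e = result[ip]
        print(ip, e["count"], dict(e["policies"]), dict(e["dests"]))
```

A client that is repeatedly blacklisted under the same policy toward the same well-known destination, as in the thread, points to a threshold that is too low for that application rather than to a compromised host.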