
Sonicwall NSA 5600 going down when connection limit per source IP hit

Hi,


We have a pair of SonicWall NSA 5600 that are configured in Active/Standby.

Recently we had some IPs in our datacenter that started causing TCP SYN attacks and we decided to limit the number of open connections per source IP they can have.


We have observed that when two source IPs hit that limit, the SonicWall starts dropping traffic from all the other, unrelated IPs. These are the logs we see:


Packet dropped; connection limit for this source IP address has been reached

Source IP address connection status: Connections at 90 percent

Possible SYN Flood on IF X12 - src: xxxxxx dst: yyyyyy



Is this an expected behavior? Can anyone advise us on this matter?


Thanks in advance,

Category: High End Firewalls

Answers

  • Saravanan, Moderator

    Hi @FELART45,

    Thank you for visiting SonicWall Community.

    Yes, this would be an expected behavior if you have configured the access rule with specific Source IP address and Service set to Any. To overcome it, please specify the Service on the access rule based on the flooded port. This should do the trick.

    HTH. Let me know how it goes.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • felart45, Newbie ✭

    We are not specifying any particular IP, since we want the limit to apply to all IPs that hit the threshold.



  • TKWITS, Cybersecurity Overlord ✭✭✭

    That's your problem: you're not limiting the access rule to only the traffic in question.

  • felart45, Newbie ✭

    The traffic in question can come from any source IP, we don't know in advance when someone will initiate an attack, that's why the rule is applicable to any IP.

  • Saravanan, Moderator

    Hi @FELART45,

    Thanks for the screenshot. I would say this is the firewall's expected behavior for the scenario to drop further connections post the defined value on the access rule.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Colleague of @felart45 here taking over for the next few days...

    So, in summary, since Any Service and Any IP is selected on that access rule, then if any single IP on our network hits the connection limit, then all further connections from all IPs are dropped, correct?


    A bit counter-intuitive to me as well, so @felart45 is not alone here :D In any case, in order to mitigate connections we should then select a specific service which will be limited. But will we not just run into the same issue, just with that specific service? Say we choose DNS as the service and Any IP and a limit of 1000. Then if a single IP in our network hits that cap, no other IPs would be able to perform DNS queries?


    What is the correct way to simply limit the number of connections to, well, anything, from a single IP in order to mitigate network scanning, SYN floods, runaway network discovery and things of that nature? I'm personally still not understanding this rule editor / interface and I'm hoping you can explain this a bit better. Thanks!

  • TKWITS, Cybersecurity Overlord ✭✭✭
    edited March 19

    Think about what you are enabling. You have a rule (screenshotted) that says Any traffic from Any IP address (Source) in the DMZ can go to Any IP address using Any service (Destination) in the WAN.

    Since you are not specifying a Source IP (Any) address in the rule, enabling the connection limit will apply to ANY (meaning all) connections that the rule handles.

    If you were to specify a single Source IP (or group, or range) in the access rule, then enabling the connection limit will apply only to the connections from the specified source (or sources) that the rule handles.

    I can agree that the wording makes it sound like what you think it is.

    While that KB is dated, as there are newer OS versions now, there are also TCP flood protection settings that you can use.

    Also, you might consider playing with the 'Number of connections allowed (% maximum connections)' option. Letting a single rule take up 100% of your possible total connections is just a recipe for an issue.

    Hope that helps, and good luck with that datacenter!
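    To make the scoping point above concrete, here is a small Python model of an access-rule connection limit as TKWITS describes it: the limit is counted over every connection the rule matches, so a rule whose Source is Any shares one budget across all hosts, while a rule scoped to one source budgets only that host. This is an added illustration, not code from the thread or from SonicWall; the rule fields, the first-match lookup, the host addresses, the device maximum and the percentage limit are all constructed assumptions.

```python
"""Toy model of an access-rule connection limit that is counted over all the
connections the rule matches (the behaviour TKWITS explains in the thread).
Added illustration, not SonicWall code: rule fields, addresses, limits and
the first-match lookup are constructed assumptions."""

import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessRule:
    name: str
    sources: list                 # ip_network objects; an empty list means Source = Any
    service: str                  # a service name, or "any"
    limit_pct: Optional[float]    # 'Number of connections allowed (% maximum connections)', or None
    active: dict = field(default_factory=dict)  # per-source count of connections this rule admitted

    def matches(self, src: str, service: str) -> bool:
        ip = ipaddress.ip_address(src)
        src_ok = not self.sources or any(ip in net for net in self.sources)
        return src_ok and self.service in ("any", service)

    def counted(self) -> int:
        # Every connection the rule handles counts against it, whatever its source.
        return sum(self.active.values())


class Firewall:
    def __init__(self, rules, device_max_connections: int):
        self.rules = rules
        self.device_max = device_max_connections

    def rule_limit(self, rule: AccessRule) -> Optional[int]:
        # The per-rule limit is a percentage of the device-wide maximum.
        if rule.limit_pct is None:
            return None
        return int(self.device_max * rule.limit_pct / 100)

    def open_connection(self, src: str, service: str):
        """First matching rule decides; returns (rule name, 'allowed' | 'dropped')."""
        for rule in self.rules:
            if not rule.matches(src, service):
                continue
            limit = self.rule_limit(rule)
            if limit is not None and rule.counted() >= limit:
                return rule.name, "dropped"   # rule budget exhausted, no fall-through
            rule.active[src] = rule.active.get(src, 0) + 1
            return rule.name, "allowed"
        return None, "dropped"                # no rule matched: default deny


def run(rules, attempts, device_max=1000):
    fw = Firewall(rules, device_max)
    return [(src, svc) + fw.open_connection(src, svc) for src, svc in attempts]


ANY = []
A, B, C = "10.0.0.11", "10.0.0.12", "10.0.0.13"   # constructed DMZ hosts


def scenario_any_source():
    """Source = Any with a 1% limit (10 of 1000): A and B fill the shared budget, C is locked out."""
    rules = [AccessRule("dmz-to-wan", ANY, "any", limit_pct=1.0)]
    attempts = [(A, "dns")] * 5 + [(B, "https")] * 5 + [(C, "dns")]
    return run(rules, attempts)


def scenario_scoped_source():
    """Same limit, but the limited rule names A only; an unlimited catch-all follows it."""
    rules = [
        AccessRule("limit-A", [ipaddress.ip_network("10.0.0.11/32")], "any", limit_pct=1.0),
        AccessRule("dmz-to-wan", ANY, "any", limit_pct=None),
    ]
    attempts = [(A, "dns")] * 11 + [(B, "https")] * 5 + [(C, "dns")]
    return run(rules, attempts)


def verdicts_for(results, src: str):
    return [verdict for s, _svc, _rule, verdict in results if s == src]


if __name__ == "__main__":
    for label, res in (("Source=Any", scenario_any_source()),
                       ("Source=A only", scenario_scoped_source())):
        print(label)
        for host in (A, B, C):
            print(f"  {host}: {verdicts_for(res, host)}")
```

    The first scenario is the situation in the original post: two hosts consume the rule's budget and an unrelated third host is dropped. Changing the rule's service from "any" to "dns" only shrinks the shared budget to DNS, which is the colleague's concern; scoping the Source (or putting the limited rule for a known-noisy host ahead of the catch-all) is what keeps one host's exhaustion from affecting the others in this model.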

  • Saravanan, Moderator

    Hi @ARNIJOHANNESSON,

    You are absolutely right with all your questions. If you want to mitigate security violations, please make sure the configuration prescribed in the KB article below is in place.

    Hope this helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
