debug packet syntax error hosed my PIX?

Discussion in 'Cisco' started by googlenews@claireandjoe.com, Feb 6, 2006.

  1. Guest

    This is insane....we thought our network was being DDoS'ed today with
    half-open SYN connections to all our webservers, but reviewing
    syslogs just before things went haywire it looks like we may have
    DoS'ed ourselves with bad syntax in the "debug packet" command.

    Syslog shows some valid debug packet:

    debug packet outside dst 192.168.1.1

    then there's this one:

    debug packet outside dst 69..0 netmask 255.255.255.0

    Yes, "69..0 netmask 255.255.255.0"

    CPU almost immediately went to 99%, and our IDSes showed a bunch of
    half-open SYN connections.

    I'm afraid to test this in production again, but has anyone seen this
    before? Any comments (aside from the usual: check your syntax,
    Stupid)? :)

    Joe
     
    , Feb 6, 2006
    #1
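As an added illustration (not from the original post or from Cisco), here is a small defender-side checker that scans firewall command-audit syslog lines for `debug packet` commands and lints their arguments before anyone has to discover a typo the hard way. The syslog line format below is constructed and only loosely modelled on PIX command-audit messages; the `debug packet` grammar it checks (interface, then `src`/`dst` with optional `netmask`, `proto icmp|tcp|udp`, `sport`/`dport`, `rx|tx|both`) is assumed from the PIX 6.x command reference and may differ on other releases.

```python
import ipaddress
import re

# Constructed sample syslog lines (not the original poster's syslog); the
# message prefix and the "executed the '...' command" wording are assumed.
SAMPLE_SYSLOG = """\
Feb  6 2006 14:02:11 pix-fw %PIX-5-111008: User 'joe' executed the 'debug packet outside dst 192.168.1.1' command.
Feb  6 2006 14:02:40 pix-fw %PIX-5-111008: User 'joe' executed the 'debug packet outside dst 69..0 netmask 255.255.255.0' command.
Feb  6 2006 14:03:02 pix-fw %PIX-5-111008: User 'joe' executed the 'show xlate' command.
Feb  6 2006 14:03:30 pix-fw %PIX-5-111008: User 'joe' executed the 'debug packet outside src 10.0.0.0 netmask 255.255.0.255 proto tcp dport 80' command.
"""

# Pull the quoted command out of an audit line; only debug packet commands matter here.
CMD_RE = re.compile(r"'(debug packet[^']*)'")

# Keywords that take a value, and what kind of value they expect (assumed grammar).
EXPECT_VALUE = {
    "src": "address", "dst": "address", "netmask": "mask",
    "proto": "proto", "sport": "port", "dport": "port",
}


def is_valid_ipv4(token):
    """True only for a well-formed dotted-quad; '69..0' fails here."""
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def is_valid_netmask(token):
    """A netmask must be a dotted quad of contiguous one-bits followed by zero-bits."""
    if not is_valid_ipv4(token):
        return False
    bits = int(ipaddress.IPv4Address(token))
    inv = (~bits) & 0xFFFFFFFF          # a contiguous mask inverts to 2^k - 1
    return (inv & (inv + 1)) == 0


def lint_debug_packet(cmd):
    """Return a list of problems found in one 'debug packet' command string."""
    tokens = cmd.split()
    if len(tokens) < 3 or tokens[:2] != ["debug", "packet"]:
        return ["not a debug packet command"]
    rest = tokens[3:]                   # tokens[2] is the interface name
    problems = []
    i = 0
    while i < len(rest):
        kw = rest[i]
        if kw in ("rx", "tx", "both"):  # direction flags take no value
            i += 1
            continue
        if kw not in EXPECT_VALUE:
            problems.append(f"unexpected token '{kw}'")
            i += 1
            continue
        if i + 1 >= len(rest):
            problems.append(f"'{kw}' is missing its value")
            break
        val, kind = rest[i + 1], EXPECT_VALUE[kw]
        if kind == "address" and not is_valid_ipv4(val):
            problems.append(f"'{kw}' value '{val}' is not a valid IPv4 address")
        elif kind == "mask" and not is_valid_netmask(val):
            problems.append(f"netmask '{val}' is not a contiguous IPv4 mask")
        elif kind == "proto" and val not in ("icmp", "tcp", "udp"):
            problems.append(f"proto '{val}' is not icmp, tcp or udp")
        elif kind == "port" and not (val.isdigit() and 0 < int(val) <= 65535):
            problems.append(f"'{kw}' value '{val}' is not a valid port")
        i += 2
    return problems


def scan_syslog(text):
    """Return (command, problems) for every debug packet command seen in the log."""
    findings = []
    for line in text.splitlines():
        m = CMD_RE.search(line)
        if m:
            cmd = m.group(1)
            findings.append((cmd, lint_debug_packet(cmd)))
    return findings


if __name__ == "__main__":
    for cmd, problems in scan_syslog(SAMPLE_SYSLOG):
        status = "OK" if not problems else "; ".join(problems)
        print(f"{cmd!r}: {status}")
```

Run over the sample, the first command passes, the second is flagged because `69..0` is not an IPv4 address, and the fourth is flagged for a non-contiguous netmask. Feeding real command-audit logs through something like this (or running the lint on a command before pasting it into a production box) gives an early warning that is cheaper than watching the CPU hit 99%.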

  2. <> wrote in message
    news:...
    > This is insane....we thought our network was being DDoS'ed today with
    > half-opened SYN connections to all our webservers, but reviewing
    > syslogs just before things went haywire it looks like we may have
    > DoS'ed ourself with bad syntax in "debug packet" command.
    >
    > Syslog shows some valid debug packet:
    >
    > debug packet outside dst 192.168.1.1
    >
    > then there's this one:
    >
    > debug packet outside dst 69..0 netmask 255.255.255.0
    >
    > Yes, "69..0 netmask 255.255.255.0"
    >
    > CPU almost immediately went to 99%, and our IDSes showed a bunch of
    > half-open SYN connections.
    >
    > I'm afraid to test this in production again, but has anyone seen this
    > before? Any comments (aside from the usual: check your syntax,
    > Stupid)? :)
    >
    > Joe
    >


    I think your PIX thinks that you are trying to mix an IPv6 address (69..0) with
    an IPv4 subnet mask. Yes, it could be ugly and unpredictable.

    Good luck,

    Mike
    www.ciscoheadsetadapter.com
     
    CiscoHeadsetAdapter.com, Feb 7, 2006
    #2