z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8671I
TRMD Global TCP Stall entered: date time totalconn= totalconn stalledpct= stalledpct smallwinpct= smallwindowpct writeblkpct= writeblockpct action= action correlator= correlator probeid= probeid sensorhostname= sensorhostname

Explanation

A global TCP stall condition has been detected by Intrusion Detection Services (IDS). The global TCP stall condition is detected for a TCP/IP stack when at least 50% of active TCP connections are stalled and at least 1000 TCP connections are active.

In the message text:
date
The date when the global TCP stall condition was detected.
time
The time when the global TCP stall condition was detected.
totalconn
The total number of active TCP connections when the global TCP stall condition was detected.
stalledpct
The percentage of active TCP connections that were stalled at the time the global TCP stall condition was detected.
A TCP connection is considered stalled if one or more of the following conditions are true:
  • The TCP send window size is less than 256 or is less than the smaller of the largest send window that has been seen for the connection and the default MTU. The TCP send window size is set based on values provided by the TCP peer. The default MTU for IPv4 is 576. The default MTU for IPv6 is 1280.
  • The TCP send queue is full and data is not being retransmitted.
smallwindowpct
The percentage of active TCP connections that are stalled because the TCP send window size is less than 256 or is less than the smaller of the largest send window that has been seen for the connection and the default MTU. A TCP connection can be stalled due to multiple conditions. For example, a TCP connection might be included in both the smallwindowpct value and the writeblockpct value.
writeblockpct
The percentage of active TCP connections that are stalled because the TCP send queue is full and data is not being retransmitted. If data is being retransmitted, there might be a network outage. A TCP connection can be stalled due to multiple conditions. For example, a TCP connection might be included in both the smallwindowpct value and the writeblockpct value.
action
The action specified in the policy for the Global TCP Stall attack type. The action parameter can be one of the following values:
resetconn
All stalled TCP connections will be reset. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8673I will be generated for each stalled connection that is reset.
noresetconn
Stalled TCP connections will not be reset. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8674I will be generated for each stalled connection.
correlator
The correlator for a global TCP stall condition. Message EZZ8672I is issued, with the same correlator value, when the global TCP stall condition is exited. The global TCP stall condition is exited when the number of stalled connections drops to 25% of active TCP connections or the number of stalled connections drops to 450 or fewer. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8673I or EZZ8674I is issued, with the same correlator value, for each stalled connection.
probeid
The unique identifier of the probe detection point. See the intrusion detection services probeids in z/OS Communications Server: IP and SNA Codes for a description of the IDS probe IDs.
sensorhostname
The fully qualified host name of the IDS sensor.

System action

Processing continues.

If the value displayed for action is resetconn, all stalled TCP connections will be reset. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8673I will be generated for each stalled connection that is reset.

If the value displayed for action is noresetconn, stalled TCP connections will not be reset. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8674I will be generated for each stalled connection.

Operator response

Use the values in this message to determine whether the global TCP stall condition was caused by connections whose TCP send window size is less than 256 or is less than the smaller of the largest send window that has been seen for the connection and the default MTU, or by connections whose TCP send queues are full and data is not being retransmitted, or by a combination of both types of contributing factors.

If you requested detailed syslogd messages for the Global TCP Stall attack type, either message EZZ8673I or message EZZ8674I was generated for each stalled connection that contributed to the detection of the global TCP stall condition. See those messages for information about the connections that contributed to the global TCP stall.

If you did not request detailed syslogd messages for the Global TCP Stall attack type and the value displayed for action is noresetconn, the connections contributing to the attack were not reset. Use the Netstat ALL/-A command to display connection information. The connections that are stalled are indicated by the value Yes in the SendStalled report field.

If you are experiencing a network outage, the global TCP stall might not be an indication of an attack; otherwise, the global TCP stall might have been caused by an attack or by a problem with a remote application.

Analyze the data for the connections that contributed to the global TCP stall. If the remote IP address is the same for many of the connections, determine whether there is a problem with the application at that remote IP address or whether that remote IP address is being used to launch an attack.

If the value displayed for action is noresetconn, use the Netstat IDS/-k command to monitor the number of TCP connections that are stalled and the percentage of active TCP connections that are stalled.

System programmer response

No action is needed.

User response

Not applicable.

Problem determination

See the operator response.

Source

z/OS® Communications Server TCP/IP: TRMD

Module

EZATRMD

Routing code

*

Descriptor code

*

Automation

This message is written to syslogd. Automation on this message will provide you with an indication of when a global TCP stall attack is detected.

Example

EZZ8671I TRMD Global TCP Stall entered: 06/09/2010 17:11:28.55 totalconn=1000 stalledpct= 50 smallwinpct= 25
writeblkpct= 35 action= resetconn correlator= 151 probeid= 040B0001 sensorhostname= HOST1.COMPANYA.COM
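The detection rules given in the Explanation (the two per-connection stall conditions, the 1000-connection / 50% entry threshold and the 25% / 450 exit threshold), the Operator response, and the Automation note all describe logic that can be checked in code. The following Python is an added example written for this page; it is not IBM's code and does not reflect how TRMD or the TCP/IP stack are implemented. It parses the EZZ8671I message shown in the Example above as syslogd automation would, re-derives the message's counters from a constructed connection population, and prints the operator hints the message text calls for. The `Conn` record and its field names, the floor rounding of percentages, and the reading of "drops to 25%" as "25% or less" are this example's assumptions.

```python
import re
from dataclasses import dataclass

# Thresholds and constants as stated in the EZZ8671I description.
MIN_SEND_WINDOW = 256        # send window below this is a "small window"
DEFAULT_MTU_IPV4 = 576
DEFAULT_MTU_IPV6 = 1280
ENTER_MIN_ACTIVE = 1000      # global stall needs at least this many active connections
ENTER_STALLED_PCT = 50       # ... and at least this percentage stalled
EXIT_STALLED_PCT = 25        # stall exits when the stalled share drops to this percentage
EXIT_STALLED_COUNT = 450     # ... or the stalled count drops to this or fewer

MSG_RE = re.compile(
    r"^EZZ8671I TRMD Global TCP Stall entered: (?P<date>\S+) (?P<time>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=\s*(\S+)")   # tolerates the "key= value" spacing in the message
INT_FIELDS = ("totalconn", "stalledpct", "smallwinpct", "writeblkpct", "correlator")

def parse_ezz8671i(text):
    """Parse one EZZ8671I message (possibly wrapped across lines) into a dict, or None."""
    m = MSG_RE.match(" ".join(text.split()))
    if m is None:
        return None
    rec = {"date": m.group("date"), "time": m.group("time")}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = int(value) if key in INT_FIELDS else value
    return rec

@dataclass
class Conn:
    # Hypothetical per-connection view; field names are this example's, not Netstat's.
    send_window: int          # current TCP send window, as advertised by the peer
    largest_send_window: int  # largest send window seen on this connection
    ipv6: bool
    send_queue_full: bool
    retransmitting: bool

def small_window(c):
    """Stall condition 1: window < 256, or < min(largest window seen, default MTU)."""
    mtu = DEFAULT_MTU_IPV6 if c.ipv6 else DEFAULT_MTU_IPV4
    return c.send_window < MIN_SEND_WINDOW or c.send_window < min(c.largest_send_window, mtu)

def write_blocked(c):
    """Stall condition 2: send queue full while nothing is being retransmitted."""
    return c.send_queue_full and not c.retransmitting

def is_stalled(c):
    return small_window(c) or write_blocked(c)

def summarize(conns):
    """Compute the counters the message carries (percentages floored; an assumption)."""
    total = len(conns)
    pct = lambda n: n * 100 // total if total else 0
    return {
        "totalconn": total,
        "stalledpct": pct(sum(is_stalled(c) for c in conns)),
        "smallwinpct": pct(sum(small_window(c) for c in conns)),
        "writeblkpct": pct(sum(write_blocked(c) for c in conns)),
    }

def global_stall_entered(total, stalled):
    return total >= ENTER_MIN_ACTIVE and stalled * 100 >= ENTER_STALLED_PCT * total

def global_stall_exited(total, stalled):
    # "drops to 25%" is read here as "25% or less" (an assumption about the wording).
    return stalled * 100 <= EXIT_STALLED_PCT * total or stalled <= EXIT_STALLED_COUNT

def triage(rec):
    """Operator hints derived from the parsed record, following the Operator response text."""
    hints = []
    if rec["action"] == "noresetconn":
        hints.append("stalled connections were not reset; use Netstat ALL/-A (SendStalled=Yes) "
                     "and Netstat IDS/-k to monitor")
    else:
        hints.append("stalled connections were reset; see EZZ8673I for each one if detailed "
                     "messages were requested")
    if rec["smallwinpct"] > 0:
        hints.append("%d%% small send window (peer-advertised)" % rec["smallwinpct"])
    if rec["writeblkpct"] > 0:
        hints.append("%d%% send queue full without retransmission" % rec["writeblkpct"])
    hints.append("correlate with EZZ8672I correlator=%d for the exit" % rec["correlator"])
    return hints

# Constructed sample: the message from the page's Example section, wrapped as logged.
SAMPLE = ("EZZ8671I TRMD Global TCP Stall entered: 06/09/2010 17:11:28.55 totalconn=1000 "
          "stalledpct= 50 smallwinpct= 25\n"
          "writeblkpct= 35 action= resetconn correlator= 151 probeid= 040B0001 "
          "sensorhostname= HOST1.COMPANYA.COM")

# Constructed connection population that reproduces the sample's counters:
# 150 small-window only, 250 write-blocked only, 100 both, 500 healthy.
SAMPLE_CONNS = (
    [Conn(200, 65535, False, False, False)] * 150
    + [Conn(8192, 65535, False, True, False)] * 250
    + [Conn(100, 65535, True, True, False)] * 100
    + [Conn(8192, 65535, False, False, False)] * 500
)

if __name__ == "__main__":
    rec = parse_ezz8671i(SAMPLE)
    print(rec)
    print(summarize(SAMPLE_CONNS))
    print(global_stall_entered(rec["totalconn"], rec["totalconn"] * rec["stalledpct"] // 100))
    for hint in triage(rec):
        print("-", hint)
```

Because a connection can be counted under both conditions, `smallwinpct` plus `writeblkpct` (25 + 35 here) legitimately exceeds `stalledpct` (50); an automation rule that sums the two to cross-check the message will misfire, so compare each against the total separately, as `summarize` does.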

Copyright IBM Corporation 1990, 2014