EZZ8671I
z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM) SC27-3657-01
EZZ8671I TRMD Global TCP Stall entered: date time totalconn= totalconn stalledpct= stalledpct smallwinpct= smallwindowpct writeblkpct= writeblockpct action= action correlator= correlator probeid= probeid sensorhostname= sensorhostname

Explanation

A global TCP stall condition has been detected by Intrusion Detection Services (IDS). The global TCP stall condition is detected for a TCP/IP stack when at least 50% of active TCP connections are stalled and at least 1000 TCP connections are active. In the message text:

System action

Processing continues. If the value displayed for action is resetconn, all stalled TCP connections will be reset. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8673I will be generated for each stalled connection that is reset. If the value displayed for action is noresetconn, stalled TCP connections will not be reset. If you requested detailed syslogd messages for the Global TCP Stall attack type, message EZZ8674I will be generated for each stalled connection.

Operator response

Use the values in this message to determine whether the global TCP stall condition was caused by connections whose TCP send window size is less than 256 or is less than the smaller of the largest send window that has been seen for the connection and the default MTU, or by connections whose TCP send queues are full and data is not being retransmitted, or by a combination of both types of contributing factors.

If you requested detailed syslogd messages for the Global TCP Stall attack type, either message EZZ8673I or message EZZ8674I was generated for each stalled connection that contributed to the detection of the global TCP stall condition. See those messages for information about the connections that contributed to the global TCP stall.

If you did not request detailed syslogd messages for the Global TCP Stall attack type and the value displayed for action is noresetconn, the connections contributing to the attack were not reset. Use the Netstat ALL/-A command to display connection information. The connections that are stalled are indicated by the value Yes in the SendStalled report field.

If you are experiencing a network outage, the global TCP stall might not be an indication of an attack; otherwise, the global TCP stall might have been caused by an attack or by a problem with a remote application. Analyze the data for the connections that contributed to the global TCP stall. If the remote IP address is the same for many of the connections, determine whether there is a problem with the application at that remote IP address or whether that remote IP address is being used to launch an attack.

If the value displayed for action is noresetconn, use the Netstat IDS/-k command to monitor the number of TCP connections that are stalled and the percentage of active TCP connections that are stalled.

System programmer response

No action is needed.

User response

Not applicable.

Problem determination

See the operator response.

Source

z/OS® Communications Server TCP/IP: TRMD

Module

EZATRMD

Routing code

*

Descriptor code

*

Automation

This message is written to syslogd. Automation on this message will provide you with an indication of when a global TCP stall attack is detected.

Example
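
For the automation described above, one way to parse EZZ8671I from forwarded syslogd output and apply the operator-response logic; this is an added example, not part of IBM's documentation or code. The syslog prefix, field separators, date format and all sample values are constructed, and reading smallwinpct and writeblkpct as the shares attributable to small send windows and full send queues is an assumption drawn from the operator response.

```python
import re

# Field names are taken from the EZZ8671I message text.
FIELDS = ("totalconn", "stalledpct", "smallwinpct", "writeblkpct",
          "action", "correlator", "probeid", "sensorhostname")
NUMERIC = FIELDS[:4]
# Accept "name=value" or "name= value", split by spaces or commas (assumed).
_KV = re.compile(r"\b(%s)=\s*([^\s,]+)" % "|".join(FIELDS))

def parse_ezz8671i(line):
    """Return the EZZ8671I fields as a dict, or None for any other message."""
    if "EZZ8671I" not in line:
        return None
    rec = dict(_KV.findall(line))
    missing = [f for f in FIELDS if f not in rec]
    if missing:
        raise ValueError("EZZ8671I line lacks fields: " + ", ".join(missing))
    for f in NUMERIC:
        rec[f] = int(rec[f])
    return rec

def triage(rec):
    """Summarise one parsed record using the rules in the message description."""
    small, blocked = rec["smallwinpct"] > 0, rec["writeblkpct"] > 0
    cause = ("combination" if small and blocked else
             "small send window" if small else
             "send queue full" if blocked else "undetermined")
    reset = rec["action"] == "resetconn"
    return {
        "cause": cause,
        "connections_reset": reset,
        # Per-connection detail message, if detailed syslogd messages are on.
        "detail_message": "EZZ8673I" if reset else "EZZ8674I",
        # Documented detection criteria: >= 50% stalled and >= 1000 active.
        "meets_criteria": rec["stalledpct"] >= 50 and rec["totalconn"] >= 1000,
        # With noresetconn the operator inspects and monitors the stall.
        "next_steps": [] if reset else ["Netstat ALL/-A", "Netstat IDS/-k"],
    }

# Constructed sample lines; prefix, date format and values are made up.
SAMPLE = [
    "Jan 02 10:15:00 host1 trmd: EZZ8671I TRMD Global TCP Stall entered:"
    "01/02/2014 10:15:00.00,totalconn=1200,stalledpct=55,smallwinpct=80,"
    "writeblkpct=30,action=noresetconn,correlator=7,probeid=0000TEST,"
    "sensorhostname=host1.example.com",
    "EZZ8671I TRMD Global TCP Stall entered: 01/02/2014 10:20:00.00 "
    "totalconn= 2000 stalledpct= 60 smallwinpct= 0 writeblkpct= 100 "
    "action= resetconn correlator= 8 probeid= 0000TEST "
    "sensorhostname= host2.example.com",
    "Jan 02 10:21:00 host1 sshd: unrelated line",
]

def run(lines=SAMPLE):
    return [triage(r) for r in map(parse_ezz8671i, lines) if r]
```
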
Copyright IBM Corporation 1990, 2014