Symantec Management Platform (Notification Server)

  • 1.  Denial Of Service Attack

    Posted May 04, 2011 06:38 AM

    Hi guys, has anyone seen anything like this? We are seeing Event ID 2025, source SRV, being logged in the System Event Log of the SQL Server with the Altiris database at around 8:00am every day:

    "The server has detected an attempted Denial-Of-Service attack from client (Altiris Application Server), and has disconnected the connection."

     

    The alert is being generated because the Altiris Application server is making a large number of concurrent connection requests to the database server.

    Event ID 2025 is logged in the System log on a Windows Server 2003-based computer.

     

    We could raise the maximum number of network requests that are allowed for the database server as per this Microsoft article http://support.microsoft.com/kb/898468 but we want to understand the reason for this alert being generated, as we are not seeing it from any other servers.

     

    Thanks

     

    Shaun



  • 2.  RE: Denial Of Service Attack

    Posted May 04, 2011 09:42 AM

    How many systems do you have? What time of the day do users typically come to the office and connect to the network? What policies do you have that run either a) at system startup or b) initiate around or at the time in question?



  • 3.  RE: Denial Of Service Attack

    Posted May 04, 2011 11:20 AM

    Thanks for the response Jim, I was thinking along those lines myself.

    We have around 800 PCs, of which 600 or so have the agent on them. I would guess that between 8.30 and 9.30 would be our busiest times for logins, as most people are starting their day then.

    We haven't really got anything which runs at those times specifically. We are in the fairly early stages of setting up Altiris and haven't got round to doing much at all with policies yet.

    We are currently running CMS7 but are only using the management agent and deployment and Inventory plugin install features which are set to check and install every few hours on a daily basis if in the appropriate filter group.

    This problem only started a few weeks ago; previous to that it seemed to be OK. I can't think what might be causing this.

    Is this something that anyone else has seen before?

     

    Thanks



  • 4.  RE: Denial Of Service Attack

    Posted May 06, 2011 05:12 PM

    I would check scheduled tasks.  What runs at 8:00 a.m. every day?  Just open up scheduled tasks on the Windows Server 2003 NS host.