High volume of DoS learning attack detected after sensor rebooting/upgrading
Last Modified: 2024-01-22 11:21:29 Etc/GMT
Technical Articles ID: KB91581
Environment
Trellix Intrusion Prevention System (Trellix IPS)
Problem
When you reboot your Sensor, you see a high volume of DoS learning attacks detected, such as the following:

TCP Control Segment Anomaly
long-term average rate=7793.464(pkts/s), last_rate=0.000(pkts/s)
not enough long-term traffic received to establish a reliable profile, blocking based on current traffic distribution only
percentage of 'good' traffic blocked (estimate)=0.0%
percentage of traffic blocked (total, estimate)=0.0%
each line: block_flag, bin_index, IP_prefix/prefix_len, AS(%), LT(%), ST(%), ltR(ate), stR(ate)
AS(%) -- percentage of the IP address space this bin occupies
LT(%) -- percentage of long-term traffic that falls into this bin
ST(%) -- percentage of short-term traffic that falls into this bin
ltRate -- long-term traffic rate (in pkts/s) for this bin
stRate -- short-term traffic rate (in pkts/s) for this bin
block flag meaning: * -- blocked due to low long-term traffic, # -- blocked due to excessive current traffic, no flag -- not blocked

Cause
The not enough long-term traffic received to establish a reliable profile message is due to the nature or pattern of the local network traffic. A hard-coded mechanism monitors whether enough traffic has passed through the Sensor to determine if the profile is reliable. When the Sensor decides it's unreliable, the DoS profile isn't loaded into the local memory of the Sensor. This check runs when the Sensor is rebooting.
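Because these alerts arrive in bulk after a reboot, a SOC analyst usually wants to separate the "profile not loaded" alerts from genuine DoS detections before escalating. The following Python is an added example (not Trellix code) that parses the alert wording shown above and flags alerts carrying the unreliable-profile message with nothing actually blocked; the sample alert text is constructed from the article's wording, and the triage rule itself is an assumption, not something the article defines.

```python
import re
from dataclasses import dataclass

# Constructed sample alert, assembled from the wording the article shows.
SAMPLE_ALERT = """TCP Control Segment Anomaly
long-term average rate=7793.464(pkts/s), last_rate=0.000(pkts/s)
not enough long-term traffic received to establish a reliable profile, blocking based on current traffic distribution only
percentage of 'good' traffic blocked (estimate)=0.0%
percentage of traffic blocked (total, estimate)=0.0%
"""

RATE_RE = re.compile(r"long-term average rate=([\d.]+)\(pkts/s\), last_rate=([\d.]+)\(pkts/s\)")
GOOD_RE = re.compile(r"percentage of 'good' traffic blocked \(estimate\)=([\d.]+)%")
TOTAL_RE = re.compile(r"percentage of traffic blocked \(total, estimate\)=([\d.]+)%")
UNRELIABLE_MSG = "not enough long-term traffic received to establish a reliable profile"


@dataclass
class DosLearningAlert:
    attack_name: str          # first line of the alert, e.g. "TCP Control Segment Anomaly"
    long_term_rate: float     # long-term average rate in pkts/s
    last_rate: float          # last observed rate in pkts/s
    profile_unreliable: bool  # the Sensor did not load the long-term DoS profile
    good_blocked_pct: float   # estimated percentage of 'good' traffic blocked
    total_blocked_pct: float  # estimated percentage of all traffic blocked


def parse_alert(text: str) -> DosLearningAlert:
    """Parse the header portion of a DoS learning attack alert into a record."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    rate = RATE_RE.search(text)
    good = GOOD_RE.search(text)
    total = TOTAL_RE.search(text)
    if not (rate and good and total):
        raise ValueError("alert text does not match the expected DoS learning format")
    return DosLearningAlert(
        attack_name=lines[0],
        long_term_rate=float(rate.group(1)),
        last_rate=float(rate.group(2)),
        profile_unreliable=UNRELIABLE_MSG in text,
        good_blocked_pct=float(good.group(1)),
        total_blocked_pct=float(total.group(1)),
    )


def is_post_reboot_learning_noise(alert: DosLearningAlert) -> bool:
    """Assumed triage rule: profile not loaded and no traffic blocked means the
    alert reflects the reboot learning state rather than an active DoS."""
    return alert.profile_unreliable and alert.total_blocked_pct == 0.0
```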
Solution
There are two options for recovery from this situation:
To keep the same profile, upload the profile file to the Manager and then download it back to the Sensor:
To rebuild the DoS profile from the beginning: