High number of New Intercepted Connections


Article ID: 170088


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


This article describes an issue where the proxy unexpectedly experiences an increase in new connections. When this occurs, CPU overhead may become elevated while other statistics such as bandwidth, user count, HTTP workers and active connections remain relatively low.

Note: In most scenarios, CPU values are typically found to climb in relation to TCPIP (for more information, refer to article TECH241147).




The most likely cause of this issue is malware, software or a script that is running on one or several client machines and is creating thousands of connections per minute.
To find out which IP address or addresses may be causing this traffic, create three snapshot files, which will contain this information in more detail.
Create the snapshots using these advanced URLs:

  • /TCP/users
  • /TCP/Connections
  • /Diagnostics/CPU_Monitor/Statistics/Advanced

Information on how to create snapshot files can be found in this article: TECH241685
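
Once the /TCP/Connections snapshot has been saved as text, the clients opening the most connections can be tallied with a short script. The following Python is an added example, not part of the original article or of any Broadcom tooling. It assumes only that each connection line contains two `address:port` endpoints with the client side first (set `client_index=1` if the snapshot lists it second); the sample lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches an IPv4 endpoint written as address:port, e.g. 10.1.1.23:51544
ENDPOINT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})\b")

# Constructed sample input; the real snapshot layout may differ (assumption).
SAMPLE = """\
Proto Local Remote State
tcp 10.1.1.23:51544 203.0.113.10:443 ESTABLISHED
tcp 10.1.1.23:51545 203.0.113.10:443 SYN_RCVD
tcp 10.1.1.23:51546 198.51.100.7:80 TIME_WAIT
tcp 10.1.1.40:40212 203.0.113.10:443 ESTABLISHED
tcp 10.1.1.23:51547 198.51.100.7:80 TIME_WAIT
"""

def tally_clients(snapshot_text, client_index=0):
    """Count connections and collect distinct peer endpoints per client IP.

    Lines with fewer than two endpoints (headers, blanks) are skipped.
    client_index selects which endpoint on a line is the client side.
    """
    conns = Counter()
    peers = defaultdict(set)
    for line in snapshot_text.splitlines():
        endpoints = ENDPOINT.findall(line)
        if len(endpoints) < 2:
            continue
        client_ip = endpoints[client_index][0]
        conns[client_ip] += 1
        peers[client_ip].add(endpoints[1 - client_index])
    return conns, peers

def top_talkers(snapshot_text, threshold, client_index=0):
    """Return (ip, connection_count, distinct_peers) for clients at or
    above threshold, busiest first."""
    conns, peers = tally_clients(snapshot_text, client_index)
    return [(ip, n, len(peers[ip]))
            for ip, n in conns.most_common() if n >= threshold]

if __name__ == "__main__":
    for ip, count, distinct in top_talkers(SAMPLE, threshold=3):
        print(f"{ip}: {count} connections to {distinct} distinct peers")
```

A client with a very high connection count against only a few distinct peers is a typical signature of a looping script or misbehaving application, and the same address should also stand out in the /TCP/users snapshot.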

A good way to ensure the connections are being blocked is to use the Attack Detection feature. This feature will drop connections that exceed the specified threshold. To implement this feature, refer to the SGOS Administration Guide and the Command Line Interface Reference Guide.