High number of New Intercepted Connections


Article ID: 170088


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

This article describes an issue where the proxy experiences an unexpected increase in new connections. When this occurs, CPU overhead may rise while other statistics such as bandwidth, user count, HTTP workers and active connections remain relatively low.

Note: In most scenarios, CPU values are typically found to climb in relation to TCPIP (for more information, refer to article TECH241147).

Resolution

The most likely cause of this issue is malware, software or a script that is running on one or several client machines and is creating thousands of connections per minute.
To find out which IP address or addresses may be causing this traffic, create three snapshot files that capture this information in more detail.
Create the snapshots using these advanced URLs:

  • /TCP/users
  • /TCP/Connections
  • /Diagnostics/CPU_Monitor/Statistics/Advanced

Information on how to create snapshot files can be found in this article: TECH241685
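
Once the snapshots are saved, the per-client tally can be scripted. The following is an added example, not part of the original article or the product: the netstat-style line layout, the function names, the client subnet and the sample data are all assumptions constructed for illustration, so adjust the pattern to match the real snapshot file.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout (not from the article): one connection per line, netstat-style,
# "proto local_ip:port remote_ip:port state". Adjust ENDPOINT for the real file.
ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

def connections_per_client(snapshot_text, client_networks):
    """Count connections per remote address that falls in a client network."""
    nets = [ipaddress.ip_network(n) for n in client_networks]
    counts = Counter()
    for line in snapshot_text.splitlines():
        endpoints = ENDPOINT.findall(line)
        if len(endpoints) < 2:
            continue  # header, blank line, or a listener with no peer
        try:
            remote = ipaddress.ip_address(endpoints[1][0])
        except ValueError:
            continue  # matched the pattern but is not a valid address
        if any(remote in net for net in nets):
            counts[str(remote)] += 1
    return counts

def top_talkers(counts, threshold):
    """Return (ip, count) pairs at or above threshold, busiest first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

def build_sample():
    """Constructed sample snapshot: one noisy client and two quiet ones."""
    lines = ["Proto Local Remote State"]
    for port in range(40000, 40300):
        lines.append(f"tcp 192.0.2.10:8080 10.1.1.50:{port} TIME_WAIT")
    lines.append("tcp 192.0.2.10:8080 10.1.1.7:51000 ESTABLISHED")
    lines.append("tcp 192.0.2.10:8080 10.1.2.9:51001 ESTABLISHED")
    # Upstream (server-side) connection: outside the client networks, not counted
    lines.append("tcp 192.0.2.10:33000 198.51.100.20:443 ESTABLISHED")
    lines.append("tcp 0.0.0.0:8080 *:* LISTEN")
    return "\n".join(lines)

if __name__ == "__main__":
    counts = connections_per_client(build_sample(), ["10.1.0.0/16"])
    for ip, n in top_talkers(counts, threshold=100):
        print(f"{ip}\t{n}")
```

Restricting the count to client subnets keeps busy upstream servers out of the result, so the list shows only the client machines worth inspecting.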

A good way to ensure the connections are being blocked is to use the Attack Detection feature. This feature will drop connections that exceed the specified threshold. To implement this feature, refer to the SGOS Administration Guide and the Command Line Interface Reference Guide.