FAKE_SESSION DDoS Alert in Avi Load Balancer
search cancel

FAKE_SESSION DDoS Alert in Avi Load Balancer

book

Article ID: 405055

calendar_today

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • Avi Service Engine (SE) may trigger a FAKE_SESSION DDoS alert when it receives unexpected TCP sequence or acknowledgment numbers during a session, suggesting abnormal or potentially malicious traffic patterns.
  • This condition is typically triggered when incoming packets do not match the expected TCP state, either from the client or the server side.
  • VS Events will show this along with some source ips.

Cause

  • If there is a firewall, or any intermediate device between the client and the Avi Virtual Service, it may drop or manipulate packets under certain conditions .(Firewall IP will also show under event_details)

  • Attackers may send TCP packets with forged sequence or acknowledgment numbers.

  • Certain clients or embedded devices may have flawed TCP implementations.(Examples: sending ACKs for unsent data, retransmitting corrupted SEQ numbers, etc.)

Resolution

1.Client to Virtual Service (VS) Direction

  • The VS receives packets with incorrect sequence numbers from the client.

  • Example:

    • VS has ACK'd up to raw ACK number 2618035085.

    • But it receives a packet with sequence number 1701396855, which is not the expected next sequence.

  •  Indicates significant packet loss or desynchronized TCP flow.

  • This deviation may trigger the FAKE_SESSION detection logic in the SE dataplane.

 

 2. VS to Client Direction

  • The VS receives ACKs from the client that acknowledge more data than was sent.

  • Example:

    • VS sends a packet with raw sequence number 1701410630.

    • Client responds with an ACK for 2618035314beyond what VS has actually transmitted.

  • This results in a FAKE_SESSION alert being raised.

 This could mean:

  • A client-side anomaly or spoofing attempt

  • A proxy, or poorly behaving TCP stack manipulating sequence/ACKs

 

Confirmation Using tcpstats

You can validate this behavior by checking tcpstats counters on the VirtualService:

Login to Controller shell:

show virtualservice <name> tcpstats

Look for:

ack_too_much_packets_received |  <>  

A very high value  confirms that the SE received many packets where the ACK was beyond what it actually sent, reinforcing the FAKE_SESSION diagnosis.


Conclusion

We recommend the customer to review their network infrastructure and client-side behavior to identify potential causes, such as TCP manipulation, packet drops, unexpected sequence numbers from the client or ACKs for data not yet transmitted by the SE.

Powered by Wolken Software