z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8674I
TRMD TCP connection would have been reset because Global TCP Stall attack detected: date time connid= connid jobname= jobname lipaddr= lipaddr lport= lport ripaddr= ripaddr rport= rport sendqdata= sendqdata windowsize= windowsize correlator= correlator probeid= probeid sensorhostname= sensorhostname

Explanation

A global TCP stall condition was detected and the specified connection was stalled. The connection was not reset because Intrusion Detection Services (IDS) policy for the Global TCP Stall attack type specified that stalled connections should not be reset.

A global TCP stall condition is detected for a TCP/IP stack when at least 50% of active TCP connections are stalled and at least 1000 TCP connections are active. At the time the condition was detected, if a policy action of reset connections had been configured, all stalled TCP connections would have been reset.

A TCP connection is considered stalled if one or more of the following conditions are true:
  • The TCP send window size is less than 256 or is less than the smaller of the largest send window that has been seen for the connection and the default MTU. The TCP send window size is set based on values provided by the TCP peer. The default MTU for IPv4 is 576. The default MTU for IPv6 is 1280.
  • The TCP send queue is full and data is not being retransmitted.
In the message text:
date
The date when the condition was detected.
time
The time when the condition was detected.
connid
The ID of the connection.
jobname
The job name of the connection.
lipaddr
The local IP address of the connection.
lport
The local port of the connection.
ripaddr
The remote IP address of the connection.
rport
The remote port of the connection.
sendqdata
The amount of data queued to the TCP send queue.
windowsize
The size of the TCP window. The TCP send window size is set based on values provided by the TCP peer.
correlator
The correlator for a global TCP stall condition. Message EZZ8671I is issued, with the same correlator value, when the global TCP stall condition is detected. Message EZZ8672I is issued, with the same correlator value, when the global TCP stall condition is exited. Additional EZZ8674I messages are issued, with the same correlator value, for other connections that were stalled at the time that the global TCP stall condition was detected.
probeid
The unique identifier of the probe detection point. See the intrusion detection services probeids in z/OS Communications Server: IP and SNA Codes for a description of the IDS probe IDs.
sensorhostname
The fully qualified host name of the IDS sensor.

System action

Processing continues.

Operator response

The connection was determined to be stalled for one or both of the following reasons:
  • The TCP send queue for the connection was full and data was not being retransmitted. Use the sendqdata value in this message to determine the amount of data that was queued to the TCP send queue at the time that the global TCP stall condition was detected.
  • A window advertisement was received from the peer with a window size that is less than 256 or is less than the smaller of the largest send window that has been seen for the connection and the default MTU. Use the windowsize value in this message to determine the last window size received from the peer at the time that the global TCP stall condition was detected.

If you are experiencing a network outage, the global TCP stall that caused this message might not be an indication of an attack; otherwise, the global TCP stall might have been caused by an attack or by a problem with a remote application.

Analyze the data in this message and the EZZ8674I messages issued for other connections that contributed to the global TCP stall. If the remote IP address is the same for many of the connections, determine if there is a problem with the application at that remote IP address or if that remote IP address is being used to launch an attack.
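As an added example (not part of the IBM message reference), the stall criteria from the Explanation and the per-remote-address check from this operator response, written in Python. It assumes EZZ8674I records arrive from syslogd one per line, and that the caller already knows the largest send window seen and the send-queue state for a connection; the sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# Default MTUs given in the message explanation: IPv4 576, IPv6 1280.
DEFAULT_MTU = {4: 576, 6: 1280}

def is_stalled(window_size, largest_window_seen, ip_version,
               sendq_full=False, retransmitting=False):
    """Stall test from the explanation: send window below 256 or below
    min(largest window seen, default MTU), or a full send queue not retransmitting."""
    mtu = DEFAULT_MTU[ip_version]
    window_stalled = window_size < 256 or window_size < min(largest_window_seen, mtu)
    queue_stalled = sendq_full and not retransmitting
    return window_stalled or queue_stalled

def is_global_stall(active_connections, stalled_connections):
    """Global stall: at least 1000 active connections and at least 50% of them stalled."""
    return active_connections >= 1000 and 2 * stalled_connections >= active_connections

# Field layout of EZZ8674I as written to syslogd (one record per line assumed).
EZZ8674I_RE = re.compile(
    r"EZZ8674I TRMD TCP connection would have been reset because "
    r"Global TCP Stall attack detected: (?P<date>\S+) (?P<time>\S+) "
    r"connid= (?P<connid>\S+) jobname= (?P<jobname>\S+) lipaddr= (?P<lipaddr>\S+) "
    r"lport= (?P<lport>\d+) ripaddr= (?P<ripaddr>\S+) rport= (?P<rport>\d+) "
    r"sendqdata= (?P<sendqdata>\d+) windowsize= (?P<windowsize>\d+) "
    r"correlator= (?P<correlator>\d+) probeid= (?P<probeid>\S+) "
    r"sensorhostname= (?P<sensorhostname>\S+)")

def parse_ezz8674i(line):
    """Return the message fields as a dict, or None if the line is not EZZ8674I."""
    m = EZZ8674I_RE.search(line)
    return m.groupdict() if m else None

def remote_ips_per_stall(lines):
    """Group records by correlator (one global stall event) and count ripaddr values."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_ezz8674i(line)
        if rec:
            counts[rec["correlator"]][rec["ripaddr"]] += 1
    return counts

# Constructed sample: the page's example record plus two invented records sharing its correlator.
SAMPLE_LOG = [
    "EZZ8674I TRMD TCP connection would have been reset because Global TCP Stall attack detected: 06/09/2010 17:11:28.55 connid= 00000125 jobname= USER15 lipaddr= 4.4.4.4 lport= 1165 ripaddr= 7.7.7.7 rport= 5000 sendqdata= 500 windowsize= 0 correlator= 137 probeid= 040B0001 sensorhostname= HOST1.COMPANYA.COM",
    "EZZ8674I TRMD TCP connection would have been reset because Global TCP Stall attack detected: 06/09/2010 17:11:28.55 connid= 00000126 jobname= USER16 lipaddr= 4.4.4.4 lport= 1166 ripaddr= 7.7.7.7 rport= 5000 sendqdata= 480 windowsize= 0 correlator= 137 probeid= 040B0001 sensorhostname= HOST1.COMPANYA.COM",
    "EZZ8674I TRMD TCP connection would have been reset because Global TCP Stall attack detected: 06/09/2010 17:11:28.55 connid= 00000127 jobname= USER17 lipaddr= 4.4.4.4 lport= 1167 ripaddr= 9.9.9.9 rport= 5000 sendqdata= 0 windowsize= 128 correlator= 137 probeid= 040B0001 sensorhostname= HOST1.COMPANYA.COM",
]
```

A remote address that dominates the per-correlator counter is the one the operator response says to investigate, whether as a misbehaving application or as an attack source.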

System programmer response

No action is needed.

User response

Not applicable.

Problem determination

See the operator response.

Source

z/OS® Communications Server TCP/IP: TRMD

Module

EZATRMD

Routing code

*

Descriptor code

*

Automation

This message is written to syslogd. Automation on this message will provide you with information about the TCP connections that contribute to the detection of a Global TCP Stall attack.

Example

EZZ8674I TRMD TCP connection would have been reset because Global TCP Stall attack detected: 06/09/2010
17:11:28.55 connid= 00000125 jobname= USER15 lipaddr= 4.4.4.4 lport= 1165 ripaddr= 7.7.7.7 rport= 5000 
sendqdata= 500 windowsize= 0 correlator= 137 probeid= 040B0001 sensorhostname= HOST1.COMPANYA.COM

Copyright IBM Corporation 1990, 2014