z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)
SC27-3657-01

EZZ8677I
TRMD ATTACK EE XID timeout flood start: date time dipaddr= dipaddr timeoutthreshold= timeoutthreshold lastsip= lastsip sipcnt= sipcnt correlator= correlator probeid= probeid sensorhostname= sensorhostname

Explanation

An EE XID flood attack was detected by Intrusion Detection Services (IDS). This occurs when the number of EE XID timeouts, documented by message EZZ8675I, received in a one minute interval is equal to the EEXIDtimeout value. The EEXIDtimeout value is set in the action for the EE_XID_FLOOD IDS policy. If not set, the value is 100 for an active EE_XID_FLOOD IDS policy.

In the message text:
date
The date when the EE XID flood attack started.
time
The time when the EE XID flood attack started.
dipaddr
The destination IP address of the XID that starts the EE XID flood attack.
timeoutthreshold
The number of XIDs that timed out before the EE XID flood attack condition was entered.
lastsip
The source IP address of the XID that started the EE XID flood attack.
sipcnt
The consecutive number of XIDs that timed out that have the same source IP address as the last timed out XID. If the previously timed out XID packet's source IP address is not the same as the last timed out XID packet's source IP address, the count will be 1.
correlator
The correlator for an EE XID timeout flood start condition.
probeid
The unique identifier of the probe detection point. See the intrusion detection services probe IDs in z/OS Communications Server: IP and SNA Codes for a description of the probe IDs.
sensorhostname
The fully qualified host name of the IDS sensor.

System action

Processing continues.

Operator response

None.

System programmer response

A possible XID flood attack exists for the specified destination IP address. The lastsip and sipcnt provide information pertaining to the source of the XIDs. If the last source IP address (lastsip) is a valid partner EE endpoint and sipcnt is greater than one, check for problems at the source. If the sipcnt is one, check the syslogd for EZZ8675I messages that identify previous timeouts to this destination IP address. If the source IP address is valid, test the EE connectivity between the two EE endpoints by issuing the DISPLAY NET,EEDIAG,TEST=YES command. See z/OS Communications Server: SNA Operation for details.
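The following Python is an added example, not part of this IBM documentation or of TRMD: it parses an EZZ8677I line from syslogd into its documented fields and applies the triage order given above (sipcnt of one, known partner endpoint with repeated timeouts, or an unrecognized source). The set of valid partner EE endpoint addresses is an assumed input that the operator supplies; the sample line is constructed from the Example on this page.

```python
import re
from typing import Dict, Optional, Set, Union

# Field layout of EZZ8677I as documented above. The "EZZ8677I " prefix is
# optional because the Example on this page omits it, and "=\s*" tolerates
# the extra blanks that appear after "=" in that example.
_EZZ8677I = re.compile(
    r"(?:EZZ8677I\s+)?TRMD ATTACK EE XID timeout flood start:\s+"
    r"(?P<date>\S+)\s+(?P<time>\S+)\s+dipaddr=\s*(?P<dipaddr>\S+)\s+"
    r"timeoutthreshold=\s*(?P<timeoutthreshold>\d+)\s+lastsip=\s*(?P<lastsip>\S+)\s+"
    r"sipcnt=\s*(?P<sipcnt>\d+)\s+correlator=\s*(?P<correlator>\d+)\s+"
    r"probeid=\s*(?P<probeid>\S+)\s+sensorhostname=\s*(?P<sensorhostname>\S+)"
)
_INT_FIELDS = ("timeoutthreshold", "sipcnt", "correlator")

def parse_ezz8677i(line: str) -> Optional[Dict[str, Union[str, int]]]:
    """Return the fields keyed by their documented names, or None for any other message."""
    m = _EZZ8677I.search(line)
    if not m:
        return None
    fields: Dict[str, Union[str, int]] = dict(m.groupdict())
    for name in _INT_FIELDS:
        fields[name] = int(fields[name])
    return fields

def triage(ev: Dict[str, Union[str, int]], partner_endpoints: Set[str]) -> str:
    """Apply the system programmer response to one parsed event.
    partner_endpoints: valid partner EE endpoint addresses (assumed operator input)."""
    if ev["sipcnt"] == 1:
        # One timeout from this source says little; the earlier EZZ8675I
        # messages for the same dipaddr identify the other timed-out sources.
        return "check-ezz8675i"
    if ev["lastsip"] in partner_endpoints:
        # Repeated timeouts from a known partner: look at that host, then
        # verify connectivity with DISPLAY NET,EEDIAG,TEST=YES.
        return "check-partner-then-eediag"
    return "unknown-source"

# Constructed sample syslogd line, built from the Example on this page (joined onto one line).
SAMPLE = ("EZZ8677I TRMD ATTACK EE XID timeout flood start: 11/04/2010 01:54:12.32 dipaddr=  9.42.105.53 "
          "timeoutthreshold= 2 lastsip= 9.42.105.50 sipcnt= 10 correlator= 23  probeid= 04130002 "
          "sensorhostname= HOST1.COMPANYA.COM")

if __name__ == "__main__":
    event = parse_ezz8677i(SAMPLE)
    print(event)
    print(triage(event, {"9.42.105.50"}))
```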

User response

Not applicable.

Problem determination

None.

Source

z/OS® Communications Server TCP/IP: TRMD

Module

EZATRMD

Routing code

2, 8

Descriptor code

8, 9

Automation

Not applicable.

Example

TRMD ATTACK EE XID timeout flood start: 11/04/2010 01:54:12.32 dipaddr=  9.42.105.53 timeoutthreshold= 2 
lastsip= 9.42.105.50 sipcnt= 10 correlator= 23  probeid= 04130002 sensorhostname= HOST1.COMPANYA.COM

Procedure name

WriteLogEntries

Copyright IBM Corporation 1990, 2014