Summary
The Exinda appliance tracks Ignored, Refused and Aborted connections. This article explains the differences between them.
Overview
The TCP Health graphs under Monitor > Service Levels show several TCP connection states: aborted, refused and ignored. Each state corresponds to the way a TCP connection is established and ended, as indicated by the flags in its packets.
Aborted, Refused and Ignored connections sound very similar in terminology, but mean the following:
- Aborted - Connections were established, but were closed by a RST (reset) issued by either the client or server rather than a clean close. High numbers of aborted connections can point to network or server problems.
- Refused - A SYN packet was observed and a RST or ICMP "connection refused" message was received in response. This usually means the server is up, but the application is unavailable or not working correctly. It can also indicate a TCP port scan is occurring.
- Ignored - A SYN packet was observed, but no SYN-ACK response was received. This usually means the server is not responding, does not exist, is not accessible, or is ignoring the connection request. It can also indicate a TCP port scan is occurring.
Seeing a significant increase in either Refused or Ignored connections on the TCP Health Graph can indicate that there has been a port scan, application scan or intrusion attempt from other devices, including those from the outside. Monitoring this graph can help ensure that there has been no suspicious activity in the connections on the device.
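The three definitions above, applied to a packet capture and used to flag sources that generate many refused or ignored connections. This is an added example, not Exinda code: the packet tuple format, the sample addresses, the "established" and "unknown" labels and the min_targets threshold are assumptions, and each flow's capture is assumed complete, so no timeout is modelled for Ignored.

```python
from collections import defaultdict

# Constructed sample capture: (client, client_port, server, server_port, sender, flag).
# sender is "c" (client) or "s" (server); ICMP_REFUSED is the ICMP "connection refused" message.
PACKETS = [
    ("10.0.0.5", 40001, "10.0.1.10", 443, "c", "SYN"),
    ("10.0.0.5", 40001, "10.0.1.10", 443, "s", "SYN-ACK"),
    ("10.0.0.5", 40001, "10.0.1.10", 443, "c", "ACK"),
    ("10.0.0.5", 40001, "10.0.1.10", 443, "c", "FIN"),
    ("10.0.0.6", 40002, "10.0.1.10", 443, "c", "SYN"),
    ("10.0.0.6", 40002, "10.0.1.10", 443, "s", "SYN-ACK"),
    ("10.0.0.6", 40002, "10.0.1.10", 443, "c", "ACK"),
    ("10.0.0.6", 40002, "10.0.1.10", 443, "s", "RST"),
    ("10.0.0.9", 50001, "10.0.1.10", 21, "c", "SYN"),
    ("10.0.0.9", 50001, "10.0.1.10", 21, "s", "RST"),
    ("10.0.0.9", 50002, "10.0.1.10", 23, "c", "SYN"),
    ("10.0.0.9", 50002, "10.0.1.10", 23, "s", "ICMP_REFUSED"),
    ("10.0.0.9", 50003, "10.0.1.11", 22, "c", "SYN"),
    ("10.0.0.9", 50004, "10.0.1.12", 22, "c", "SYN"),
]

def classify(events):
    """Map one flow's ordered (sender, flag) events to a TCP Health state."""
    if not events or events[0] != ("c", "SYN"):
        return "unknown"            # start of the handshake is not in the capture
    if ("s", "SYN-ACK") in events:  # the connection was established
        rst = any(flag == "RST" for _, flag in events)
        return "aborted" if rst else "established"
    if any(e in (("s", "RST"), ("s", "ICMP_REFUSED")) for e in events):
        return "refused"
    return "ignored"                # SYN with no SYN-ACK and no refusal

def flow_states(packets):
    """Group packets into flows and classify each one."""
    flows = defaultdict(list)
    for client, cport, server, sport, sender, flag in packets:
        flows[(client, cport, server, sport)].append((sender, flag))
    return {key: classify(ev) for key, ev in flows.items()}

def scan_suspects(packets, min_targets=3):
    """Clients whose refused/ignored flows hit at least min_targets server:port pairs."""
    targets = defaultdict(set)
    for (client, _, server, sport), state in flow_states(packets).items():
        if state in ("refused", "ignored"):
            targets[client].add((server, sport))
    return {c: len(t) for c, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(flow_states(PACKETS))
    print("possible scan sources:", scan_suspects(PACKETS))
```

Counting distinct server:port targets per client, rather than raw refused or ignored totals, separates a source probing many services from one client retrying a single broken application.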
Starting in v7.4.2, 'Ignored' connections are hidden by default to help control memory usage on the device. In v7.4.3, a toggle was added to the CLI to turn this feature on or off. The command is [no] tcp ddos-ignore.
Priyanka Bhotika