The Refused Sessions sensor looks for a pattern in refused sessions. Refused session counts may indicate a SYN attack or a server that cannot respond to all requests.
Troubleshooting a Refused Sessions Alert
A server tends to stop fulfilling and refusing sessions when it reaches its capacity to handle more data. Sessions also may be refused because a load balancer is sending heart beat messages to the servers.
Refused Sessions counts also may result when legitimate traffic overloads a server that has inadequate resources for additional TCP session requests.
An alert may indicate a SYN or RST flood. If this is the case, the anomaly should be visible in the Enterprise-Wide Correlated Anomalies view.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|