Novell Documentation: Novell BorderManager 3.8

Responding to Alerts

Novell BorderManager 3.8 Alert monitors server performance, license acquisition for licensed Novell BorderManager 3.8 services, security, and Proxy Services availability.

For information on specific alerts:

The following table describes some recommended responses to the Novell BorderManager 3.8 alerts:

Alert	Recommended Actions
Disk space shortage	Reduce the size and number of log files. Add more disk space, if necessary.
Memory shortage	Check server resources using monitor.nlm to determine whether a module is using excessive memory. Add more memory, if necessary. Depending on the bus type, some NetWare servers do not register all the memory present unless a REGISTER MEMORY statement exists in the startup.ncf file. More information about REGISTER MEMORY is located in the NetWare 5 online documentation at the following path: Reference > Utilities Reference (under the General Reference heading) > Utilities > REGISTER MEMORY
ECB shortage	Check server resources using monitor.nlm to determine which NLM uses the most event control blocks (ECBs). Increase the maximum packet receive buffers on the server if server memory allows.
License error	Verify the current licenses installed for the server and check for license conflicts or expired trial licenses. Install additional licenses, if necessary.
Loading or unloading a security-sensitive NLM	This alert is primarily informational. Verify that the server console is secure and all remote sessions are authorized. Reload or unload the NLM, if necessary.
Oversized ping packet	Use a packet sniffer to capture packets and determine the source IP address. Configure a TCP/IP packet forwarding filter to block pings originating from that source.
SYN packet flooding	Use a packet sniffer to capture packets and determine the source IP address. Configure a TCP/IP packet forwarding filter to block TCP packets originating from that source.
Oversized UDP packet	Use a packet sniffer to capture packets and determine the source IP address. Configure a TCP/IP packet forwarding filter to block UDP packets originating from that source.
Cache hierarchy parent (ICP parent) down	Ping the parent server to check if there is a routing problem. Verify that the parent server for the cache hierarchy is down and bring the server back up. Note that if the cache hierarchy has multiple parents configured, proxy servers lower in the hierarchy will use the other parent servers while this server is down.
SOCKS server down	Ping the SOCKS server to check if there is a routing problem. Verify that the SOCKS server is down and bring the server back up.
POP3 or SMTP server down	Ping the Post Office Protocol 3 (POP3) or SMTP server to check if there is a routing problem. Verify that the POP3 server or internal mail server is down. You might not be able to resolve this problem if the POP3 server is administered by someone who is outside your organization.

Server Performance Alerts

Server performance alerts notify you of potential problems with server parameters or operations that can cause Novell BorderManager 3.8 services to underperform or fail.

The server performance alerts are as follows:

Disk space shortage
A disk space shortage warning indicates that the shortage of disk space is severe enough to potentially cause server operations to fail.
Memory shortage
A memory shortage warning indicates that the shortage of memory is severe enough to potentially cause server operations to fail.
Event Control Block (ECB) shortage (out of receive buffers or no ECBs available)
An ECB shortage warning indicates that the packet receive buffer or ECB shortage is severe enough to potentially cause network input or output to degrade or fail.

License Acquisition Alerts

A license alert indicates that a Novell BorderManager 3.8 service was unable to acquire the license it needs to operate.

Novell BorderManager 3.8 Alert monitors license acquisition for the following:

Proxy Services
Virtual Private Network (VPN) servers and clients
Access control

Security Alerts

Security alerts notify you of possible security breaches. The causes of these alerts should be investigated further because your server might be the target of a denial-of-service attack.

Denial-of-service attacks commonly plague servers connected to the Internet and are initiated by someone without authorized access to servers. A denial-of-service condition can be caused by a bombardment of packets sent to a server in order to consume significant memory or CPU processing time. After these server resources have been allocated to handle the packets, connection requests made by legitimate users cannot be processed effectively.

As with computer viruses, new denial-of-service attacks are launched on the Internet community without warning. Many of the known denial-of-service attacks are documented on various Web sites.

The Novell BorderManager 3.8 security alerts include the following:

Loading or unloading a security-sensitive NLM
Security-sensitive modules are those that can potentially compromise network or server security when they are loaded or unloaded.

The modules that are considered security-sensitive are as follows:
- ds.nlm
- ftpserv.nlm
- ipxipgw.nlm
- proxy.nlm
- remote.nlm
- tftpserv.nlm
- vpninf.nlm
- vpmaster.nlm
- vpslave.nlm
Oversized ping packet
An oversized ping packet warning can indicate that malicious activity is occurring on the server. This alert is generated when the server receives and discards ping packets that have more than 10,240 bytes of data. The server is enabled to discard these packets by default.

For certain situations that require your server to receive larger ping packets, such as router stress tests, specify the following SET commands at the server console to change the largest ping packet size or disable packet discarding:

SET LARGEST PING PACKET SIZE=N

SET DISCARD OVERSIZED PING PACKETS=OFF

The variable n is a decimal number representing the number of bytes allowed. Never specify a number with commas.

To re-enable packet discarding, enter the following command at the server console:

SET DISCARD OVERSIZED PING PACKETS=ON

NOTE: You should know your network topology before changing the largest ping packet size, because packet sizes are limited by the type of media used. For Ethernet only, the oversized ping packet alert is not generated if the largest ping packet size is set between 35,541 and 65,535 bytes. However, alerts are generated for packets smaller than 35,541 bytes. The acceptable packet size ranges for other media differ and depend on each medium's maximum transmission unit (MTU), which is the largest packet size a medium can transport without fragmentation.
SYN packet flooding
A TCP SYN packet flood warning can indicate that malicious activity is occurring on the server, which can cause a denial-of-service condition. TCP connections require a three-way handshake between the server and client:
- The client sends a packet in which the SYN flag is set in the TCP header.
- The server sends a SYN/ACK (acknowledgment) packet.
- The client sends an ACK packet so data transmission can begin. A denial-of-service condition occurs when the client fails to send the last ACK packet and intentionally sends successive TCP connection requests to the server to fill up the server's buffer.
After the server's buffer is full, other clients cannot establish a connection, resulting in a denial-of-service condition.

IMPORTANT: Novell BorderManager 3.8 Alert detects only SYN packet floods for socket applications, such as FTP.

Because of the importance of defending your server against SYN packet floods, the detection of SYN packet floods should always be enabled. However, for extreme troubleshooting measures, use the following SET command to disable detection if necessary:

SET TCP DEFEND SYN ATTACKS=OFF

Re-enable detection with the following command:

SET TCP DEFEND SYN ATTACKS=ON
Oversized UDP packet
An oversized UDP packet warning can indicate that the malicious activity is occurring on the server. This alert is generated when the server receives and discards UDP packets larger than 16,384 bytes. The server is enabled to discard these packets by default.

If necessary, specify the following SET commands at the server console to change the largest UDP packet size or disable packet discarding:

SET LARGEST UDP PACKET SIZE=n

SET DISCARD OVERSIZED UDP PACKETS=OFF

The variable n is a decimal number representing the number of bytes allowed. Never specify a number with commas.

To re-enable packet discarding, specify the following command at the server console:

SET DISCARD OVERSIZED UDP PACKETS=ON

NOTE: You should know your network topology before changing the largest UDP packet size, because packet sizes are limited by the type of media used. For Ethernet only, the oversized UDP packet alert is not generated if the largest UDP packet size is set between 35,541 and 65,535 bytes. However, alerts are generated for packets smaller than 35,541 bytes. The acceptable packet size ranges for other media differ and depend on each medium's MTU, which is the largest packet size a medium can transport without fragmentation.

Many other documented denial-of-service attacks can be detected by Novell BorderManager 3.8 Alert, although attacks are not identified by name.

Proxy Alerts

Proxy alerts generally indicate that a proxy server has not been configured correctly or is down.

The proxy alerts are as follows:

Cache hierarchy parent (ICP parent) down
A cache hierarchy parent down warning indicates a problem with the parent proxy cache server in a configured cache hierarchy. If the cache hierarchy client is enabled on the proxy server and the proxy fails to connect to the parent, the alert is triggered.

If the option to forward all requests through the hierarchy has been selected and the parent is down, requests that cannot be fulfilled through the cache can result in an error because the parent is not available to access the source information.
SOCKS server down
A SOCKS server down warning indicates that the SOCKS server to which the proxy cache server connects as a client is down. If the SOCKS client is enabled on the proxy server and the proxy fails to make a connection, the alert is triggered. Because a SOCKS server is often used as a firewall, requests that cannot be fulfilled through the cache can result in an error because the proxy cannot forward requests through the firewall.
POP3 or SMTP server down
A POP3 server down warning indicates that there is a problem with a POP3 server or an internal SMTP mail server.

The mail proxy enabled on the Novell BorderManager 3.8 server cannot forward outgoing mail to the POP3 server or deliver incoming mail to the SMTP server.