TCP SYN Host Sweep on ASA PAT environment

Unanswered Question
Mar 30th, 2007

Hi everyone,

I have configured a lab environment with an ASA5520 and an ASA-SSM-10 (IPS).

The ASA5520 works as an ADSL router; only PAT is configured for address translation on the outside interface of the ASA5520, and the ASA5520 also works as a DHCP server for the inside interface to distribute addresses to inside users.

- PAT configuration on ASA5520

global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0

- DHCP configuration on ASA5520

dhcpd address 172.16.1.1-172.16.1.240 inside

By default, signature 3030 TCP SYN Host Sweep is enabled on the ASA-SSM-10 (IPS), and the ASA-SSM-10 (IPS) sometimes detects a TCP SYN Host Sweep in my lab.

The TCP SYN Host Sweep alert shows that the attackers are inside users and the targets are outside (internet) servers.

The following is the detail of the TCP SYN Host Sweep alert.

----------

evIdsAlert: eventId=1131140605648593458 vendor=Cisco severity=informational alarmTraits=2147483648
  originator:
    hostId: ASA-IPS
    appName: sensorApp
    appInstanceId: 341
  time: 2007/03/30 7:49:38 UTC offset=540 timeZone=GMT+09:00
  signature: description=TCP SYN Host Sweep id=3030 version=S2
    subsigId: 0
  interfaceGroup:
  vlan: 0
  participants:
    attacker:
      addr: 172.16.1.28 locality=OUT
      port: 1133
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
    target:
      addr: xxx.xxx.xxx.xxx locality=OUT
  actions:
    ipLoggingActivated: true
    logAttackerPacketsActivated: true
    logPairPacketsActivated: true
    snmpTrapRequested: true
  ipLogIds:
    ipLogId: 1701737076
    ipLogId: 1701737077
  riskRatingValue: 21
  interface: ge0_1
  protocol: tcp

----------

I understand that the TCP SYN Host Sweep fires when the packets the ASA-SSM-10 receives meet the following conditions at the same time:

- One source IP address
- Two or more destination IP addresses
- Same destination port

And I also understand that the ASA5520 sends/diverts packets to the ASA-SSM-10 (IPS) after PAT and just before the packet exits the egress interface.

I configured the ASA5520 to send/divert packets to the AIP SSM as follows:

access-list MatchAllTraffic extended permit ip any any
class-map AllTrafficSendToAIPSSM
 match access-list MatchAllTraffic
policy-map SendToAIPSSM
 class AllTrafficSendToAIPSSM
  ips inline fail-open
service-policy SendToAIPSSM global

I apply the policy map to traffic on all the interfaces by using the global keyword.

I think the TCP SYN Host Sweep my ASA-SSM-10 (IPS) detects is a false positive and not a problem, because I think my ASA-SSM-10 (IPS) receives the following packets in my lab:

- Source IP address: always the IP address of the ASA5520's outside interface, because of PAT
- Destination IP addresses: more than one
- Destination port: HTTP (80)

Is my understanding true?

If so, should I disable the TCP SYN Host Sweep signature in my case?

Please let me know any comments about this.

Your information would be appreciated.

Best regards,

Anonymous (not verified) Thu, 04/05/2007 - 10:20

This will be a normal signature to see triggered if you are watching outbound traffic from your internal network. As long as the source of the traffic is your internal hosts, and the destination is external hosts, this is likely just normal behavior.

This signature triggers when a single host sends TCP SYN packets to a number of different hosts, perhaps because of multiple web sessions going, or pop-up windows while web surfing.

Check this bug ID: CSCsh94361
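The following is an added example, not code from the original question or reply and not Cisco's signature engine. It models the three conditions the question lists for signature 3030 (one source, one destination port, two or more distinct destinations) as a small detector run over constructed SYN records, and it also models interface PAT so you can see what the attacker field would look like if the sensor inspected post-translation traffic: every inside host collapses into the outside interface address, and the alert can no longer tell you which inside host opened the sessions. The outside interface address (192.0.2.1), the external server addresses, the unique-target threshold and the 60-second window are all assumed values chosen for the example; the real signature's parameters are tuned on the sensor.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One TCP SYN as the sensor would see it (constructed sample record)."""
    ts: float      # seconds since an arbitrary epoch
    src: str
    sport: int
    dst: str
    dport: int


# Constructed sample traffic (not from the post): inside hosts in the
# 172.16.1.0/24 DHCP range opening web sessions to external servers.
# External addresses are RFC 5737 documentation addresses.
SAMPLE_SYNS = [
    Syn(0.0, "172.16.1.28", 1133, "198.51.100.10", 80),
    Syn(0.5, "172.16.1.28", 1134, "198.51.100.11", 80),
    Syn(1.2, "172.16.1.28", 1135, "203.0.113.5", 80),
    Syn(1.4, "172.16.1.29", 2001, "198.51.100.10", 80),
    Syn(2.0, "172.16.1.30", 3001, "203.0.113.7", 443),
    Syn(2.3, "172.16.1.30", 3002, "203.0.113.8", 443),
    Syn(90.0, "172.16.1.29", 2002, "203.0.113.9", 80),   # outside the window
]

# Assumed outside interface address of the ASA (placeholder, documentation range).
OUTSIDE_IF_ADDR = "192.0.2.1"


def apply_pat(syns, outside_addr=OUTSIDE_IF_ADDR, first_port=1024):
    """Model ASA interface PAT: every inside source is rewritten to the
    outside interface address with a unique translated source port."""
    return [
        Syn(s.ts, outside_addr, first_port + i, s.dst, s.dport)
        for i, s in enumerate(syns)
    ]


def host_sweep_alerts(syns, unique_targets=2, window=60.0):
    """Simplified host-sweep detector: one source, one destination port,
    `unique_targets` or more distinct destination addresses within
    `window` seconds. Threshold and window are assumed values, not the
    sensor's real signature parameters.
    Returns {(src, dport): sorted list of swept destination addresses}."""
    by_key = defaultdict(list)
    for s in syns:
        by_key[(s.src, s.dport)].append((s.ts, s.dst))

    alerts = {}
    for key, events in by_key.items():
        events.sort()
        # Slide a window starting at each SYN; alert on the first window
        # that contains enough distinct destinations.
        for i, (t0, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(seen) >= unique_targets:
                alerts[key] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    # Before translation the alert names the real inside host, as in the
    # question's own alert (attacker 172.16.1.28); after PAT every sweep
    # is attributed to the outside interface address.
    print("pre-NAT :", host_sweep_alerts(SAMPLE_SYNS))
    print("post-PAT:", host_sweep_alerts(apply_pat(SAMPLE_SYNS)))
```

Running it shows two alerts in both cases, but only the pre-translation run attributes them to 172.16.1.28 and 172.16.1.30; after PAT both alerts carry the outside interface address, which is why an alert whose attacker field shows an inside address is evidence the sensor saw the packet before translation. Raising `unique_targets` is the tuning knob that corresponds to making the signature less sensitive to ordinary browsing.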

snakayama Thu, 04/05/2007 - 18:33

Hi,

Thank you very much for your reply.

I understand it.

Best regards,
