2068 Views, 0 Helpful, 17 Replies
TCP SYN Host Sweep (3030.0) Firing Excessively

RITgrad2008
Level 1

Hello all,

We recently added a bunch of IPS to our internal networks (we originally only had them on the perimeter). Since we implemented these IPS (running 5.x), we have seen a massive increase in the number of TCP SYN Host Sweeps.

I looked a little further into the traffic, and it appears a lot of it is traffic to port 80 on external addresses (I'm guessing it's websites with ads, etc. that are causing most of these ones).

However, there are a great deal of connections going to seemingly arbitrary ports to many different network ranges. The part that worries me the most is that a lot of the SYN sweeps go to internal AND external addresses.

I have been unable to determine the exact cause of the SYN sweeps but it appears that a majority of our clients are doing it.

I am only an intern, so my knowledge (and access to such knowledge) is rather limited.

I was wondering if anyone had any similar experiences? If so, is there a good way to weed out the false positives from the potentially important alerts?

Best Regards,

Ryan

1 Accepted Solution

We use Intellitactics NSM as our SEM and it works very well for our environment (because it is very programmable and we love to tinker).

I can't remember the exact changes we've made but this is what we have:

#sh conf | begin 3030
signatures 3030 0
engine sweep
unique 50
protocol tcp
storage-key Axxb
specify-port-range yes
port-range 1-24,26-79,81-442,444-2966,2968-65534

The part of this signature that works for us is our platform (NSM) will create an alert when we see 100 of these signatures within a specific time period. That lets us know that some type of scanning is ongoing (note that busy HTTP, DNS, & FTP servers will trigger this sig on return traffic so filtering & profiling is important).


17 Replies

rmeans
Level 3

I have had similar trouble and found the problem to be asymmetric routing. I resolved the problem by paying close attention to what exactly I was having the IPS monitor. I had an IDSM-2 monitoring VLANs spread across several switches. When I switched to monitoring a couple of choke points, the asymmetric problem stopped.

Has anyone else seen this issue? Is this always the culprit?

I have no control over the network topology (I'm more of a sys admin than a net admin, haha).

mhellman
Level 7

I've never found this signature at all useful. This will fire on normal internal network traffic.

Cisco says to filter internal address space as sources....see here:

https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=3030&signatureSubId=0

My reasoning for keeping it enabled (or rather, my speculation for why it remains enabled) is because it appears that it would help identify worms spreading through the network.

More specifically, I'm not really worried about port 80 connections to devices outside the network. However, I do find it slightly odd that some sweeps target both internal and external addresses. I would be very worried if the connections seemed to hit every device on its subnet.

Does anyone know any other specific causes/culprits/likely services to cause such traffic to internal and external addresses? I have yet to see SYN sweeps targeting internal addresses (or entire subnets for that matter) exclusively.

Thanks again,

Ryan

Have you been able to identify whether or not asymmetric routing is the cause of your problem? This is what I did to identify the problem. First, can you identify which source networks are having trouble? In my case, all, so it did not matter where I tested from. I made the assumption that my laptop only produced valid traffic. Using the IDS packet capture/display feature in command, I monitored traffic from my laptop. I found that when I pulled up a web page (cisco.com) the IDS only captured the TCP SYN packet. Looking at my laptop browser it was obvious that the cisco.com page had completely loaded, thus more than a single TCP SYN packet was transferred between cisco.com and my laptop. Signature 3030 actually exposed a greater problem: the IDS was only seeing parts of packet streams. I found that I had to deploy/monitor traffic differently.

I use the 3030 but have found that the signature only works well in certain environments. For example, if PAT is involved the IDS might be monitoring one IP address used by many users. Dozens of users accessing various web pages can look like an attack to the IDS. You may need to tune sig 3030 with event action rules.

Keep in mind, by default, sig 3030 looks for 15 SYN packets within 5 seconds from the same source. You may just need to modify the unique count from 15 to 20, 30 or more.
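To make the tuning discussed in this thread concrete, here is an added example (not code from Cisco or from any poster) that models the sweep logic as the thread describes it: a source is flagged once it has sent SYNs to `unique` distinct destination hosts within a window (default 15 hosts in 5 seconds, per the post above), optionally counting only the destination ports listed in the accepted solution's port-range, and then a second SEM-style stage that flags a source once it has produced 100 sweep alerts in a period. The counter-reset behaviour, the one-hour correlation period and all SYN records are assumptions or constructed sample data, not taken from a real sensor.

```python
from collections import defaultdict, deque


def parse_port_ranges(spec):
    """Expand a sig-3030 style port-range string ("1-24,26-79,...") into a set of ports."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


# The port-range from the accepted solution: everything except 25, 80, 443 and 2967.
TUNED_PORTS = parse_port_ranges("1-24,26-79,81-442,444-2966,2968-65534")


def sweep_alerts(syn_events, unique=15, window=5.0, ports=None):
    """Model of the sweep engine as the thread describes it (assumption, not Cisco's code).

    syn_events: (time, src, dst, dport) tuples for SYN-only packets, in time order.
    An alert fires when one source has sent SYNs to `unique` distinct destination
    hosts within `window` seconds; the counter is then reset so each burst yields one
    alert (the reset is a modelling assumption). If `ports` is given, SYNs to other
    destination ports are ignored, like specify-port-range in the config.
    """
    recent = defaultdict(deque)      # src -> deque of (time, dst) inside the window
    alerts = []
    for t, src, dst, dport in syn_events:
        if ports is not None and dport not in ports:
            continue
        q = recent[src]
        q.append((t, dst))
        while t - q[0][0] > window:  # drop SYNs that fell out of the window
            q.popleft()
        if len({d for _, d in q}) >= unique:
            alerts.append((t, src))
            q.clear()
    return alerts


def correlate(alerts, threshold=100, period=3600.0):
    """SEM-style rule: flag sources with >= threshold sweep alerts inside `period` seconds.

    The 100-alert threshold follows the accepted solution; the one-hour period is assumed.
    """
    by_src = defaultdict(list)
    for t, src in alerts:
        by_src[src].append(t)
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end, t in enumerate(sorted(times)):
            while t - times[start] > period:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def constructed_syn_events():
    """Constructed sample traffic (not captured data)."""
    events = []
    # (a) a workstation booting: 20 distinct Internet hosts on 80/443 within 3 seconds,
    #     the benign pattern the thread says trips the default signature.
    for i in range(20):
        events.append((100.0 + i * 0.15, "10.1.1.50", f"203.0.113.{i + 1}", 80 if i % 2 else 443))
    # (b) a worm-like host probing 60 internal neighbours on tcp/135 every 20 s for 40 minutes.
    for burst in range(120):
        t0 = 1000.0 + burst * 20.0
        for i in range(60):
            events.append((t0 + i * 0.01, "10.1.1.77", f"10.1.2.{i + 1}", 135))
    events.sort()
    return events


def run_default():
    """Default-style tuning: 15 unique hosts in 5 s, all ports counted."""
    return sweep_alerts(constructed_syn_events())


def run_tuned():
    """Accepted-solution style tuning: unique 50 and the restricted port-range."""
    return sweep_alerts(constructed_syn_events(), unique=50, ports=TUNED_PORTS)


if __name__ == "__main__":
    for label, alerts in (("default", run_default()), ("tuned", run_tuned())):
        print(f"{label}: {len(alerts)} sweep alerts, SEM flags {sorted(correlate(alerts))}")
```

With the default settings the booting workstation raises a sweep alert and the tcp/135 prober raises four per burst; with the accepted solution's port-range and unique count the workstation is silent while the prober still fires once per burst, and only it crosses the 100-alert correlation threshold.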

Could you expand upon how asymmetrical routing plays a role in this signature firing? I believe this signature looks at the SYN-FIN-ACK flags of individual TCP packets and of those flags, if only the SYN flag is set it increments the counter. The rest of the packets in the session aren't relevant...or possibly I don't understand the sig;-)

You'll have to forgive my ignorance, but I am not very familiar with asymmetric routing. From my understanding, asymmetric traffic is when traffic from B to A doesn't follow the same path from A to B. How exactly would this cause the SYN sweeps signature to alert?

How exactly do I go about determining whether asymmetric routing is occurring? Is this something I will need to talk to the network administrator about (setting up a NAM or something)?

It appears that every single host on the network is causing it to fire, including a few servers (which I suspect may be a lazy admin who forgets to use his own system for web surfing). I noticed that even my system has been recorded doing it, although mine does not contact any internal addresses and I recognize most or all of the "victim" addresses in VMS.

I can talk to the rest of the security team to see what the IPS are set to record for the signature (I'm just an intern and I'm only in charge of watching the IDS/IPS monitor).

Thanks again,

Ryan

Ryan,

I turned this one on temporarily on one of our test WAN sensors. I was hoping it would behave differently than it did so many moons ago when it was "tuned". It went bonkers. Worse, the alarm doesn't even contain destination ports. This is probably why you're having such a tough time researching. YMMV, we have a fairly large user base. There are many scenarios where legit traffic might trigger this. Think about how many TCP connections are initiated when a client machine first boots up and a user logs in. You'll want to bump up those unique values if you intend to use it on the internal network.

If your goal is to detect worms or an otherwise infected machine, then like rmeans suggests, you might try jacking up the unique value from the default 15 to something like 127 (half of a class C) and increase the alert interval.

attmidsteam
Level 1

We use this signature to detect network scanning type activity and have our SEM correlate these events after reaching certain thresholds.

It is a great way to detect mass probings (such as outside IPs finding available FTP & web servers) or internal worm traffic (where you have many events from the same IP with a dest port of 135 for example).

I don't believe asymmetric routing plays a role with sig 3030. I was thinking overnight and I believe I confused/merged two different IDS related events into one. Please forgive me.

I believe sig 3030 looks for just TCP packets with the SYN flag set. Sig 3020 looks for packets with the SYN and FIN flag set.

I agree with most others that sig 3030 needs to be tuned in some way to make it useful.

I was wondering if you could tell me how you tuned your signature? I agree that it seems like a very useful signature if it is tuned properly.

If you don't mind, would you explain what changes you made, and what SEM you used? We have VMS, and we have MARS - no one likes MARS, maybe I just don't know how to use it properly...

I've got a security meeting today and I plan to bring up changing the default to something higher like 30 or 50.

Also, I know I asked this earlier... but does anyone have any idea why the SYN sweeps would be recorded as going to internal AND external addresses? Is it just because the devices happen to make connections to commonly-used servers during the interval and thus get recorded? To put it differently, are the internal and external connections most likely unrelated and just coinciding during that time period?

Best Regards,

Ryan

When you look at one of these alarms, you should see a target IP address and multiple victim IP addresses. When you say "going to internal and external addresses", do you mean the attacker is an internal IP address (client machine for example) and the victim addresses include both internal and external? If that is the case, then this is probably quite normal and the connections could be unrelated. The best example I can think of is when a user first logs onto his machine for the day. All sorts of software loads during startup that may try to make direct connections to Internet hosts (for updates and such). Another example is normal browsing of the Internet and hitting a site that uses flash or some other plug-in. This can also cause this kind of behavior.

Yes, the "attacker" is always an internal address.
