Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
580
Views
0
Helpful
2
Replies

are packets being spoofed/hijacked?

saidfrh
Level 1
Level 1

‎05-09-2008 11:39 PM - edited ‎03-11-2019 05:42 AM

Hi,

The following are from syslogs on ASA5510 firewall. Are the following TCP sessions being spoofed in the SYN phase?

07:40:25: %ASA-4-419002: Duplicate TCP SYN from Inside: 192.168.1.170/3229 to outside:82.42.69.140/4219 with different initial sequence number

(I can not find who has IP 192.168.1.170. Trend Micro shows no one on the LAN .170

The following shows an original udp payload, yet there seems to be a ICMP transmission.

ASA-4-313005 : No matching connection for ICMP error message: icmp src outside: 76.189.113.82 dst inside: 207.105.y.x (type 3, code 1) on outside interface: Original payload: udp src 207.105.y.x/3919 dst 192.168.1.100/49593

Labels:
0 Helpful
2 Replies 2

aghaznavi
Level 5
Level 5

‎05-15-2008 02:28 PM

Because connection limits are configured for a good reason, this system log message could indicate a possible DoS attack, in which case the source of the traffic could likely be a spoofed IP address. If the source IP address is not totally random, identifying the source and blocking it using an access-list might help. In other cases, getting sniffer traces and analyzing the source of the traffic would help in isolating unwanted traffic from legitimate traffic.

0 Helpful

saidfrh
Level 1
Level 1
In response to aghaznavi

‎05-16-2008 08:50 AM

Is it best to sniff the traffic on the LAN or in between the perimeter router and the firewall?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card