What causes an internal IP to "attack" multiple public IPs?

Answered Question
Aug 8th, 2008

We have had numerous TCP SYN Host Sweeps. Could anyone share what could cause the above? Copy of alert details follow.

evIdsAlert: eventId=1216742775473866070 vendor=Cisco severity=informational

originator:

hostId: ips

appName: sensorApp

appInstanceId: 403

time: Aug 08, 2008 19:18:53 UTC offset=-480 timeZone=GMT-08:00

signature: description=TCP SYN Host Sweep id=3030 version=S2

subsigId: 0

marsCategory: Probe/SpecificPorts

interfaceGroup: vs0

vlan: 0

participants:

attacker:

addr: 172.16.5.111 locality=OUT

port: 3958

target:

addr: 69.63.178.11 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 64.62.193.70 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 77.67.127.41 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 64.215.162.27 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 65.55.15.242 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 77.67.127.10 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 69.63.176.167 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 65.242.27.32 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 64.209.118.140 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 77.67.127.25 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 207.200.64.225 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 207.68.179.219 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 65.55.13.158 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 63.217.8.128 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 66.151.244.212 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

target:

addr: 207.200.64.161 locality=OUT

os: idSource=unknown type=unknown relevance=relevant

alertDetails: InterfaceAttributes: context="Unknown" physical="Unknown" backplane="GigabitEthernet0/1" ;

riskRatingValue: 31 targetValueRating=medium attackRelevanceRating=relevant

threatRatingValue: 31

interface: GigabitEthernet0/1 context=Unknown physical=Unknown backplane=GigabitEthernet0/1

protocol: tcp

I have this problem too.
0 votes
Correct Answer by Farrukh Haroon about 8 years 5 months ago

Sweeps when detected on the LAN are 'mostly' false positives, this is the official word from Cisco:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

"Benign Triggers

Host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network."

You can either filter these signatures from the LAN hosts using Event Action Filters or tune the signature (by using the source/dest. fields inside it).

Regards

Farrukh

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Farrukh Haroon Sat, 08/09/2008 - 14:55

Sweeps when detected on the LAN are 'mostly' false positives, this is the official word from Cisco:

http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=3030&signatureSubId=0&softwareVersion=6.0&releaseVersion=S2

"Benign Triggers

Host sweep signatures 3030 and 3032 detect behaviors that should not be observed from sources outside the local network but are normal behaviors for sources from within the local network."

You can either filter these signatures from the LAN hosts using Event Action Filters or tune the signature (by using the source/dest. fields inside it).

Regards

Farrukh

Farrukh Haroon Sat, 08/09/2008 - 14:58

To answer your original question, for example I have 35+ tabs open in my Firefox browser right now. Lets say I re-open my browser and re-open all these tabs 'at once', or hit the 'reload-all-tabs' button, the IPS will see 35 TCP syns to the same destination port (80) from my source IP. It might consider this a TCP SYN port sweep (on same dest. port). Even tough its just an innocent guy trying to browse the web :).

Regards

Farrukh

Jabamani_S Thu, 04/26/2012 - 08:09

event_id=1315988670190568856

severity=high

device_name=

app_name=sensorApp

sig_id=1202

subsig_id=0

sig_name=IP Fragment Overrun - Datagram Too Long sig_details=IP Fragment overrun - Datagram too long

sig_version=S212

attacker_ip=10.92.21.120

attacker_port=0

attacker_locality=OUT

victim_ip=6.71.2.110

victim_port=0

victim_os=unknown unknown (relevant)

victim_locality=OUT

event_id=1315988670190568856

severity=high

device_name=

app_name=sensorApp

sig_id=1202

subsig_id=0

sig_name=IP Fragment Overrun - Datagram Too Long sig_details=IP Fragment overrun - Datagram too long

sig_version=S212

attacker_ip=10.92.21.120

attacker_port=0

attacker_locality=OUT

victim_ip=6.71.2.110

victim_port=0

victim_os=unknown unknown (relevant)

victim_locality=OUT

This DOS attack happens from Internal IP to Public IP. Is it a real one ?

Actions

This Discussion