One of the Pix at our customers faced an interesting problem lately.
The customer reported that at times they cannot establish legitimate connections from one segment to the other; effectively, the firewall is not passing any traffic at all.
We noticed a high CPU in the PIX and analyzed the logs. There we noticed that there are a huge number of connection denies (both TCP and UDP) from a set of IP addresses from a particular segment going out to the internet on high-end ports. (The PIX was configured to allow only web traffic to the internet, and therefore these connection attempts were getting denied.) There was one particular IP (192.168.13.83) which was prominently doing this, and we then asked to shut down that machine. The problem with the PIX disappeared immediately.
Because of this we thought that this can be classified as a probable DOS attack on the PIX. But we are trying to find what exactly the attack is. Can anyone relate to this?
I've attached an extract from the firewall log FYI.
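Added example, not part of the original post or its attached log extract: a small Python triage script that tallies PIX 106023 deny messages per source IP and flags hosts whose denies fan out across many destinations on high ports, which is the pattern described above. The sample log lines, the message format and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in PIX syslog 106023 ("Deny ... by access-group") format.
# Not the poster's real extract; the last line is a non-deny message to show filtering.
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src inside:192.168.13.83/3321 dst outside:203.0.113.10/6346 by access-group "inside_access_in"
%PIX-4-106023: Deny udp src inside:192.168.13.83/3322 dst outside:203.0.113.11/6347 by access-group "inside_access_in"
%PIX-4-106023: Deny tcp src inside:192.168.13.83/3323 dst outside:203.0.113.12/6348 by access-group "inside_access_in"
%PIX-4-106023: Deny tcp src inside:192.168.13.83/3324 dst outside:203.0.113.13/6349 by access-group "inside_access_in"
%PIX-4-106023: Deny tcp src inside:192.168.13.20/2001 dst outside:203.0.113.10/445 by access-group "inside_access_in"
%PIX-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.168.13.20/2002 (192.168.13.20/2002)
"""

DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def summarize_denies(log_text):
    """Per source IP: total denies, denies to ports >= 1024, and distinct destination hosts."""
    stats = defaultdict(lambda: {"count": 0, "high_ports": 0, "dst_hosts": set()})
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106023 deny (e.g. a 302013 built-connection message)
        s = stats[m["src"]]
        s["count"] += 1
        if int(m["dport"]) >= 1024:
            s["high_ports"] += 1
        s["dst_hosts"].add(m["dst"])
    return stats


def suspect_sources(log_text, min_denies=3, min_dst_hosts=3):
    """Sources whose denies are both numerous and spread over many destinations (assumed thresholds)."""
    stats = summarize_denies(log_text)
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= min_denies and len(s["dst_hosts"]) >= min_dst_hosts)


if __name__ == "__main__":
    for ip, s in summarize_denies(SAMPLE_LOG).items():
        print(ip, "denies:", s["count"], "high-port:", s["high_ports"], "dst hosts:", len(s["dst_hosts"]))
    print("suspects:", suspect_sources(SAMPLE_LOG))
```

Feed the real syslog extract in place of SAMPLE_LOG; a single host dominating the output with a wide destination spread is the one to isolate first.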