10-08-2009 12:42 AM - edited 03-11-2019 09:24 AM
Hello,
We are seeing a very large number of TCP connections at the PIX 525 firewall to the Anti-Spam mail gateway. Here is a sample of show conn for the Anti-Spam IP X.X.X.X; by the way, the attacker is using many src IP addresses:
==============================================================================
TCP out ((Attacker IPs)):3235 in X.X.X.X:25 idle 0:01:54 bytes 0 flags UFB
TCP out (Attacker IPs):4532 in X.X.X.X:25 idle 0:07:28 bytes 0 flags UFB
TCP out (Attacker IPs):3112 in X.X.X.X:25 idle 0:00:08 bytes 0 flags aB
TCP out (Attacker IPs):4056 in X.X.X.X:25 idle 0:04:43 bytes 0 flags UFB
TCP out (Attacker IPs):11679 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB
TCP out (Attacker IPs):3126 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):3125 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):16588 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB
TCP out (Attacker IPs):2846 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB
TCP out (Attacker IPs):2927 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):2926 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB
TCP out (Attacker IPs):2925 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB
TCP out (Attacker IPs):42869 in X.X.X.X:25 idle 0:02:51 bytes 596 flags UfFRIOB
TCP out (Attacker IPs):2247 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):1409 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):6062 in X.X.X.X:25 idle 0:09:09 bytes 0 flags UFB
TCP out (Attacker IPs):4018 in X.X.X.X:25 idle 0:00:04 bytes 0 flags aB
TCP out (Attacker IPs):1276 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):2559 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB
TCP out (Attacker IPs):4518 in X.X.X.X:25 idle 0:00:18 bytes 0 flags aB
TCP out (Attacker IPs):17397 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):2041 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB
TCP out (Attacker IPs):2191 in X.X.X.X:25 idle 0:22:32 bytes 0 flags UFB
TCP out (Attacker IPs):1775 in X.X.X.X:25 idle 0:24:39 bytes 0 flags UFB
TCP out (Attacker IPs):3341 in X.X.X.X:25 idle 0:00:00 bytes 0 flags SaAB
==============================================================================
As I see it, this is a TCP SYN attack; the Anti-Spam queue is full, with around 40,000 TCP connections.
One of our solutions: we applied the following configuration to the PIX firewall in order to drop embryonic and half-closed TCP connections and also to limit the max number of TCP connections:
====
class-map tcp_syn_smtp
match port tcp eq 25
exit
policy-map tcp_syn_smtp
class tcp_syn_smtp
set connection conn-max 400
set connection embryonic-conn-max 800
set connection random-sequence-number enable
set connection timeout embryonic 0:0:45
set connection timeout half-closed 0:05:00
set connection timeout tcp 0:10:0
====
By the way, the following two commands are not supported on the PIX 525 running 7.0(6).
set connection per-client-embryonic-max 10
set connection per-client-max 5
My questions are:
1- Is our conclusion that this is a TCP SYN attack correct, with reference to the show conn output above?
2- Are the numbers for the TCP connection limits and timeouts correct?
Thanks
Abd Alqader
10-08-2009 06:59 PM
A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
Most of them have flag aB, meaning we are waiting for the ACK from the outside.
This does appear to be a SYN attack.
The MPF looks correct as well. I would match an access-list and only watch for port 25 traffic destined to the smtp server's IP address instead of match tcp 25 and only apply the policy-map on the outside interface.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546
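As an added example that is not part of the original thread or of any Cisco tooling: a small Python triage script that parses show conn output like the lines quoted above and classifies each TCP entry by handshake state using the flag legend in the answer (no U = handshake never completed; U plus F/f = half-closed; U otherwise = established). It then reports, per destination port, how many connections are embryonic, how many distinct sources are involved, which sources hold the most entries, and how many embryonic entries have sat idle longer than the poster's 45-second embryonic timeout (if such entries exist, the policy-map is not actually being applied to that traffic). The sample output, the RFC 5737 addresses and the flood thresholds are constructed for this example.

```python
"""Triage PIX/ASA ``show conn`` output for SYN-flood symptoms.

Added example for this thread, not Cisco code. The flag letters follow the
legend quoted in the answer above; the sample output and the thresholds are
constructed here for illustration.
"""
import re
from collections import Counter

# Constructed sample, shaped like the lines quoted in the thread. Addresses are
# RFC 5737 documentation ranges, not the poster's real hosts.
SAMPLE_SHOW_CONN = """\
TCP out 203.0.113.10:3235 in 192.0.2.25:25 idle 0:01:54 bytes 0 flags UFB
TCP out 203.0.113.11:4532 in 192.0.2.25:25 idle 0:07:28 bytes 0 flags UFB
TCP out 203.0.113.12:3112 in 192.0.2.25:25 idle 0:00:08 bytes 0 flags aB
TCP out 203.0.113.13:11679 in 192.0.2.25:25 idle 0:00:00 bytes 0 flags UB
TCP out 203.0.113.12:3126 in 192.0.2.25:25 idle 0:00:00 bytes 0 flags aB
TCP out 203.0.113.12:3125 in 192.0.2.25:25 idle 0:00:00 bytes 0 flags aB
TCP out 203.0.113.14:42869 in 192.0.2.25:25 idle 0:02:51 bytes 596 flags UfFRIOB
TCP out 203.0.113.15:2247 in 192.0.2.25:25 idle 0:00:00 bytes 0 flags aB
TCP out 203.0.113.15:2248 in 192.0.2.25:25 idle 0:01:10 bytes 0 flags aB
TCP out 203.0.113.16:2926 in 192.0.2.25:25 idle 0:00:01 bytes 0 flags aB
TCP out 203.0.113.16:2925 in 192.0.2.25:25 idle 0:00:01 bytes 0 flags aB
TCP out 203.0.113.17:3341 in 192.0.2.25:25 idle 0:00:00 bytes 0 flags SaAB
TCP out 203.0.113.18:2191 in 192.0.2.25:25 idle 0:22:32 bytes 0 flags UFB
TCP out 203.0.113.20:51000 in 192.0.2.80:80 idle 0:00:05 bytes 4120 flags UIOB
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<out_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<in_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+idle\s+(?P<idle>\d+:\d\d:\d\d)"
    r"(?:\s+bytes\s+(?P<bytes>\d+))?(?:\s+flags\s+(?P<flags>\S+))?"
)


def idle_seconds(text):
    """'0:01:54' -> 114."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def classify(flags):
    """Map a PIX/ASA TCP flag string onto a coarse handshake state."""
    if "U" not in flags:
        # No 'U' (up): the three-way handshake never completed. Any of
        # S/s/A/a means the firewall is still waiting on a SYN or an ACK.
        return "embryonic" if set(flags) & set("SsAa") else "other"
    if set(flags) & set("Ff"):
        return "half-closed"  # up, but one side has already sent FIN
    return "established"


def parse_show_conn(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # legend lines, "N in use" counters, blank lines
        rec = m.groupdict()
        rec["idle"] = idle_seconds(rec["idle"])
        rec["bytes"] = int(rec["bytes"] or 0)
        rec["flags"] = rec["flags"] or ""
        rec["state"] = classify(rec["flags"]) if rec["proto"] == "TCP" else "udp"
        conns.append(rec)
    return conns


def summarize(conns, dport="25", embryonic_timeout=45):
    """Per-state counts for one destination port, plus the noisiest sources.

    embryonic_timeout is the poster's 0:0:45 setting (assumed); embryonic
    entries idle longer than that should not exist if the policy is in effect.
    """
    sel = [c for c in conns if c["proto"] == "TCP" and c["dport"] == dport]
    states = Counter(c["state"] for c in sel)
    per_src = Counter(c["src"] for c in sel)
    stale = [c for c in sel if c["state"] == "embryonic" and c["idle"] > embryonic_timeout]
    return {
        "total": len(sel),
        "embryonic": states["embryonic"],
        "half_closed": states["half-closed"],
        "established": states["established"],
        "distinct_sources": len(per_src),
        "top_sources": per_src.most_common(3),
        "stale_embryonic": len(stale),
    }


def looks_like_syn_flood(summary, min_total=10, min_ratio=0.5):
    """Heuristic: many connections, and most of them never completed the handshake."""
    if summary["total"] < min_total:
        return False
    return summary["embryonic"] / summary["total"] >= min_ratio


if __name__ == "__main__":
    s = summarize(parse_show_conn(SAMPLE_SHOW_CONN))
    for k, v in s.items():
        print(f"{k:18} {v}")
    print("SYN flood?", looks_like_syn_flood(s))
```

Feed it the real show conn output (for example, `show conn | include :25`) with the thresholds adjusted to the gateway's normal load; the embryonic ratio and the spread of distinct sources are what distinguish a distributed SYN flood from a single misbehaving client, and a non-zero stale count after the policy-map is in place is the quickest sign that the service-policy is not attached to the interface the attack arrives on.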
10-11-2009 12:06 AM
Many thanks for your reply!