Solved: It seems TCP SYN Attack!

a.hajhamad · ‎10-08-2009

Hello,

We have very huge number of TCP connections we can see at PIX 525 firewall to Anti-Spam mail gateway. Here is sample of show connection to Anti-Spam IP X.X.X.X; by the way the attacker is using many src IP addresses:

==============================================================================

TCP out ((Attacker IPs)):3235 in X.X.X.X:25 idle 0:01:54 bytes 0 flags UFB

TCP out (Attacker IPs):4532 in X.X.X.X:25 idle 0:07:28 bytes 0 flags UFB

TCP out (Attacker IPs):3112 in X.X.X.X:25 idle 0:00:08 bytes 0 flags aB

TCP out (Attacker IPs):4056 in X.X.X.X:25 idle 0:04:43 bytes 0 flags UFB

TCP out (Attacker IPs):11679 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB

TCP out (Attacker IPs)4:3126 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):3125 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):16588 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB

TCP out (Attacker IPs):2846 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB

TCP out (Attacker IPs):2927 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):2926 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB

TCP out (Attacker IPs):2925 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB

TCP out (Attacker IPs):42869 in X.X.X.X:25 idle 0:02:51 bytes 596 flags UfFRIOB

TCP out (Attacker IPs):2247 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):1409 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):6062 in X.X.X.X:25 idle 0:09:09 bytes 0 flags UFB

TCP out (Attacker IPs):4018 in X.X.X.X:25 idle 0:00:04 bytes 0 flags aB

TCP out (Attacker IPs):1276 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):2559 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB

TCP out (Attacker IPs):4518 in X.X.X.X:25 idle 0:00:18 bytes 0 flags aB

TCP out (Attacker IPs):17397 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):2041 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB

TCP out (Attacker IPs):2191 in X.X.X.X:25 idle 0:22:32 bytes 0 flags UFB

TCP out (Attacker IPs):1775 in X.X.X.X:25 idle 0:24:39 bytes 0 flags UFB

TCP out (Attacker IPs):3341 in X.X.X.X:25 idle 0:00:00 bytes 0 flags SaAB

==============================================================================

As i see it is a TCP SYN attack, the Anti-Spam queue is full with TCP connections around 40,000 connections.

One of our solutions: we applied the following configurations to the PIX firewall in order to drop embryonic and half closed TCP connections and also to limit the max number of TCP connections:

====

class-map tcp_syn_smtp

match port tcp eq 25

exit

policy-map tcp_syn_smtp

class tcp_syn_smtp

set connection conn-max 400

set connection embryonic-conn-max 800

set connection random-sequence-number enable

set connection timeout embryonic 0:0:45

set connection timeout half-closed 0:05:00

set connection timeout tcp 0:10:0

===

By the way the following two commands are not supported at PIX 525 7.0(6).

set connection per-client-embryonic-max 10

set connection per-client-max 5

My questions are:

1- Does our conclusion is correct according to TCP SYN attack with reference to the show conn mentioned above?

2- Does the numbers are correct according to TCP parameters & timeout are correct?

Thanks

Abd Alqader

Kureli Sankar · ‎10-08-2009

A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,

B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,

D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,

G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,

i - incomplete, J - GTP, j - GTP data, K - GTP t3-response

k - Skinny media, M - SMTP data, m - SIP media, n - GUP

O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,

q - SQL*Net data, R - outside acknowledged FIN,

R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,

s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,

V - VPN orphan, W - WAAS,

X - inspected by service module

Most of them have flag aB meaning we are waiting for the ack from the outside.

This does appear to be a syn attack.

The MPF looks correct as well. I would match an access-list and only watch for port 25 traffic destined to the smtp server's IP address instead of match tcp 25 and only apply the policy-map on the outside interface.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546

View solution in original post

Kureli Sankar · ‎10-08-2009