Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Analyzing high number of udp teardrown messages in short internval?

I'm security analyst tasked to running SIEM we are getting Cisco asa5585 traffic logs. Two firewall running in active -active configuration. I'm detecting some suspcious pattern which I need clarification/understanding from the community.

In less then 3 hours between  7:00 am to 9:00 am cisco asa logs shows unprecedented increase in UDP teardown messages  going as far 2 million

in total. The number is odd for many reason some which include:-

  • The ratio of udp teardown messages didn't matched with udp built connections. These udp teardown messages for that short period were are almost 20 times more then built connections.
    • A trend-analysis was made to see If such high occurrence of  udp-teardown messages was observed before. For such, comparative  analysis was made for exact time-windows from previous months/weeks and  following sub-patterns were deduced:-  
      • On Dec-22-2013, the ratio between two was only 2%.
      • On Dec-29-2013, the ratio remained the same i.e 2%.
      • On Dec-29-2013, the ratio was 2.1%.
      • On Jan-5-2014, the ratio was 2%.

Sample payload

<166>Jan 20 2014 09:28:49: %ASA-6-302016: Teardown UDP connection  2542342834 for client:202.12.27.33/53 to inside:192.168.1.2/59270  duration 0:02:27 bytes 73

NOTE: Nearly every other teardrop messages comes from src port 53.

Is such sporadic increase in anyway considered an Anomaly (i.e networking loop perhaps)? Also, do these messages esp udp teardown relates to drop action taken by fw due security voilation of some sort, or the traffic logs just tells us its has logged udp connection request teardrop / close request?

Thanks.

1 REPLY

Analyzing high number of udp teardrown messages in short internv

Hello, Asad.

The message says that connection is removed from connection table.

So, no actions required.

But if you observe too high number of such messages, you'ld better to investigate why.

So, try to analyze "show local-host conn udp 100" and find primary host that generates such amount of connection.

After you identify, try to understand if it's normal (or malware) behavior.

If it's not normal, you might limit a number of connections per host.

81
Views
0
Helpful
1
Replies
CreatePlease login to create content