New Member

I got nailed today - PIX 535 (7.0.3) Help Please

Hi all,

Hopefully you can help me out...  I can't decide if we've got a firewall that was exploited (possible given the old-ish code) or a host that's been compromised.

The story is this --- All of a sudden the PIX cpu load spiked to 98+%.  Pings were < 50% thus making TCP communications useless.  I eventually traced the problem down to our DMZ interface.  It eventually subsided, and after a few interface resets, things got better.

The logs are like this.....

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/52365 dst outside:YY.YY.YY.YY/58934 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/45880 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/41237 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/21060 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/21770 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/35153 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/42539 by access-group "acl_dmz"

They continued at a rate of 6,500 or so connections per second.

This undoubtedly brought the firewall to its knees.

I took a good long look at the host and it's not obviously hacked.  More inspection tomorrow.

Any thoughts on if this could have been the firewall being exploited?  Thanks very much in advance.

4 REPLIES
New Member

I got nailed today - PIX 535 (7.0.3) Help Please

You should first check if the traffic was legitimate or not. If not, then check the host for malicious activity.

Sachin

New Member

I got nailed today - PIX 535 (7.0.3) Help Please

I continued looking at the host.  The likelihood of that host being able to send that much traffic is VERY low.  After further inspection the likelihood of that host being hacked is also VERY low.

Thanks anyway.

New Member

I got nailed today - PIX 535 (7.0.3) Help Please

How did you isolate the issue to this host?

Did you trace the MAC address?

Sachin

Gold

I got nailed today - PIX 535 (7.0.3) Help Please

The likelihood is either that you have made changes in your access-list or that your host was compromised and that it was used to try to attack and DOS a server (which we all know as YY.YY.YY.YY now).

My guess would be the second option.

The same program (same port) is sending UDP messages to many different ports on another system?

A highly irregular traffic pattern, I would say.

But perfect to fill up someone's Internet link.

Good luck

HTH
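As an added example that is not part of the thread, the pattern described in the reply above (one DMZ source port spraying UDP at many destination ports on a single outside host, at a very high deny rate) can be picked out of %PIX-4-106023 lines automatically rather than by eye. Hosts, ports and timestamps in the sample are constructed placeholders, and the parser assumes real timestamps in place of the ##:##:## masking in the original post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the %PIX-4-106023 deny lines quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ %PIX-4-106023: '
    r'Deny (?P<proto>\w+) src \w+:(?P<sip>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "[^"]+"$')

def parse_line(line):
    # Returns a dict for a 106023 deny line, None for anything else.
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y %b %d %H:%M:%S')
    rec['sport'], rec['dport'] = int(rec['sport']), int(rec['dport'])
    return rec

def find_udp_floods(lines, min_ports=50, min_rate=100.0):
    # Group denied UDP by (src host, dst host); flag pairs that spray many
    # distinct destination ports at a high rate (denies per second).
    pairs = defaultdict(lambda: {'n': 0, 'dports': set(), 'sports': set(), 'ts': []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['proto'] != 'udp':
            continue
        p = pairs[(rec['sip'], rec['dip'])]
        p['n'] += 1
        p['dports'].add(rec['dport'])
        p['sports'].add(rec['sport'])
        p['ts'].append(rec['ts'])
    alerts = []
    for (sip, dip), p in pairs.items():
        # Syslog timestamps are 1 s granular, so count the window inclusively.
        rate = p['n'] / ((max(p['ts']) - min(p['ts'])).total_seconds() + 1.0)
        if len(p['dports']) >= min_ports and rate >= min_rate:
            alerts.append({'src': sip, 'dst': dip, 'denies': p['n'], 'rate_per_sec': rate,
                           'dst_ports': len(p['dports']), 'src_ports': len(p['sports'])})
    return alerts

# Constructed sample (not from the thread): 600 port-spray denies in 3 s plus two benign denies.
FMT = ('2012 Feb 28 09:15:%02d firewall %%PIX-4-106023: Deny %s src dmz:%s/%d '
       'dst outside:%s/%d by access-group "acl_dmz"')
SAMPLE = [FMT % (11 + i // 200, 'udp', '10.1.2.3', 55376, '203.0.113.9', 20000 + i * 7919 % 40000)
          for i in range(600)]
SAMPLE += [FMT % (12, 'udp', '10.1.2.4', 41000, '198.51.100.53', 53),
           FMT % (12, 'tcp', '10.1.2.3', 40001, '203.0.113.9', 80)]
```

Feeding a real syslog export to find_udp_floods gives one record per offending (source, destination) pair; a single source port against hundreds of destination ports, as in the thread, is the signature to look for before deciding between a compromised host and a firewall fault.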
