PIX hang - DoS attack

thedinuka
Level 1

Hi

One of the PIX firewalls at our customer's site faced an interesting problem lately.

The customer reported that at times they cannot establish legitimate connections from one segment to the other; effectively the firewall is not passing any traffic at all.

We noticed high CPU on the PIX and analyzed the logs. There we noticed a huge number of connection denies (both TCP and UDP) from a set of IP addresses on a particular segment going out to the Internet on high-numbered ports. (The PIX was configured to allow only web traffic to the Internet, and therefore these connection attempts were getting denied.) There was one particular IP (192.168.13.83) which was prominently doing this, and we then asked to shut down that machine. The problem with the PIX disappeared immediately.

Because of this we thought that this can be classified as a probable DoS attack on the PIX. But we are trying to find out what exactly the attack is. Can anyone relate to this?

I've attached an extract from the firewall log FYI.

2 Replies

sachinraja
Level 9

This is just crazy :) Looks like a SYN attack to me. The originator is trying to send SYNs to random destinations on random ports. Don't you have an IPS somewhere on the network to detect this? I am sure an IPS would have a built-in signature to detect this. I think a full system scan of the PC 13.83 would tell you what exactly the PC contains. AV guys would be of more help to you than network :) he he..

Raj

Hi, thanks for the input. I would have agreed with the SYN attack part if it were not for the UDP denies from the 13.83 PC. Also, this appears a bit similar to P2P traffic. Has anybody else seen this type of P2P traffic?

I'm attaching a log extract showing only the events caused by the 13.83 PC, for you guys to clearly see the pattern.

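The triage the thread does by hand (find which inside host is generating the flood of denies, and check whether the pattern is TCP-only, which fits the SYN-attack reading, or mixed TCP/UDP to many hosts on high ports, which fits the P2P reading) can be scripted against the syslog export. The following is an added example, not code from the original post or from Cisco. Its sample log lines are constructed and modelled on the PIX %PIX-4-106023 ACL-deny message; the syslog-server prefix, interface names, access-group name and thresholds are assumptions, so adjust the regex to the exact format your PIX version emits.

```python
"""Triage PIX ACL-deny syslog lines: per source host, count denies, measure
fan-out (distinct destinations/ports), protocol mix and rate, and flag hosts
that match the flood pattern described in the thread.

Added example; the log lines below are CONSTRUCTED and modelled on the
PIX %PIX-4-106023 message. The syslog prefix and field order are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed shape: "<Mon> <day> <hh:mm:ss> <host> %PIX-4-106023: Deny <proto>
#   src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<name>""
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample: 192.168.13.83 sprays tcp and udp to many Internet hosts
# on high ports within a few seconds; 192.168.13.20 makes one denied SMTP try.
SAMPLE_LOG = """\
Mar 14 10:22:31 pix %PIX-4-106023: Deny tcp src inside:192.168.13.83/3412 dst outside:203.0.113.9/6881 by access-group "inside_in"
Mar 14 10:22:31 pix %PIX-4-106023: Deny udp src inside:192.168.13.83/3413 dst outside:198.51.100.77/41170 by access-group "inside_in"
Mar 14 10:22:31 pix %PIX-4-106023: Deny tcp src inside:192.168.13.83/3414 dst outside:192.0.2.45/51413 by access-group "inside_in"
Mar 14 10:22:32 pix %PIX-4-106023: Deny udp src inside:192.168.13.83/3415 dst outside:203.0.113.120/6346 by access-group "inside_in"
Mar 14 10:22:32 pix %PIX-4-106023: Deny tcp src inside:192.168.13.83/3416 dst outside:198.51.100.8/28443 by access-group "inside_in"
Mar 14 10:22:32 pix %PIX-4-106023: Deny udp src inside:192.168.13.83/3417 dst outside:192.0.2.201/37777 by access-group "inside_in"
Mar 14 10:22:33 pix %PIX-4-106023: Deny tcp src inside:192.168.13.83/3418 dst outside:203.0.113.66/6882 by access-group "inside_in"
Mar 14 10:22:33 pix %PIX-4-106023: Deny udp src inside:192.168.13.83/3419 dst outside:198.51.100.150/12345 by access-group "inside_in"
Mar 14 10:22:33 pix %PIX-4-106023: Deny tcp src inside:192.168.13.20/1055 dst outside:192.0.2.10/25 by access-group "inside_in"
"""


def parse_denies(text):
    """Return one dict per ACL-deny line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        # syslog timestamps carry no year; a fixed one is enough for deltas
        ev["ts"] = datetime.strptime("2000 " + ev["ts"], "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events


def summarize(events):
    """Per source IP: deny count, distinct destinations/ports, protocols, time span."""
    per_src = defaultdict(lambda: {"denies": 0, "dsts": set(), "dports": set(),
                                   "protos": set(), "first": None, "last": None})
    for ev in events:
        s = per_src[ev["sip"]]
        s["denies"] += 1
        s["dsts"].add(ev["dip"])
        s["dports"].add(ev["dport"])
        s["protos"].add(ev["proto"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return per_src


def flag_hosts(per_src, min_denies=5, min_dsts=5):
    """Flag hosts with many denies to many distinct destinations and label the
    pattern. Returns (ip, denies, distinct_dsts, denies_per_sec, verdict).
    Thresholds are assumptions; tune them to the site's normal deny volume."""
    flagged = []
    for ip, s in per_src.items():
        if s["denies"] < min_denies or len(s["dsts"]) < min_dsts:
            continue
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = round(s["denies"] / span, 1)
        high_ports = all(p > 1023 for p in s["dports"])
        if s["protos"] == {"tcp"}:
            verdict = "tcp-only fan-out: consistent with a SYN scan/flood"
        elif high_ports:
            verdict = "mixed tcp/udp fan-out on high ports: consistent with P2P-style peer probing"
        else:
            verdict = "mixed-protocol fan-out"
        flagged.append((ip, s["denies"], len(s["dsts"]), rate, verdict))
    return flagged


if __name__ == "__main__":
    for row in flag_hosts(summarize(parse_denies(SAMPLE_LOG))):
        print(row)
```

On the constructed sample only 192.168.13.83 is flagged, as mixed tcp/udp fan-out at 4.0 denies per second; the single SMTP deny from .20 stays below both thresholds. The denies-per-second figure is the one to line up against the PIX CPU graph, since every denied packet costs the firewall an ACL decision plus a syslog message. The verdict strings only describe the traffic shape; as the replies say, confirming what is actually running on the host still needs a scan of the PC itself.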