One of the Pix at our customers faced an interesting problem lately.
The customer reported that at times they cannot establish legitimate connections from one segment to the other; effectively the firewall is not passing any traffic at all.
We noticed high CPU on the PIX and analyzed the logs. There we noticed a huge number of connection denies (both TCP and UDP) from a set of IP addresses in a particular segment going out to the internet on high-end ports. (The PIX was configured to allow only web traffic to the internet, and therefore these connection attempts were getting denied.) There was one particular IP (192.168.13.83) which was prominently doing this, and we then asked to shut down that machine. The problem with the PIX disappeared immediately.
Because of this we thought that this can be classified as a probable DoS attack on the PIX. But we are trying to find what exactly the attack is. Can anyone relate to this?
I've attached an extract from the firewall log FYI.
This is just crazy :) Looks like a SYN attack to me... the originator is trying to send SYNs to random destinations on random ports. Don't you have an IPS somewhere on the network to detect this? I am sure an IPS would have a built-in signature to detect this. I think a FULL system scan of the PC 13.83 would tell you what exactly the PC contains. AV guys would be of more help to you than network :) he he.
Hi, thanks for the input. I would have agreed with the SYN attack part if it were not for the UDP denies from the 13.83 PC. Also, this appears to be a bit familiar to P2P traffic. Has anybody else seen this type of P2P traffic?
I'm attaching a log which is an extract showing only the events caused by 13.83 PC for you guys to clearly see the pattern.
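The attached logs are not reproduced on this page, so below is an added example (not from any poster in this thread) of the kind of triage a practitioner would run over a PIX deny log to surface a host like 13.83: parse the `106023 Deny` lines, tally denies per source by protocol, count distinct destinations and ports, and flag sources whose denies go to many destinations on high ports over both TCP and UDP (a pattern that fits a P2P client or a scanning worm better than a plain TCP SYN flood). The sample log lines are constructed for the example and follow the PIX/ASA 106023 message format as I understand it; the thresholds are assumptions to tune against your own log volume.

```python
import re

# Constructed sample lines in PIX 106023 "Deny" format (not the original attachment).
# 192.168.13.83 hits many destinations on high ports over both tcp and udp;
# 192.168.13.20 is an ordinary host with two denies to one SMTP server.
SAMPLE_LOG = """\
Nov 10 10:01:02 fw %PIX-4-106023: Deny tcp src inside:192.168.13.83/1034 dst outside:203.0.113.9/6881 by access-group "inside_in"
Nov 10 10:01:02 fw %PIX-4-106023: Deny udp src inside:192.168.13.83/1035 dst outside:203.0.113.9/6881 by access-group "inside_in"
Nov 10 10:01:03 fw %PIX-4-106023: Deny tcp src inside:192.168.13.83/1036 dst outside:198.51.100.4/4662 by access-group "inside_in"
Nov 10 10:01:03 fw %PIX-4-106023: Deny udp src inside:192.168.13.83/1037 dst outside:198.51.100.4/4672 by access-group "inside_in"
Nov 10 10:01:04 fw %PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.50/80 (203.0.113.50/80) to inside:192.168.13.40/1200 (10.0.0.5/1200)
Nov 10 10:01:04 fw %PIX-4-106023: Deny tcp src inside:192.168.13.83/1038 dst outside:203.0.113.77/51413 by access-group "inside_in"
Nov 10 10:01:04 fw %PIX-4-106023: Deny udp src inside:192.168.13.83/1039 dst outside:203.0.113.77/51413 by access-group "inside_in"
Nov 10 10:01:05 fw %PIX-4-106023: Deny tcp src inside:192.168.13.83/1040 dst outside:198.51.100.200/6346 by access-group "inside_in"
Nov 10 10:01:05 fw %PIX-4-106023: Deny udp src inside:192.168.13.83/1041 dst outside:198.51.100.200/6346 by access-group "inside_in"
Nov 10 10:01:06 fw %PIX-4-106023: Deny tcp src inside:192.168.13.83/1042 dst outside:192.0.2.15/1234 by access-group "inside_in"
Nov 10 10:01:06 fw %PIX-4-106023: Deny udp src inside:192.168.13.83/1043 dst outside:192.0.2.15/1234 by access-group "inside_in"
Nov 10 10:01:07 fw %PIX-4-106023: Deny tcp src inside:192.168.13.83/1044 dst outside:192.0.2.99/34567 by access-group "inside_in"
Nov 10 10:01:07 fw %PIX-4-106023: Deny udp src inside:192.168.13.83/1045 dst outside:192.0.2.99/34567 by access-group "inside_in"
Nov 10 10:01:08 fw %PIX-4-106023: Deny tcp src inside:192.168.13.20/2001 dst outside:192.0.2.15/25 by access-group "inside_in"
Nov 10 10:01:09 fw %PIX-4-106023: Deny tcp src inside:192.168.13.20/2002 dst outside:192.0.2.15/25 by access-group "inside_in"
"""

# Matches the 106023 deny message; interface names before the colon are ignored.
DENY_RE = re.compile(
    r"%PIX-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src \S+:(?P<src>[\d.]+)/\d+ "
    r"dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_denies(log_text):
    """Return (src, proto, dst, dport) for every 106023 deny line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append((m["src"], m["proto"], m["dst"], int(m["dport"])))
    return events


def summarize(events):
    """Per source: deny counts by protocol, distinct destinations/ports, high-port hits."""
    stats = {}
    for src, proto, dst, dport in events:
        s = stats.setdefault(src, {"tcp": 0, "udp": 0, "dsts": set(), "ports": set(), "high": 0})
        s[proto] += 1
        s["dsts"].add(dst)
        s["ports"].add(dport)
        if dport > 1024:  # "high-end" ports as described in the thread
            s["high"] += 1
    return stats


def suspicious_hosts(stats, min_denies=10, min_dsts=5, high_ratio=0.8):
    """Flag sources with many denies spread over many destinations, mostly on high ports.

    Thresholds are assumptions for the example; tune against real log volume.
    Returned tuples: (src, total_denies, distinct_dsts, tcp_denies, udp_denies).
    """
    flagged = []
    for src, s in stats.items():
        total = s["tcp"] + s["udp"]
        if total >= min_denies and len(s["dsts"]) >= min_dsts and s["high"] / total >= high_ratio:
            flagged.append((src, total, len(s["dsts"]), s["tcp"], s["udp"]))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for src, total, ndst, tcp, udp in suspicious_hosts(summarize(parse_denies(SAMPLE_LOG))):
        kind = "tcp+udp (P2P/scan-like)" if tcp and udp else "tcp only (SYN-flood-like)"
        print(f"{src}: {total} denies to {ndst} destinations, {kind}")
```

The useful signal here is not the raw deny count but the spread: one source fanning out to many distinct destinations on high ports over both protocols is what distinguishes this from a TCP-only SYN flood, which is the point raised in the reply above. Run it against a syslog export from the PIX (`logging trap` to a syslog host) rather than the console buffer, since the buffer rolls over quickly under this load.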