Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1198
Views
5
Helpful
2
Replies

syslog ASA-4-313005 and black nurse

Machi Ma
Level 1
Level 1

‎01-25-2017 06:45 PM - edited ‎03-12-2019 01:50 AM

Hello,

There are high around of ASA syslog related to ASA-4-313005 which also related to ICMP type3, code 3

------

Jan 26 10:36:04 192.168.10.2 %ASA-4-313005: No matching connection for ICMP error message: icmp src INSIDE:111.222.333.444 dst INSIDE:555.666.777.888 (type 3, code 3) on inside interface.  Original IP payload: udp src 111.222.333.444/6343 dst 555.666.777.888/6343.

Jan 26 10:36:04 192.168.10.2 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:111.222.333.555 dst INSIDE:777.888.333.444 (type 3, code 3) on outside interface.  Original IP payload: udp src 111.222.333.555/59851 dst 777.888.333.444/53.

Jan 26 10:36:04 192.168.10.2 %ASA-4-313005: No matching connection for ICMP error message: icmp src outside:555.666.777.888 dst INSIDE:123.123.123.123 (type 3, code 3) on outside interface.  Original IP payload: udp src 123.123.123.123/59764 dst 555.666.777.888/53.

-----

Is it related to Black Nurse attack?

Thanks!

Labels:
0 Helpful
2 Replies 2

Rahul Govindan
VIP Alumni
VIP Alumni

‎01-25-2017 09:28 PM

This looks like a genuine response for original packets sent across the ASA.  For example:

Original IP payload: udp src 111.222.333.555/59851 dst 777.888.333.444/53.

The black nurse attack is usually originated from the outside to inside with a large stream.

Another indicator that this may not be an attack is the fact that the first message was between Inside to Inside interface. It's highly unlikely that an attack would occur from within the network (possible though). It would be good to investigate the inside host sending the packet in the place to see if this is a genuine packet.

saif musa
Level 4
Level 4

‎01-25-2017 11:19 PM

Hi,

BlackNurse is based on ICMP with Type 3 Code 3 packets. So the above error which you posted is related to Black Nurse Attack.It's known also to cisco as DoS vulnerability with ICMP default implementation. Chick link below, hope it will help.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc07227/?referring_site=s

Regards

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card