I had a Sudden increase of traffic to a port :80 from several IP's. This triggered the "Sudden increase of traffic to a port" rule in MARS.
Looking at the PC's (Win XP SP2) involved they all had a TCP error # 4226 at the time of incident. 4226 is - TCP/IP reached limits of # of concurrent tcp connection.
The incident was sourced 30 times from 3 different internal PC's to 22.214.171.124 (Akamai Tech -a company that provides a distributed computing platform for global Internet content and application delivery) all within and at the same second
How could I get more information to determine if my PC's played a role in bot like activity? All scans of the PC are clean.
You could capture the traffic via ASA (capture cmd), IPS capture, Switch SPAN/VACL etc. and then analyze it using wireshark. But to be honest multiple connections to Akamai servers and Windows update is normal for most windows boxes on which websites are browsed. In fact I had to add a 'deny packet' exclusion on our MARS because the FWSM/Netscreen kept sending deny syslogs to Akamai servers from numerous users. They are mostly on non standard ports.
It has only happened once so far so I'll do that if it happens again on that same des IP but Akami has a /15 network so..
But you stated multi connection are normal to Akami - I guess it could happen if they visited a site which contained multiple links to the akami des ip.. I didn't see that in the cookie history though. And what are the chances of that happening from 3 source ip's within the same time frame?
Now withstanding, based on the message on my windows box "max tcp connection request" and the port the request were made on "port 80" it seems as if it was a http DOS attack from my network to Akamai.
Which device is reporting this into MARS? An IPS or a firewall?
HTTP is a cleartext protocol, your best bet would be to check using a packet sniffer. You will see all HTTP requests captured in clear for analysis. Yes it is normal for three hosts to connect to AKAMAI at once.
AKAMAI can be sometimes notorious, so I would not worry about the too much. Just block if you don't want this happening:
I understand the capture piece - however I would overload my firewall captureing packets for all port 80 packets destin for port 80 at Akami's /15 network =)
I here you 100% and agree with your statements and links about Akami
But the time stamps on this event make me wonder how and why only three pc's in my network try to connect to Akami all within the same window of time (4 seconds or so) and each PC violated the "worm prevention" method used by windows xp which stops/logs each time more than 10 concurent tcp sessions are opened to a single source. It's just very odd.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...