Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
320
Views
0
Helpful
1
Replies

Analyzing high number of udp teardrown messages in short internval?

asad ali
Level 1
Level 1

‎02-09-2014 10:40 PM - edited ‎03-11-2019 08:43 PM

I'm security analyst tasked to running SIEM we are getting Cisco asa5585 traffic logs. Two firewall running in active -active configuration. I'm detecting some suspcious pattern which I need clarification/understanding from the community.

In less then 3 hours between  7:00 am to 9:00 am cisco asa logs shows unprecedented increase in UDP teardown messages  going as far 2 million

in total. The number is odd for many reason some which include:-

  • The ratio of udp teardown messages didn't matched with udp built connections. These udp teardown messages for that short period were are almost 20 times more then built connections.
    • A trend-analysis was made to see If such high occurrence of  udp-teardown messages was observed before. For such, comparative  analysis was made for exact time-windows from previous months/weeks and  following sub-patterns were deduced:-  
      • On Dec-22-2013, the ratio between two was only 2%.
      • On Dec-29-2013, the ratio remained the same i.e 2%.
      • On Dec-29-2013, the ratio was 2.1%.
      • On Jan-5-2014, the ratio was 2%.

Sample payload

<166>Jan 20 2014 09:28:49: %ASA-6-302016: Teardown UDP connection  2542342834 for client:202.12.27.33/53 to inside:192.168.1.2/59270  duration 0:02:27 bytes 73

NOTE: Nearly every other teardrop messages comes from src port 53.

Is such sporadic increase in anyway considered an Anomaly (i.e networking loop perhaps)? Also, do these messages esp udp teardown relates to drop action taken by fw due security voilation of some sort, or the traffic logs just tells us its has logged udp connection request teardrop / close request?

Thanks.

Labels:
0 Helpful
1 Reply 1

Vasilii Mikhailovskii
Level 7
Level 7

‎02-10-2014 10:33 AM

Hello, Asad.

The message says that connection is removed from connection table.

So, no actions required.

But if you observe too high number of such messages, you'ld better to investigate why.

So, try to analyze "show local-host conn udp 100" and find primary host that generates such amount of connection.

After you identify, try to understand if it's normal (or malware) behavior.

If it's not normal, you might limit a number of connections per host.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card