Hello, we have a pix 515 - with inside and outside and extranet interfaces.
The extranet is linked to a cisco 2950 switch - with partner networks linked into it.
We generally have no problems communicating with the partner networks but occasionally - on one of the connections in we are seeing bandwidth usage spikes from the normal 50-100kbps to 20,000kbps! - The spikes can last from 2 minutes to 3 hours..
This is about 18mb coming in and 2mb going out.
I mirrored the port on the extranet switch and ran an ethereal capture (screenshot enclosed) - it seems that the partner network adjacent device (a nokia firewall) is sending TCP resets (about 200,000 in 50 seconds) to the PIX here - also containing data -which is then jamming up the interface with the 20meg of retransmitted traffic.
If you look at the capture the tcp resets coming back are thick and fast..
I'd provide the full capture but it's 80mB and that's just from a 50 second capture!
the connections are port 80 requests sourced from our network going out through the pix to the xtra switch to their nokia fw and thence to a M$ IIS server..
Can you examine and say on what occasions you face this bandwidth spike?. Also, I want to know on which interface you are experiencing this issue?. Is it a low speed interface or a high speed Gigabit interface?. If you can send me these details, I can help you accordingly.
so the originator of the traffic is the Nokia, as far as I understand? I would assume a bug there or a DDoS attack. Can they figure out whether the Nokia originates the traffic (should be a bug for almost sure), or it originates in the LAN?
So the first thing I would try to figure out is, which device creates the packets.
Hopefully not a script kiddie trying to close some TCP sessions after reading too much about TCP vulnerabilities.
Hello, the originator of the traffic is a windows pc on our network - the replies which are tcp resets are sourced from the IIS server on the partner network but with a source mac of their Nokia FWs..
..was digging around and having a look at tcp reset & syn attacks..
the bandwidth spikes do not happen at any particular time of the day or every day and the normal usage is about 10-70kbps - that's why I think it's something dodgy - from looking at the trace - it says that the cause of the reset is a http 200 command see attached:
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...