topic Hi, in Network Security

Narrow down on Embryonic connections details on ASA5550

walidazab — Tue, 12 Mar 2019 08:25:38 GMT

Hi,

To protect against SYN attacks we have created a global maximum to half open connections. Currently 500 embryonic connections.

It is working pretty fine now. When the maximum count is reached SYSLOG shows the following message:

Oct 20 2016

12:11:14

201010

<PRIVATE IP>

40333

<PUBLIC IP>

Embryonic connection limit exceeded 500/500 for input packet from <PRIVATE_IP>/40333 to <PUBLIC IP>/80 on interface inside

Just need to confirm a couple of things here please:

Direction of the connection. Is it correct that the connection is from inside (LAN) to outside (Internet)?
How to drill down to actually list the connections made from the private IP to the outside public IP?

From what I see this is some portscanning that is taking place by compromised host residing on my network (inside). What I am trying to do is to contact my users and send them a list of all the public IPs their possibly infected host/IP is scanning along with the ports so that they take the necessary action. I do not want to start using threat-detection with SHUN before I get hold of this report.

I was thinking of sh local-host <private_IP> and looking at Conn but it lists legitimate connections too. How can I only list scanned destinations and ports only?

I am using ASA5550 by the way.

Thanks

Hi,

Pulkit Saxena — Fri, 21 Oct 2016 00:56:29 GMT

Hi,

Good to hear that embryonic connection configuration is working fine. To answer your questions :

a) Yes you have analyzed it correctly connection is from inside to outside, some local machine using a random source port is making a connection to a public IP on port 80. It might be legitimate, might not be. That needs to be checked by tracking the local IP address and also utilizing its mac address and then checking the infected machine itself.

b) Well it is actually tough to just drill down with one single output, but you can try a few outputs :

sh local-host connection tcp 500

sh local-host x.x.x.x (once you identify the IP address of local user)

sh local-host connection embryonic

Unfortunately ASA does not know which is legitimate and which is not, it only takes action on the basis of the set of policies configured on it.

Hope this helps.

Pulkit

Hello Pulkit,

walidazab — Sat, 22 Oct 2016 14:49:18 GMT

Hello Pulkit,

Thanks. I am a bit confused here about something though.

Aren't embryonic connections already considered illegitimate? Aren't they all half open and therefore sort of categorized as SYN or scan attacks?

So am I stuck with this then? We have tons of logs indicating that Embryonic attacks exceed the maximum configured.

Hi,

Pulkit Saxena — Sat, 22 Oct 2016 15:22:44 GMT

Hi,

I agree with what you say, yes embryonic connections are somewhat illegitimate and ASA is doing what it is suppose to do.

If we have continuous issues of embryonic connections limit reached, then we really need to identify the machines and track them down.

That is the only way ASA can help in this case, as it is already dropping the traffic as per configuration.

Let me know if you have any specific query in regards to this, and I will try to answer.

Pulkit

Hi again,

walidazab — Sat, 22 Oct 2016 15:48:57 GMT

Hi again,

Great. Let me share with you my goal then.

Lets say I get numerous logs indicating a particular IP is exceeding max embryonic connection. Here is an example log message from the live network:

%ASA-6-201010: Embryonic connection limit exceeded 500/500 for input packet from StaticSiteA/36293 to 52.21.58.159/23 on interface inside

To get more details about connections I execute the command: ASA-Internet#

sh local-host StaticSiteA

Output (attached) and below is a sample of this output:

TCP outside 74.91.115.242:23 inside StaticSiteA:53385, idle 0:00:00, bytes 0, flags saA

TCP outside 221.229.172.75:30899 inside StaticSiteA:22, idle 0:00:11, bytes 249, flags UFIB

Knowing that this is a continuous and ongoing behavior with this host, my question now is, how can I pinpoint the connection details for this seemingly ongoing attack/scan from that host? Should I be looking for a particular flag for example, say saA and ignore other flags or should I be using another command altogether?

In the above example and as attached it appears that this host is continuously scanning port 23 targeting many IPs on the outside interface. Correct?

Thanks

Hi,

Pulkit Saxena — Sat, 22 Oct 2016 17:08:01 GMT

Hi,

I had a look at the output and what I understand from it is that I see only two categories of flags : "saA" and "UFIB".
Going with the following link :
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113602-ptn-113602.html

It is pretty clear that "saA" means that inside machine sent "syn" to an outside public IP and is waiting for a reply and thus showing the
particular connection flag.
Similarly, "UFIB" means that from outside someone initiated ssh traffic to inside host and three way handshake completed after which the outside
IP also sent a FIN after some data transfer.

So I think the local machine has a legitimate access from outside, but the question is why is the internal machine initiating random SYN packets.
We must check the local machine.

Honestly these are the commands that we use usually and some that I mentioned above and yes you are right, connection flasg are very important.
On basis of that, we need to take action.

ASA can only tell about the packets and connections, then we need to get the traffic checked at the local machine.

If it is in directly connected subnet, then you can also look for it's mac address and can check further on the local machine.

-
Pulkit
Please rate helpful posts.