topic How to block Fake connection on firewall in Network Security

How to block Fake connection on firewall

ahmad82pkn — Tue, 12 Mar 2019 01:50:21 GMT

looks like i am under attack.

How can i block these connections? 10.10.101.33 is not ip address of any of my internal machine

TCP OUTSIDE 42.237.252.206:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.205:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.205:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.205:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.205:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.204:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.204:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.204:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.204:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.203:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.203:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.203:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.203:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.202:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.202:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.202:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.202:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.201:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.201:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.201:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.201:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.200:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

TCP OUTSIDE 42.237.252.200:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA

How to block Fake connection on firewall

Jouni Forss — Tue, 28 May 2013 20:54:33 GMT

Hi,

To me it seems that the connections is indeed built from a host behind the INSIDE interface towards Internet.

Are you saying that you dont even have a network with the 10.10.101.x/yy in your LAN? Or just that you shouldnt have a host with that IP address?

One thing to make ASA check the routing table against a source IP address on the INSIDE could be achieved with the following command

ip verify reverse-path interface INSIDE

Have you tried to determine where the traffic is coming from?

Naturally you could also block the connection with ACL from ever trying to form through the firewall.

- Jouni

How to block Fake connection on firewall

ahmad82pkn — Tue, 28 May 2013 21:07:21 GMT

Hi i dont have this subnet in my LAN, on my inside traffic just give stars since no vlan of said subnet.

yes it looks to be coming from inside, but on my inside core switch, i dont show any ARP or route for this strange IP.

not sure how to find it

ip verify reverse-path interface INSIDE Doest this command cause any CPU Spike? since i am running in production right now, though with slow internet response due to above issue.

How can i find the source? its kind of fake source.

How to block Fake connection on firewall

Jouni Forss — Tue, 28 May 2013 21:17:05 GMT

Hi,

I am not sure on the commands effect on the performance.

Either you use the command or block the connections with ACL and then start tracking down the host causing this.

The command I suggested will essentially check the ASAs routing table against the source IP address. If the routing table doesnt contain that IP address or a network to which it belongs to then the ASA drops the packet.

Is there alot of connection attempts on your firewall constantly? Are you able to check the core switch from where the traffic volume is higher to track down the host?

Is the core switch a L3 device or is the network behind the ASA purely L2?

- Jouni