https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298874#M765453 <HTML><HEAD></HEAD><BODY><P>Many Thanks for your reply!</P></BODY></HTML> Sun, 11 Oct 2009 07:06:53 GMT a.hajhamad 2009-10-11T07:06:53Z https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298872#M765448 <P>Hello,</P><P>We have very huge number of TCP connections we can see at PIX 525 firewall to Anti-Spam mail gateway. Here is sample of show connection to Anti-Spam IP X.X.X.X; by the way the attacker is using many src IP addresses:</P><P>==============================================================================</P><P>TCP out ((Attacker IPs)):3235 in X.X.X.X:25 idle 0:01:54 bytes 0 flags UFB</P><P>TCP out (Attacker IPs):4532 in X.X.X.X:25 idle 0:07:28 bytes 0 flags UFB</P><P>TCP out (Attacker IPs):3112 in X.X.X.X:25 idle 0:00:08 bytes 0 flags aB</P><P>TCP out (Attacker IPs):4056 in X.X.X.X:25 idle 0:04:43 bytes 0 flags UFB</P><P>TCP out (Attacker IPs):11679 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB</P><P>TCP out (Attacker IPs)4:3126 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):3125 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):16588 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB</P><P>TCP out (Attacker IPs):2846 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB</P><P>TCP out (Attacker IPs):2927 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):2926 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB</P><P>TCP out (Attacker IPs):2925 in X.X.X.X:25 idle 0:00:01 bytes 0 flags aB</P><P>TCP out (Attacker IPs):42869 in X.X.X.X:25 idle 0:02:51 bytes 596 flags UfFRIOB</P><P>TCP out (Attacker IPs):2247 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):1409 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):6062 in X.X.X.X:25 idle 0:09:09 bytes 0 flags UFB</P><P>TCP out (Attacker IPs):4018 in X.X.X.X:25 idle 0:00:04 bytes 0 flags aB</P><P>TCP out (Attacker IPs):1276 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):2559 in X.X.X.X:25 idle 0:00:00 bytes 0 flags UB</P><P>TCP out (Attacker IPs):4518 in X.X.X.X:25 idle 0:00:18 bytes 0 flags aB</P><P>TCP out (Attacker IPs):17397 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):2041 in X.X.X.X:25 idle 0:00:00 bytes 0 flags aB</P><P>TCP out (Attacker IPs):2191 in X.X.X.X:25 idle 0:22:32 bytes 0 flags UFB</P><P>TCP out (Attacker IPs):1775 in X.X.X.X:25 idle 0:24:39 bytes 0 flags UFB</P><P>TCP out (Attacker IPs):3341 in X.X.X.X:25 idle 0:00:00 bytes 0 flags SaAB</P><P>==============================================================================</P><P>As i see it is a TCP SYN attack, the Anti-Spam queue is full with TCP connections around 40,000 connections.</P><P>One of our solutions: we applied the following configurations to the PIX firewall in order to drop embryonic and half closed TCP connections and also to limit the max number of TCP connections:</P><P>====</P><P>class-map tcp_syn_smtp</P><P>match port tcp eq 25</P><P>exit</P><P>policy-map tcp_syn_smtp</P><P>class tcp_syn_smtp</P><P>set connection conn-max 400</P><P>set connection embryonic-conn-max 800</P><P>set connection random-sequence-number enable</P><P>set connection timeout embryonic 0:0:45</P><P>set connection timeout half-closed 0:05:00</P><P>set connection timeout tcp 0:10:0</P><P>===</P><P>By the way the following two commands are not supported at PIX 525 7.0(6).</P><P>set connection per-client-embryonic-max 10</P><P>set connection per-client-max 5</P><P></P><P>My questions are:</P><P>1- Does our conclusion is correct according to TCP SYN attack with reference to the show conn mentioned above?</P><P>2- Does the numbers are correct according to TCP parameters &amp; timeout are correct?</P><P></P><P>Thanks</P><P></P><P>Abd Alqader </P><P></P><P></P><P></P> Mon, 11 Mar 2019 16:24:26 GMT https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298872#M765448 a.hajhamad 2019-03-11T16:24:26Z https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298873#M765450 <HTML><HEAD></HEAD><BODY><P>A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,</P><P> B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,</P><P> D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,</P><P> G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,</P><P> i - incomplete, J - GTP, j - GTP data, K - GTP t3-response</P><P> k - Skinny media, M - SMTP data, m - SIP media, n - GUP</P><P> O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,</P><P> q - SQL*Net data, R - outside acknowledged FIN,</P><P> R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,</P><P> s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,</P><P> V - VPN orphan, W - WAAS,</P><P> X - inspected by service module</P><P></P><P>Most of them have flag aB meaning we are waiting for the ack from the outside.</P><P></P><P>This does appear to be a syn attack.</P><P></P><P>The MPF looks correct as well. I would match an access-list and only watch for port 25 traffic destined to the smtp server's IP address instead of match tcp 25 and only apply the policy-map on the outside interface.</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s1.html#wp1395546</A></P></BODY></HTML> Fri, 09 Oct 2009 01:59:08 GMT https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298873#M765450 Kureli Sankar 2009-10-09T01:59:08Z https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298874#M765453 <HTML><HEAD></HEAD><BODY><P>Many Thanks for your reply!</P></BODY></HTML> Sun, 11 Oct 2009 07:06:53 GMT https://community.cisco.com/t5/network-security/it-seems-tcp-syn-attack/m-p/1298874#M765453 a.hajhamad 2009-10-11T07:06:53Z