08-09-2013 01:49 AM - edited 03-11-2019 07:24 PM
Hi,
We are using a public IP pool from one of the ISPs, 144.36.251.0/24. Within the pool, some of the public IPs are assigned to various projects with PAT in the ASA.
But some of the IPs are free (meaning kept for future project use).
In the Cisco ASA 5580's logs, we are getting these messages for most of the free IPs:
Aug 8 00:14:33 Aug 08 2013 00:15:21 bngfw2135 : %ASA-3-106014: Deny inbound icmp src Outside:176.117.112.65 dst Outside:144.36.251.224 (type 8, code 0)
Aug 8 00:22:16 Aug 08 2013 00:23:04 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 192.95.53.235/80 to 144.36.251.224/44257 flags SYN ACK on interface Outside
Aug 8 00:39:53 Aug 08 2013 00:40:41 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 221.180.18.158/6000 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 00:51:52 Aug 08 2013 00:52:41 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 121.97.149.31/42266 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 00:51:55 Aug 08 2013 00:52:44 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 121.97.149.31/42266 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 00:52:01 Aug 08 2013 00:52:50 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 121.97.149.31/42266 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 01:18:57 Aug 08 2013 01:19:45 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 211.138.138.42/6000 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 01:44:15 Aug 08 2013 01:45:04 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 108.35.102.70/50316 to 144.36.251.224/12858 on interface Outside
Aug 8 01:44:15 Aug 08 2013 01:45:04 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 108.35.102.70/50316 to 144.36.251.224/12858 on interface Outside
Aug 8 01:44:15 Aug 08 2013 01:45:04 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 108.35.102.70/50316 to 144.36.251.224/12858 on interface Outside
Aug 8 01:44:18 Aug 08 2013 01:45:07 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 108.35.102.70/50316 to 144.36.251.224/12858 on interface Outside
Aug 8 01:44:40 Aug 08 2013 01:45:25 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 108.35.102.70/50316 to 144.36.251.224/12858 on interface Outside
Aug 8 02:11:59 Aug 08 2013 02:12:48 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 85.214.251.10/54846 to 144.36.251.224/5631 flags SYN on interface Outside
Aug 8 02:36:54 Aug 08 2013 02:37:43 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 60.190.216.164/6000 to 144.36.251.224/6666 flags SYN on interface Outside
Aug 8 02:39:58 Aug 08 2013 02:40:47 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 203.110.175.150/18031 to 144.36.251.224/8080 flags SYN on interface Outside
Aug 8 02:54:29 Aug 08 2013 02:55:18 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 192.95.53.235/80 to 144.36.251.224/55608 flags SYN ACK on interface Outside
Aug 8 02:57:49 Aug 08 2013 02:58:38 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 192.187.102.74/59512 to 144.36.251.224/19 on interface Outside
Aug 8 04:26:05 Aug 08 2013 04:26:54 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 117.198.218.220/35035 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 04:53:36 Aug 08 2013 04:54:25 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 192.95.53.235/80 to 144.36.251.224/8540 flags SYN ACK on interface Outside
Aug 8 05:00:27 Aug 08 2013 05:01:16 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 115.238.246.70/6000 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 05:24:18 Aug 08 2013 05:25:08 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 173.242.121.199/38608 to 144.36.251.224/19 on interface Outside
Aug 8 05:40:24 Aug 08 2013 05:41:14 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/54049 to 144.36.251.224/3128 flags SYN on interface Outside
Aug 8 05:40:25 Aug 08 2013 05:41:15 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/54049 to 144.36.251.224/3128 flags SYN on interface Outside
Aug 8 05:40:27 Aug 08 2013 05:41:17 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/54049 to 144.36.251.224/3128 flags SYN on interface Outside
Aug 8 05:41:08 Aug 08 2013 05:41:58 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/51721 to 144.36.251.224/1080 flags SYN on interface Outside
Aug 8 05:41:09 Aug 08 2013 05:41:59 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/51721 to 144.36.251.224/1080 flags SYN on interface Outside
Aug 8 05:41:11 Aug 08 2013 05:42:01 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/51721 to 144.36.251.224/1080 flags SYN on interface Outside
Aug 8 05:41:14 Aug 08 2013 05:42:04 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/44215 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 05:41:15 Aug 08 2013 05:42:05 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 96.254.171.2/44215 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 05:45:16 Aug 08 2013 05:46:05 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 94.23.168.18/80 to 144.36.251.224/1234 flags SYN ACK on interface Outside
Aug 8 06:11:48 Aug 08 2013 06:12:37 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 113.98.255.134/4935 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 06:13:24 Aug 08 2013 06:14:14 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 221.180.18.158/6000 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 06:42:02 Aug 08 2013 06:42:52 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 23.88.165.105/16405 to 144.36.251.224/5060 on interface Outside
Aug 8 06:44:50 Aug 08 2013 06:45:40 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 217.199.213.13/53992 to 144.36.251.224/1080 flags SYN on interface Outside
Aug 8 07:10:46 Aug 08 2013 07:11:36 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 94.23.45.14/33889 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 07:10:47 Aug 08 2013 07:11:37 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 94.23.45.14/33889 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 07:10:49 Aug 08 2013 07:11:39 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 94.23.45.14/33889 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 07:10:53 Aug 08 2013 07:11:43 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 94.23.45.14/33889 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 07:22:10 Aug 08 2013 07:23:00 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 66.6.44.4/80 to 144.36.251.224/1234 flags SYN ACK on interface Outside
Aug 8 07:25:30 Aug 08 2013 07:26:19 bngfw2135 : %ASA-2-106007: Deny inbound UDP from 64.236.64.139/61629 to 144.36.251.224/53 due to DNS Query
Aug 8 07:30:33 Aug 08 2013 07:31:23 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 5.135.247.108/80 to 144.36.251.224/36 flags SYN ACK on interface Outside
Aug 8 07:53:45 Aug 08 2013 07:54:34 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 61.160.247.93/6000 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 08:10:16 Aug 08 2013 08:11:06 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 192.95.53.235/80 to 144.36.251.224/18849 flags SYN ACK on interface Outside
Aug 8 09:20:19 Aug 08 2013 09:21:09 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 198.20.69.98/30477 to 144.36.251.224/81 flags SYN on interface Outside
Aug 8 10:44:47 Aug 08 2013 10:45:38 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 117.216.242.84/9641 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 11:51:42 Aug 08 2013 11:52:32 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 123.151.42.61/12202 to 144.36.251.224/8080 flags SYN on interface Outside
Aug 8 12:06:57 Aug 08 2013 12:07:48 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 123.151.42.61/22207 to 144.36.251.224/1723 flags SYN on interface Outside
Aug 8 12:48:44 Aug 08 2013 12:49:35 bngfw2135 : %ASA-3-106014: Deny inbound icmp src Outside:113.168.186.91 dst Outside:144.36.251.224 (type 8, code 0)
Aug 8 13:06:18 Aug 08 2013 13:07:08 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 110.77.213.65/4935 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 14:34:01 Aug 08 2013 14:34:53 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 213.186.33.5/80 to 144.36.251.224/4753 flags SYN ACK on interface Outside
Aug 8 15:39:23 Aug 08 2013 15:40:15 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 198.20.69.74/9661 to 144.36.251.224/443 flags SYN on interface Outside
Aug 8 15:40:05 Aug 08 2013 15:40:57 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 117.205.212.51/3853 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 15:56:41 Aug 08 2013 15:57:32 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 117.220.113.142/2377 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 16:02:34 Aug 08 2013 16:03:26 bngfw2135 : %ASA-3-106014: Deny inbound icmp src Outside:218.148.25.206 dst Outside:144.36.251.224 (type 8, code 0)
Aug 8 16:40:14 Aug 08 2013 16:41:05 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 128.233.241.14/4069 to 144.36.251.224/4445 flags SYN on interface Outside
Aug 8 17:00:52 Aug 08 2013 17:01:44 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 95.31.35.151/53408 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 17:00:55 Aug 08 2013 17:01:47 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 95.31.35.151/53408 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 17:15:30 Aug 08 2013 17:16:21 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 173.48.28.22/58143 to 144.36.251.224/5900 flags SYN on interface Outside
Aug 8 17:15:30 Aug 08 2013 17:16:22 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 173.48.28.22/58143 to 144.36.251.224/5900 flags SYN on interface Outside
Aug 8 17:15:31 Aug 08 2013 17:16:23 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 173.48.28.22/58143 to 144.36.251.224/5900 flags SYN on interface Outside
Aug 8 17:36:29 Aug 08 2013 17:37:20 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 220.227.90.61/51743 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 17:48:54 Aug 08 2013 17:49:46 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 188.165.55.37/45010 to 144.36.251.224/14719 flags SYN ACK on interface Outside
Aug 8 17:57:12 Aug 08 2013 17:58:03 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 188.165.55.37/45010 to 144.36.251.224/37064 flags SYN ACK on interface Outside
Aug 8 18:21:28 Aug 08 2013 18:22:20 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 120.194.3.98/14226 to 144.36.251.224/80 flags SYN on interface Outside
Aug 8 20:18:03 Aug 08 2013 20:18:56 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 174.37.60.234/80 to 144.36.251.224/61899 flags SYN ACK on interface Outside
Aug 8 20:46:55 Aug 08 2013 20:47:48 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 5.135.154.151/80 to 144.36.251.224/59592 flags SYN ACK on interface Outside
Aug 8 20:59:34 Aug 08 2013 21:00:26 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 112.65.240.228/2731 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 21:13:16 Aug 08 2013 21:14:08 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 221.180.18.158/6000 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 21:13:36 Aug 08 2013 21:14:28 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 188.138.82.218/5060 to 144.36.251.224/5060 on interface Outside
Aug 8 21:24:54 Aug 08 2013 21:25:47 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 195.207.5.44/37805 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 21:24:56 Aug 08 2013 21:25:48 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 195.207.5.44/37806 to 144.36.251.224/3389 flags SYN on interface Outside
Aug 8 22:15:40 Aug 08 2013 22:16:33 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:15:40 Aug 08 2013 22:16:33 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:15:44 Aug 08 2013 22:16:36 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:15:50 Aug 08 2013 22:16:43 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:16:02 Aug 08 2013 22:16:55 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:16:27 Aug 08 2013 22:17:19 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:16:56 Aug 08 2013 22:17:49 bngfw2135 : %ASA-2-106006: Deny inbound UDP from 125.198.14.21/61744 to 144.36.251.224/12858 on interface Outside
Aug 8 22:22:39 Aug 08 2013 22:23:32 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 193.198.30.65/1564 to 144.36.251.224/44237 flags SYN on interface Outside
Aug 8 22:22:42 Aug 08 2013 22:23:35 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 193.198.30.65/1564 to 144.36.251.224/44237 flags SYN on interface Outside
Aug 8 22:37:03 Aug 08 2013 22:37:56 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 5.39.36.85/30000 to 144.36.251.224/10831 flags SYN ACK on interface Outside
Aug 8 23:08:06 Aug 08 2013 23:08:58 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 123.63.125.51/52487 to 144.36.251.224/1433 flags SYN on interface Outside
Aug 8 23:42:23 Aug 08 2013 23:43:16 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 188.165.122.35/6005 to 144.36.251.224/12574 flags SYN ACK on interface Outside
Aug 8 23:42:26 Aug 08 2013 23:43:19 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 188.165.122.35/6005 to 144.36.251.224/12574 flags SYN ACK on interface Outside
Aug 8 23:42:32 Aug 08 2013 23:43:25 bngfw2135 : %ASA-2-106001: Inbound TCP connection denied from 188.165.122.35/6005 to 144.36.251.224/12574 flags SYN ACK on interface Outside
Please suggest further whether we are under attack or what.
Br/Subhojit
08-09-2013 06:07 AM
That's pretty typical for an Internet-facing address block. It's usually indicative of port scanning.
I wouldn't call it an attack as much as reconnaissance by script kiddies.
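A way to triage deny messages like the ones quoted in this thread, as an added example that is not part of the original replies: it parses the 106001, 106006/106007 and 106014 formats, separates bare SYN probes from TCP packets that match no connection (such as SYN ACK), and lists sources that probed several ports. The sample lines, the hostname `fw1`, the documentation-range addresses, the category names and the threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the ASA message formats quoted in the thread
SAMPLE_LOG = """\
Aug 08 2013 00:15:21 fw1 : %ASA-3-106014: Deny inbound icmp src Outside:198.51.100.7 dst Outside:192.0.2.224 (type 8, code 0)
Aug 08 2013 00:23:04 fw1 : %ASA-2-106001: Inbound TCP connection denied from 203.0.113.80/80 to 192.0.2.224/44257 flags SYN ACK on interface Outside
Aug 08 2013 00:40:41 fw1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.9/6000 to 192.0.2.224/1433 flags SYN on interface Outside
Aug 08 2013 00:52:41 fw1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.31/42266 to 192.0.2.224/3389 flags SYN on interface Outside
Aug 08 2013 00:52:44 fw1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.31/42266 to 192.0.2.224/3389 flags SYN on interface Outside
Aug 08 2013 01:45:04 fw1 : %ASA-2-106006: Deny inbound UDP from 198.51.100.70/50316 to 192.0.2.224/12858 on interface Outside
Aug 08 2013 05:41:17 fw1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.2/54049 to 192.0.2.224/3128 flags SYN on interface Outside
Aug 08 2013 05:41:58 fw1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.2/51721 to 192.0.2.224/1080 flags SYN on interface Outside
Aug 08 2013 05:42:04 fw1 : %ASA-2-106001: Inbound TCP connection denied from 198.51.100.2/44215 to 192.0.2.224/80 flags SYN on interface Outside
"""

TCP = re.compile(r"%ASA-2-106001: .* from (\S+)/(\d+) to (\S+)/(\d+) flags (.+?) on interface")
UDP = re.compile(r"%ASA-2-10600[67]: Deny inbound UDP from (\S+)/(\d+) to (\S+)/(\d+)")
ICMP = re.compile(r"%ASA-3-106014: Deny inbound icmp src \S+?:(\S+) dst \S+?:(\S+) \(type (\d+)")

def classify(line):
    """Return (category, source_ip, dst_port) for one deny line, or None."""
    if m := TCP.search(line):
        src, _sport, _dst, dport, flags = m.groups()
        # A bare SYN is a new connection attempt (a probe); anything else, such
        # as SYN ACK, belongs to a connection this firewall has no state for.
        return ("tcp-probe" if flags == "SYN" else "tcp-stray"), src, int(dport)
    if m := UDP.search(line):
        return "udp-probe", m.group(1), int(m.group(4))
    if m := ICMP.search(line):
        return ("icmp-echo" if m.group(3) == "8" else "icmp-other"), m.group(1), None
    return None

def triage(log_text, multi_port_threshold=3):
    """Count deny categories, probed ports, and sources that hit many ports."""
    kinds, ports, per_src = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, src, dport = hit
        kinds[kind] += 1
        if kind in ("tcp-probe", "udp-probe"):
            ports[dport] += 1
            per_src[src].add(dport)
    sweepers = sorted(s for s, p in per_src.items() if len(p) >= multi_port_threshold)
    return kinds, ports, sweepers

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Repeated lines with the same source port and destination are retransmissions of one attempt, so the per-source port set is a better indicator of a sweep than the raw line count.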
08-09-2013 07:14 AM
Hi,
What is the best possible way to mitigate this?
Do we need to make some changes on the ASA firewall, or do we need to take this case up with the ISP?
In case we need to take this up with the ISP, what will be our approach?
Br/Subhojit
08-09-2013 08:40 AM
Your security appliance is already mitigating the probes. That's what the "Inbound TCP Connection Denied" message is telling you.
If you don't want to see that particular log message you can disable it. See this article or the Configuration Guide for an explanation.
08-09-2013 08:52 AM
Hi,
Is any action required from the ISP side so that we do not get that hit/attack message?
Any blacklisting of the IP at the ISP end will resolve the issue?
Br/subhojit