ASA5506-X Showing False SYN Attack

andysmithor
Level 1

Hello,

This could be due to pure ignorance on my part, but I noticed odd behavior on one of the ASAs I manage.

There were a couple of clients showing as the source IP for a SYN Attack. Of course, I jumped to malware and scanned the heck out of one of the clients. In the meantime, I arrived onsite and jumped on my machine. While monitoring, my device was flagged as a SYN Attack.

After doing a little more digging, it looks like some legit traffic (Microsoft, LogMeIn, etc.) is being flagged. Is this simply because of the breakdown of the TCP handshake?

4 Replies

Ajay Saini
Level 7

Hello,

It could be a false positive; it depends on the feature which triggered these logs - was it threat-detection or an MPF policy? If you are sure that it's a false positive, you can tweak the policy to increase the values which are the criteria for a SYN attack on the ASA.

Where did you find the false SYN attack, was it syslog or some other tool?

-

HTH

AJ

Where exactly can the IPS TCP SYN threshold be changed?

Can you share the GUI menu or CLI command, if that's the case?

Thanks!

andysmithor
Level 1

It's a view segment in the ADMIN GUI for the ASA. I check it out occasionally and they always seem to point to legit IPs. I think it's just dropped packets triggering the alert. No issues with the network because of this, just looking into it.

Thanks for the reply.

Hello,

If you are referring to 'top usage status', that setting is controlled by the threat detection feature, which can be adjusted here:

configuration > firewall > threat detection

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/asdm77/general/asdm-77-general-config/intro-asdm.html

-

HTH

AJ
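The two replies above say that the SYN-attack flag comes from the ASA's rate-based threat detection and that raising its threshold values is the way to stop legitimate bursts (Microsoft, LogMeIn and similar) from being reported. The following Python script, added here as an illustration and not code from Cisco or from anyone in this thread, models that rate check so you can see why a short burst from a legitimate client trips the burst-rate threshold while the average-rate threshold stays quiet, and what raising the burst value does. It assumes the documented shape of the ASA policy (a rate interval in seconds, an average-rate and a burst-rate in events per second) and, as a further assumption based on my reading of the ASA threat-detection documentation, that the burst rate is averaged over the larger of 10 seconds or 1/30 of the rate interval. The per-second event counts are constructed sample data; the default-looking numbers in `DEFAULT_SYN_ATTACK_POLICY` are placeholders to tune, not a statement of your ASA's configuration.

```python
"""Model of a rate-based threat-detection check (illustrative, not Cisco code).

One 'event' is whatever the ASA counts toward its SYN-attack object; the
script only cares about how many of them happen per second.
"""

# Placeholder policy shaped like the ASA threat-detection rate settings
# (assumption: rate_interval in seconds, rates in events per second).
DEFAULT_SYN_ATTACK_POLICY = {
    "rate_interval": 600,   # seconds over which the average is computed
    "average_rate": 100,    # events/second that trip the average alert
    "burst_rate": 200,      # events/second that trip the burst alert
}


def burst_window(rate_interval: int) -> int:
    """Assumed burst window: 1/30 of the rate interval or 10 s, whichever is larger."""
    return max(10, rate_interval // 30)


def evaluate_syn_rates(per_second_events: list[int], policy: dict) -> dict:
    """Compute the average and burst rates over the trailing windows and
    report which thresholds would fire.

    per_second_events: constructed counts, one integer per second, oldest first.
    Returns a dict with the computed rates and the list of fired thresholds.
    """
    interval = policy["rate_interval"]
    avg_samples = per_second_events[-interval:]          # trailing rate interval
    burst_samples = per_second_events[-burst_window(interval):]  # trailing burst window

    average_rate = sum(avg_samples) / len(avg_samples)
    burst = sum(burst_samples) / len(burst_samples)

    fired = []
    if average_rate > policy["average_rate"]:
        fired.append("average-rate")
    if burst > policy["burst_rate"]:
        fired.append("burst-rate")

    return {"average_rate": average_rate, "burst_rate": burst, "fired": fired}


def with_raised_burst(policy: dict, burst_rate: int) -> dict:
    """Return a copy of the policy with a higher burst threshold (the tuning
    step the thread suggests for a confirmed false positive)."""
    tuned = dict(policy)
    tuned["burst_rate"] = burst_rate
    return tuned


# Constructed sample: a quiet client (5 events/s for 580 s) that then opens a
# burst of connections for 20 s (250 events/s), e.g. a cloud app starting up.
SAMPLE_EVENTS = [5] * 580 + [250] * 20


if __name__ == "__main__":
    default = evaluate_syn_rates(SAMPLE_EVENTS, DEFAULT_SYN_ATTACK_POLICY)
    print("default policy:", default)
    # The 600 s average is ~13/s (well under 100), but the 20 s burst is 250/s,
    # so only the burst-rate threshold fires: a legitimate burst looks like an attack.

    tuned = evaluate_syn_rates(SAMPLE_EVENTS, with_raised_burst(DEFAULT_SYN_ATTACK_POLICY, 400))
    print("raised burst threshold:", tuned)
    # With burst_rate raised above the client's peak, nothing fires.
```

Run it against your own per-second counts (for example, exported from the ASA's syslog or connection statistics) to see which of the two thresholds a flagged client is actually crossing before you raise either value; raising the average-rate threshold when only the burst threshold fires changes nothing, and raising the burst threshold too far blinds the ASA to a real short flood.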
