05-28-2013 01:45 PM - edited 03-11-2019 06:50 PM
Looks like I am under attack.
How can I block these connections? 10.10.101.33 is not the IP address of any of my internal machines.
TCP OUTSIDE 42.237.252.206:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.205:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.205:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.205:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.205:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.204:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.204:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.204:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.204:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.203:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.203:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.203:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.203:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.202:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.202:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.202:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.202:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.201:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.201:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.201:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.201:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.200:6673 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.200:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
05-28-2013 01:54 PM
Hi,
To me it seems that the connections are indeed built from a host behind the INSIDE interface towards the Internet.
Are you saying that you don't even have a network with the 10.10.101.x/yy in your LAN? Or just that you shouldn't have a host with that IP address?
One thing to make the ASA check the routing table against a source IP address on the INSIDE could be achieved with the following command:
ip verify reverse-path interface INSIDE
Have you tried to determine where the traffic is coming from?
Naturally you could also block the connection with ACL from ever trying to form through the firewall.
- Jouni
05-28-2013 02:07 PM
Hi, I don't have this subnet in my LAN; on my inside, traffic just gives stars since there is no VLAN for said subnet.
Yes, it looks to be coming from inside, but on my inside core switch I don't show any ARP or route for this strange IP.
Not sure how to find it.
ip verify reverse-path interface INSIDE: does this command cause any CPU spike? I am running in production right now, though with slow internet response due to the above issue.
How can I find the source? It's kind of a fake source.
05-28-2013 02:17 PM
Hi,
I am not sure of the command's effect on the performance.
Either you use the command or block the connections with an ACL, and then start tracking down the host causing this.
The command I suggested will essentially check the ASA's routing table against the source IP address. If the routing table doesn't contain that IP address or a network to which it belongs, then the ASA drops the packet.
Are there a lot of connection attempts on your firewall constantly? Are you able to check the core switch from where the traffic volume is higher to track down the host?
Is the core switch a L3 device or is the network behind the ASA purely L2?
- Jouni
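The reverse-path check Jouni describes and the scan pattern visible in the posted show conn output, as an added Python example that is not part of the thread: it parses show conn lines, flags inside sources the routing table would not reach via INSIDE, summarises zero-byte connections per inside host, and emits the ACL entries that would block the offenders. The sample lines are constructed from the thread's output, and the INSIDE_ROUTES subnet, the INSIDE_IN ACL name and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the thread's "show conn" lines, plus one normal connection.
SAMPLE_CONN = """\
TCP OUTSIDE 42.237.252.206:1433 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.205:135 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 42.237.252.205:3306 INSIDE 10.10.101.33:8888, idle 0:00:00, bytes 0, flags saA
TCP OUTSIDE 203.0.113.10:443 INSIDE 192.168.1.25:51022, idle 0:00:03, bytes 18342, flags UIO
"""
# Assumed (hypothetical): the only networks the ASA routes via INSIDE.
INSIDE_ROUTES = [ipaddress.ip_network("192.168.0.0/16")]
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<oif>\S+) (?P<oip>[\d.]+):(?P<oport>\d+) "
    r"(?P<iif>\S+) (?P<iip>[\d.]+):(?P<iport>\d+), idle (?P<idle>\S+), "
    r"bytes (?P<bytes>\d+), flags (?P<flags>\S+)$")

def parse_conn(text):
    """Parse 'show conn' lines into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"], d["oport"] = int(d["bytes"]), int(d["oport"])
            conns.append(d)
    return conns

def rpf_violations(conns, inside_routes=INSIDE_ROUTES):
    """What 'ip verify reverse-path interface INSIDE' enforces: drop inside sources not routed via INSIDE."""
    return [c for c in conns
            if not any(ipaddress.ip_address(c["iip"]) in n for n in inside_routes)]

def embryonic_summary(conns):
    """Per inside host: zero-byte conns, distinct outside hosts and ports (the thread's scan pattern)."""
    acc = defaultdict(lambda: {"count": 0, "hosts": set(), "ports": set()})
    for c in conns:
        if c["bytes"] == 0:
            acc[c["iip"]]["count"] += 1
            acc[c["iip"]]["hosts"].add(c["oip"])
            acc[c["iip"]]["ports"].add(c["oport"])
    return {ip: {"count": a["count"], "hosts": len(a["hosts"]), "ports": sorted(a["ports"])}
            for ip, a in acc.items()}

def acl_lines(violations, acl="INSIDE_IN"):
    """ASA extended-ACL entries blocking each offending source (the interim option Jouni mentions)."""
    return [f"access-list {acl} extended deny ip host {ip} any"
            for ip in sorted({c["iip"] for c in violations})]
```

Apply the generated entries with access-group on the INSIDE interface only after confirming the address is really not routed there; the summary tells you which switch port to chase by showing one inside source hitting many outside hosts on the same few ports with no data exchanged.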