I got nailed today - PIX 535 (7.0.3) Help Please

Biff98
Level 1

Hi all,

Hopefully you can help me out...  I can't decide if we've got a firewall that was exploited (possible given the old-ish code) or a host that's been compromised.

The story is this --- All of a sudden the PIX cpu load spiked to 98+%.  Pings were < 50% thus making TCP communications useless.  I eventually traced the problem down to our DMZ interface.  It eventually subsided, and after a few interface resets, things got better.

The logs are like this.....

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/52365 dst outside:YY.YY.YY.YY/58934 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/45880 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/41237 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/21060 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/21770 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/35153 by access-group "acl_dmz"

2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/42539 by access-group "acl_dmz"

They continued at a rate of 6,500 or so connections per second.

This undoubtedly brought the firewall to its knees.

I took a good long look at the host and it's not obviously hacked.  More inspection tomorrow.

Any thoughts on if this could have been the firewall being exploited?  Thanks very much in advance.

4 Replies

svaish
Level 1

You should first check if the traffic was legitimate or not. If not, then check the host for malicious activity.

Sachin

I continued looking at the host.  The likelihood of that host being able to send that much traffic is VERY low.  After further inspection the likelihood of that host being hacked is also VERY low.

Thanks anyway.

How did you isolate the issue to this host?

Did you trace the MAC address?

Sachin

The likelihood is either that you have done changes in your access-list or that your host was compromised and that it was used to try to attack and DOS a server (which we all know as YY.YY.YY.YY now).

My guess would be the second option.

Same program (same port) is sending UDP messages to many different ports on another system?

Highly irregular traffic pattern, I would say.

But perfect to fill up someone's Internet link.

Good luck

HTH
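The %PIX-4-106023 lines quoted in the question, and the "one source port spraying many destination ports on one host" shape the last reply points out, can be checked mechanically from the syslog export instead of by eye. The script below is an added example, not code from the thread or from Cisco; the log lines in it are constructed with placeholder RFC 5737 addresses, and the threshold of four distinct destination ports is an assumption to tune for your own network.

```python
import re
from collections import defaultdict

# Regex for the PIX deny message format quoted in the thread.
LOG_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample lines (placeholder addresses, not from the thread).
SAMPLE_LOG = """\
2012 Feb 28 10:15:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.7/45880 by access-group "acl_dmz"
2012 Feb 28 10:15:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.7/41237 by access-group "acl_dmz"
2012 Feb 28 10:15:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.7/21060 by access-group "acl_dmz"
2012 Feb 28 10:15:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.7/21770 by access-group "acl_dmz"
2012 Feb 28 10:15:02 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/52365 dst outside:198.51.100.7/58934 by access-group "acl_dmz"
2012 Feb 28 10:15:02 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.22/53 dst outside:198.51.100.9/53 by access-group "acl_dmz"
"""

def parse_denies(text):
    """Yield one dict per 106023 deny line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def find_port_sprays(text, min_dst_ports=4):
    """Return {(src_ip, dst_ip): (deny_count, distinct_dst_ports, src_ports)}
    for source/destination pairs whose denied flows hit at least
    min_dst_ports distinct destination ports (the fan-out shape above).
    A normal host (e.g. DNS to one port) does not trip this."""
    counts = defaultdict(int)
    dst_ports = defaultdict(set)
    src_ports = defaultdict(set)
    for d in parse_denies(text):
        key = (d["src_ip"], d["dst_ip"])
        counts[key] += 1
        dst_ports[key].add(int(d["dst_port"]))
        src_ports[key].add(int(d["src_port"]))
    return {k: (counts[k], len(dst_ports[k]), sorted(src_ports[k]))
            for k in counts if len(dst_ports[k]) >= min_dst_ports}

if __name__ == "__main__":
    for (src, dst), (n, nports, sports) in find_port_sprays(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} denies, {nports} dst ports, src ports {sports}")
```

Feed it the real export instead of SAMPLE_LOG and the flagged pair tells you which DMZ host to pull off the wire and inspect; the MAC address on that interface (the question the second reply asks) confirms it is the host and not a spoofed source.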
