02-28-2012 10:19 PM - edited 03-11-2019 03:36 PM
Hi all,
Hopefully you can help me out... I can't decide if we've got a firewall that was exploited (possible given the old-ish code) or a host that's been compromised.
The story is this --- All of a sudden the PIX cpu load spiked to 98+%. Pings were < 50% thus making TCP communications useless. I eventually traced the problem down to our DMZ interface. It eventually subsided, and after a few interface resets, things got better.
The logs are like this.....
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/52365 dst outside:YY.YY.YY.YY/58934 by access-group "acl_dmz"
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/45880 by access-group "acl_dmz"
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/41237 by access-group "acl_dmz"
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/21060 by access-group "acl_dmz"
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/21770 by access-group "acl_dmz"
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/35153 by access-group "acl_dmz"
2012 Feb 28 ##:##:## firewall %PIX-4-106023: Deny udp src dmz:XX.XX.XX.XX/55376 dst outside:YY.YY.YY.YY/42539 by access-group "acl_dmz"
They continued at a rate of 6,500 or so connections per second.
This undoubtedly brought the firewall to its knees.
I took a good long look at the host and it's not obviously hacked. More inspection tomorrow.
Any thoughts on if this could have been the firewall being exploited? Thanks very much in advance.
03-05-2012 01:21 AM
You should first check if the traffic was legitimate or not. If not, then check the host for malicious activity.
Sachin
03-05-2012 06:27 AM
I continued looking at the host. The likelihood of that host being able to send that much traffic is VERY low. After further inspection, the likelihood of that host being hacked is also VERY low.
Thanks anyway.
03-05-2012 06:57 AM
How did you isolate the issue to this host?
Did you trace the MAC address?
Sachin
03-05-2012 07:04 AM
The likelihood is either that you have done changes in your access-list or that your host was compromised and that it was used to try to attack and DOS a server (which we all know as YY.YY.YY.YY now).
my guess would be the second option.
same program (same port) is sending UDP messages to many different ports on another system ?
highly irregular traffic pattern i would say.
but perfect to fill up someone's Internet link
Good luck
HTH
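A defender-side check for the pattern that both the log excerpt in the first post and the reply above describe (one DMZ source port fanning out to many destination ports on a single outside host): this is an added Python example, not code from the thread or from Cisco. The %PIX-4-106023 line format is taken from the logs as posted; the addresses, timestamps and the five-port threshold are assumptions.

```python
# Added example, not the thread's own code: flag one UDP source socket spraying many dst ports.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ %PIX-4-106023: "
    r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)

def parse_line(line):
    """Fields of one 106023 deny line, or None for any other message."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_port_sprays(lines, min_distinct_dports=5):
    """Group denied UDP flows by (src ip, src port, dst ip); return the groups
    where one source socket hit many distinct dst ports, with peak denies/sec."""
    dports = defaultdict(set)
    per_sec = defaultdict(lambda: defaultdict(int))  # key -> second -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "udp":
            continue
        key = (rec["sip"], rec["sport"], rec["dip"])
        dports[key].add(rec["dport"])
        per_sec[key][rec["ts"]] += 1
    return {key: {"events": sum(per_sec[key].values()),
                  "distinct_dports": len(ports),
                  "peak_per_sec": max(per_sec[key].values())}
            for key, ports in dports.items() if len(ports) >= min_distinct_dports}

# Constructed sample mirroring the thread (RFC 5737 addresses, made-up timestamps).
SAMPLE_LOG = [
    '2012 Feb 28 21:05:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/52365 dst outside:198.51.100.20/58934 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.20/45880 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.20/41237 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:01 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.20/21060 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:02 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.20/21770 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:02 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.20/35153 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:02 firewall %PIX-4-106023: Deny udp src dmz:192.0.2.10/55376 dst outside:198.51.100.20/42539 by access-group "acl_dmz"',
    '2012 Feb 28 21:05:02 firewall %PIX-4-106023: Deny tcp src dmz:192.0.2.11/40001 dst outside:198.51.100.30/25 by access-group "acl_dmz"',
]
```

Running `find_port_sprays(SAMPLE_LOG)` over a real syslog export gives, per source socket, how many denies it produced and at what peak rate, which is what separates a single misbehaving DMZ host from a general ACL change.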