05-29-2011 10:58 AM - edited 03-11-2019 01:39 PM
Any ideas on how to take care of this one? I have checked my NAT statements and there is nothing out of the ordinary there.
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324026 for internet:66.75.164.90/53 to dmz:10.0.0.50/54442 duration 0:00:00 bytes 118
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324027 for internet:66.75.164.90/53 to dmz:10.0.0.50/35174 duration 0:00:00 bytes 118
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324028 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/39467 (24.199.12.35/39467)
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324028 for internet:66.75.164.90/53 to dmz:10.0.0.50/39467 duration 0:00:00 bytes 80
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324029 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/51151 (24.199.12.35/51151)
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324063 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/60028 (24.199.12.35/60028)
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324062 for internet:66.75.164.90/53 to dmz:10.0.0.50/35822 duration 0:00:00 bytes 118
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324064 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/36502 (24.199.12.35/36502)
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324063 for internet:66.75.164.90/53 to dmz:10.0.0.50/60028 duration 0:00:00 bytes 118
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302014: Teardown TCP connection 324001 for internet:173.194.8.212/80 to inside:172.16.0.239/59375 duration 0:00:05 bytes 2555479 <snp_drop_none>
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 172.16.0.239/59375 to 173.194.8.212/80 flags RST on interface inside
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 172.16.0.239/59375 to 173.194.8.212/80 flags RST on interface inside
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 172.16.0.239/59375 to 173.194.8.212/80 flags RST on interface inside
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 172.16.0.239/59375 to 173.194.8.212/80 flags RST on interface inside
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:30 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324064 for internet:66.75.164.90/53 to dmz:10.0.0.50/36502 duration 0:00:00 bytes 80
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324069 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/53037 (24.199.12.35/53037)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/61510 flags ACK on interface internet
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324123 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/56249 (24.199.12.35/56249)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324122 for internet:66.75.164.90/53 to dmz:10.0.0.50/49909 duration 0:00:00 bytes 118
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324123 for internet:66.75.164.90/53 to dmz:10.0.0.50/56249 duration 0:00:00 bytes 80
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324124 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/42127 (24.199.12.35/42127)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 322707 for internet:66.75.164.90/53 to dmz:10.0.0.50/33909 duration 0:02:01 bytes 31
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324125 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/46576 (24.199.12.35/46576)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324124 for internet:66.75.164.90/53 to dmz:10.0.0.50/42127 duration 0:00:00 bytes 118
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324126 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/51146 (24.199.12.35/51146)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324125 for internet:66.75.164.90/53 to dmz:10.0.0.50/46576 duration 0:00:00 bytes 118
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324126 for internet:66.75.164.90/53 to dmz:10.0.0.50/51146 duration 0:00:00 bytes 80
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324127 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/38131 (24.199.12.35/38131)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324128 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/35403 (24.199.12.35/35403)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324127 for internet:66.75.164.90/53 to dmz:10.0.0.50/38131 duration 0:00:00 bytes 118
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324129 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/42772 (24.199.12.35/42772)
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324128 for internet:66.75.164.90/53 to dmz:10.0.0.50/35403 duration 0:00:00 bytes 118
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302016: Teardown UDP connection 324129 for internet:66.75.164.90/53 to dmz:10.0.0.50/42772 duration 0:00:00 bytes 80
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302015: Built outbound UDP connection 324130 for internet:66.75.164.90/53 (66.75.164.90/53) to dmz:10.0.0.50/54368 (24.199.12.35/54368)
May 29 10:56:34 172.16.0.254 gateway %ASA-2-106017: Deny IP due to Land Attack from 24.199.12.35 to 24.199.12.35
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302014: Teardown TCP connection 324131 for internet:24.199.12.35/25 to dmz:10.0.0.50/39317 duration 0:00:00 bytes 0 looping-address
May 29 10:56:34 172.16.0.254 gateway %ASA-6-302014: Teardown TCP connection 324074 for internet:173.194.8.212/80 to inside:172.16.0.239/59376 duration 0:00:04 bytes 1767079 TCP Reset-I
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/47957 flags ACK on interface internet
May 29 10:56:34 172.16.0.254 gateway %ASA-6-106015: Deny TCP (no connection) from 173.194.8.212/80 to 24.199.12.34/47957 flags ACK on interface internet
Running ASA 8.4
05-29-2011 11:10 AM
Hi Jimmy,
If you want to further investigate which particular host is sending the land attack, then you might need to take captures on the firewall. The captures would be as follows:
access-list cap permit ip ho 24.199.12.35 ho 24.199.12.35
capture capin access-list cap interface inside
capture capo access-list cap interface outside
After applying the captures, if you see the log again, then check the captures:
show cap capin detail
show cap capo detail
You will get the MAC address of the host sending the attack; track it down in the network.
Hope this helps.
Thanks,
Varun
05-29-2011 01:23 PM
Did as described, but what's weird is that nothing got captured on either of the ACLs.
I let it run over an hour.
Any other suggestions?
05-29-2011 04:45 PM
Hi Jimmy...
Apply the capture to all your interfaces. Expect something in the capture the next time you see the syslog. Once you have a packet captured, you'll use the source MAC to identify where it came from.
05-29-2011 05:21 PM
I see nothing in any of the captures when I set them up. Here's what I used:
access-list cap permit ip ho 24.199.12.35 ho 24.199.12.35
capture cap-inside access-list cap interface inside
capture cap-internet access-list cap interface internet
capture cap-dmz access-list cap interface dmz
After I applied this, I waited until I had seen 5 instances in the syslog on the server before I killed it.
05-29-2011 07:22 PM
OK then, let's tweak the captures a bit. Let's use the ACL:
access-list cap permit ip any ho 24.199.12.35
capture cap-inside access-list cap interface inside
capture cap-internet access-list cap interface internet
capture cap-dmz access-list cap interface dmz
Then, when you see any instance of the attack, collect the captures in pcap format. Here's how to do it
from the browser window:
https://
https://
https://
Save the files and open them in Wireshark, analyze the captures to find the packets where the source and destination are the same, and check the source MAC of those packets.
Thanks,
Varun
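Both of Varun's replies come down to the same check: in the capture, find the packets whose source and destination IP are identical and read off the source MAC. As an added example (not from this thread or from Cisco), here is a dependency-free Python reader for a classic .pcap file, such as one saved from the ASA, that does exactly that; the capture bytes and the two MAC addresses are constructed for illustration, while the 24.199.12.35 address is the one from the syslog above.

```python
import struct

def iter_frames(pcap):
    """Yield the raw Ethernet frames of a classic libpcap (.pcap) byte string."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):  # 16-byte per-packet record header
        incl_len = struct.unpack_from(endian + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def find_land_packets(pcap):
    """(source MAC, IP, protocol) for each IPv4 packet whose source and
    destination address are identical: what the ASA logs as a Land Attack."""
    hits = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # skip non-IPv4 frames
            continue
        src_ip, dst_ip = frame[26:30], frame[30:34]
        if src_ip == dst_ip:
            src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
            hits.append((src_mac, ".".join(map(str, src_ip)), frame[23]))
    return hits

# Constructed sample capture (not from the poster's firewall); MACs are placeholders.
def eth_ipv4(src_mac, dst_mac, src_ip, dst_ip, proto):
    ip_hdr = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto, 0, 0]) + src_ip + dst_ip
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr

def build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return bytes(out)

DMZ_MAC, SUSPECT_MAC = bytes.fromhex("0000aabbcc01"), bytes.fromhex("0000aabbcc02")
PUBLIC = bytes([24, 199, 12, 35])
SAMPLE_PCAP = build_pcap([
    eth_ipv4(DMZ_MAC, SUSPECT_MAC, bytes([10, 0, 0, 50]), bytes([66, 75, 164, 90]), 17),
    eth_ipv4(SUSPECT_MAC, DMZ_MAC, PUBLIC, PUBLIC, 6),  # src == dst: the looping packet
])
```

On a real file, replace SAMPLE_PCAP with the bytes read from the saved capture; the MAC returned is the last hop that forwarded the packet, so walk the switch MAC tables from there.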
05-29-2011 09:35 PM
Reverted back to the 8.2 and the issue went away.
Also fixed other issues I'm having as well.
Thank you all for helping.