To protect against SYN attacks we have created a global maximum to half open connections. Currently 500 embryonic connections.
It is working pretty fine now. When the maximum count is reached SYSLOG shows the following message:
|6||Oct 20 2016||12:11:14||201010||<PRIVATE IP>||40333||<PUBLIC IP>||80||Embryonic connection limit exceeded 500/500 for input packet from <PRIVATE_IP>/40333 to <PUBLIC IP>/80 on interface inside|
Just need to confirm a couple of things here please:
From what I see this is some portscanning that is taking place by compromised host residing on my network (inside). What I am trying to do is to contact my users and send them a list of all the public IPs their possibly infected host/IP is scanning along with the ports so that they take the necessary action. I do not want to start using threat-detection with SHUN before I get hold of this report.
I was thinking of sh local-host <private_IP> and looking at Conn but it lists legitimate connections too. How can I only list scanned destinations and ports only?
I am using ASA5550 by the way.
Good to hear that embryonic connection configuration is working fine. To answer your questions :
a) Yes you have analyzed it correctly connection is from inside to outside, some local machine using a random source port is making a connection to a public IP on port 80. It might be legitimate, might not be. That needs to be checked by tracking the local IP address and also utilizing its mac address and then checking the infected machine itself.
b) Well it is actually tough to just drill down with one single output, but you can try a few outputs :
sh local-host connection tcp 500
sh local-host x.x.x.x (once you identify the IP address of local user)
sh local-host connection embryonic
Unfortunately ASA does not know which is legitimate and which is not, it only takes action on the basis of the set of policies configured on it.
Hope this helps.
Thanks. I am a bit confused here about something though.
Aren't embryonic connections already considered illegitimate? Aren't they all half open and therefore sort of categorized as SYN or scan attacks?
So am I stuck with this then? We have tons of logs indicating that Embryonic attacks exceed the maximum configured.
I agree with what you say, yes embryonic connections are somewhat illegitimate and ASA is doing what it is suppose to do.
If we have continuous issues of embryonic connections limit reached, then we really need to identify the machines and track them down.
That is the only way ASA can help in this case, as it is already dropping the traffic as per configuration.
Let me know if you have any specific query in regards to this, and I will try to answer.
Great. Let me share with you my goal then.
Lets say I get numerous logs indicating a particular IP is exceeding max embryonic connection. Here is an example log message from the live network:
%ASA-6-201010: Embryonic connection limit exceeded 500/500 for input packet from StaticSiteA/36293 to 22.214.171.124/23 on interface inside
To get more details about connections I execute the command: ASA-Internet#
sh local-host StaticSiteA
Output (attached) and below is a sample of this output:
TCP outside 126.96.36.199:23 inside StaticSiteA:53385, idle 0:00:00, bytes 0, flags saA
TCP outside 188.8.131.52:30899 inside StaticSiteA:22, idle 0:00:11, bytes 249, flags UFIB
Knowing that this is a continuous and ongoing behavior with this host, my question now is, how can I pinpoint the connection details for this seemingly ongoing attack/scan from that host? Should I be looking for a particular flag for example, say saA and ignore other flags or should I be using another command altogether?
In the above example and as attached it appears that this host is continuously scanning port 23 targeting many IPs on the outside interface. Correct?
I had a look at the output and what I understand from it is that I see only two categories of flags : "saA" and "UFIB".
Going with the following link :
It is pretty clear that "saA" means that inside machine sent "syn" to an outside public IP and is waiting for a reply and thus showing the
particular connection flag.
Similarly, "UFIB" means that from outside someone initiated ssh traffic to inside host and three way handshake completed after which the outside
IP also sent a FIN after some data transfer.
So I think the local machine has a legitimate access from outside, but the question is why is the internal machine initiating random SYN packets.
We must check the local machine.
Honestly these are the commands that we use usually and some that I mentioned above and yes you are right, connection flasg are very important.
On basis of that, we need to take action.
ASA can only tell about the packets and connections, then we need to get the traffic checked at the local machine.
If it is in directly connected subnet, then you can also look for it's mac address and can check further on the local machine.
Please rate helpful posts.