03-22-2015 11:12 PM - edited 03-12-2019 06:08 PM
Hello
I checked my conn table on my ASA, and every day I find that IP address 111.111.111.111 hits all my internal IPs with TCP traffic, as below:
TCP outside 111.111.111.111:80 inside 10.0.0.128:59483, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.37:52026, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.31:57066, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.164:51935, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.164:51934, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.128:59482, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.163:62347, idle 0:00:00, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.53:59607, idle 0:00:03, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.34:62049, idle 0:00:03, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.128:59481, idle 0:00:06, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.37:52025, idle 0:00:06, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.31:57065, idle 0:00:06, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.164:51933, idle 0:00:06, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.163:62346, idle 0:00:07, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.34:62048, idle 0:00:07, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.53:59605, idle 0:00:08, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.53:59604, idle 0:00:10, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.34:62047, idle 0:00:10, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.31:57064, idle 0:00:13, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.128:59480, idle 0:00:13, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.37:52024, idle 0:00:13, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.31:57063, idle 0:00:13, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.164:51932, idle 0:00:13, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.163:62345, idle 0:00:14, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.37:52023, idle 0:00:15, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.53:59602, idle 0:00:17, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.34:62046, idle 0:00:17, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.128:59479, idle 0:00:20, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.37:52021, idle 0:00:20, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.31:57060, idle 0:00:20, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.164:51931, idle 0:00:20, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.163:62343, idle 0:00:21, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.53:59601, idle 0:00:24, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.34:62045, idle 0:00:24, bytes 0, flags saA
Every day I have to clear conn address 111.111.111.111, but after 20 sec all the conns are created again. I added the below command:
access-list out extended deny tcp host 111.111.111.111 any // out access list applied on outside interface//
Any idea how to stop the traffic from this IP address 111.111.111.111?
Thanks
03-23-2015 05:00 AM
These connections don't come from the outside, they are initiated from your internal PCs to the outside. That could have multiple reasons like compromised PCs or just a misconfiguration.
On one of your affected PCs, you can try to find out which process is responsible for this traffic:
netstat -b -p TCP
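An added triage script (not from the thread) that parses lines in the poster's show conn format and reports, per inside host, how many connections to the outside address are inside-initiated and still embryonic, which is the evidence behind the answer above; the flag meanings follow the ASA show conn legend (B = initial SYN from outside, U = up) and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the same format as the poster's "show conn" output:
# three beacons to the suspect host, one healthy session, one outside-initiated one.
SAMPLE_CONN = """\
TCP outside 111.111.111.111:80 inside 10.0.0.128:59483, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.37:52026, idle 0:00:02, bytes 0, flags saA
TCP outside 111.111.111.111:80 inside 10.0.0.128:59482, idle 0:00:02, bytes 0, flags saA
TCP outside 203.0.113.9:443 inside 10.0.0.5:50122, idle 0:00:01, bytes 5120, flags UIO
TCP outside 198.51.100.7:41022 inside 10.0.0.80:22, idle 0:00:09, bytes 0, flags saAB
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<oif>\S+)\s+(?P<oip>[\d.]+):(?P<oport>\d+)\s+"
    r"(?P<iif>\S+)\s+(?P<iip>[\d.]+):(?P<iport>\d+),\s+idle\s+(?P<idle>[\d:]+),\s+"
    r"bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S+)$"
)

def parse_conn(line):
    """Parse one show conn line into a dict, or return None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = int(d["bytes"])
    # 'B' marks an initial SYN from the outside interface; without it the inside
    # host opened the connection, so an ACL on the outside interface cannot stop it.
    d["initiator"] = "outside" if "B" in d["flags"] else "inside"
    # Embryonic: handshake never completed ('U' not set) and no payload moved.
    d["embryonic"] = "U" not in d["flags"] and d["bytes"] == 0
    return d

def summarize(text, outside_ip):
    """Count conns to outside_ip, how many the inside started, and which inside hosts."""
    conns = [c for c in map(parse_conn, text.splitlines()) if c]
    hits = [c for c in conns if c["oip"] == outside_ip]
    return {
        "total": len(hits),
        "inside_initiated": sum(c["initiator"] == "inside" for c in hits),
        "embryonic": sum(c["embryonic"] for c in hits),
        "inside_hosts": Counter(c["iip"] for c in hits),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_CONN, "111.111.111.111")
    print(f"{s['total']} conns, {s['inside_initiated']} inside-initiated, {s['embryonic']} embryonic")
    for host, n in s["inside_hosts"].most_common():
        print(f"  {host}: {n}")  # these are the PCs to run netstat on
```

Feed it the real `show conn address 111.111.111.111` output to get the list of inside hosts worth checking first.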