03-11-2021 11:00 AM
Hi. I'm new to networking, I have bought a Cisco ASA 5505 and deployed it as an edge router. Everything works normally.
Today I figured I would just log into ASDM and check whether it is really preventing attempts to log in to the firewall from outside.
Of course I had a lot of attempts to open connections on ports 22, 23 and 443, which was obvious. But I saw something I can't explain to myself, and the severity of those logs is CRITICAL compared to the normal attempts, which are ERRORS.
These are the entries I'm worried about:
2 Mar 11 2021 18:40:42 106001 45.57.36.145 443 192.168.1.195 46730 Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46730 flags ACK on interface outside
2 Mar 11 2021 18:40:42 106001 45.57.36.145 443 192.168.1.195 46728 Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46728 flags ACK on interface outside
2 Mar 11 2021 18:36:45 106001 69.16.175.10 443 192.168.1.100 45952 Inbound TCP connection denied from 69.16.175.10/443 to 192.168.1.100/45952 flags RST on interface outside
2 Mar 11 2021 18:24:56 106001 52.17.24.53 443 192.168.1.100 45668 Inbound TCP connection denied from 52.17.24.53/443 to 192.168.1.100/45668 flags FIN ACK on interface outside
2 Mar 11 2021 18:24:49 106001 34.234.28.0 443 192.168.1.100 45653 Inbound TCP connection denied from 34.234.28.0/443 to 192.168.1.100/45653 flags FIN ACK on interface outside
2 Mar 11 2021 17:44:49 106001 157.240.205.1 443 192.168.1.197 44356 Inbound TCP connection denied from 157.240.205.1/443 to 192.168.1.197/44356 flags RST on interface outside
What confuses me is that the normal attempts come from a random port to a well-known port. In this case it's the other way around, and it looks as if some web server wanted to connect to my internal devices behind NAT. On .1.195 Netflix was running in the background with the video stopped, and DNS also says it's Netflix. .1.100 is my laptop, where only ASDM was open. .1.197 was my Android device connected to WiFi.
Should I really be worried about these entries, or is this something normal that ASDM flags as malicious?
Would be thankful for a response,
Greets
Accepted Solutions
03-11-2021 09:36 PM
I've seen a lot of those and they always belong to old legitimate sessions; most probably the remote server never received the FIN packet and tries to resume the session.
03-11-2021 12:03 PM
The Cisco firewall does stateful inspection, which means that for what goes from inside to outside the ASA keeps a record of the connection; you can confirm this by using the command "show conn" on the ASA. Now if someone from outside tries to initiate a connection, in your case from outside, the ASA will block/drop the connection and log the message to syslog, unless you are allowing the connection from outside to inside, but normally you won't do that.
If you have a normal router and set up logging you will notice that there are so many bots trying to reach your network (I mean your broadband public IP address).
Of course, a firewall gives you the protection to block unnecessary traffic.
03-11-2021 12:40 PM - edited 03-11-2021 12:40 PM
Yes - I did mention those normal attempts which I see, but they're trying to connect from a dynamic port to a well-known port (it's normal when they want to SSH into my edge router).
I just can't understand one thing: normally it just says something like this:
3 Mar 11 2021 20:20:49 710003 24.43.232.99 652 83.146.x.z 23 TCP access denied by ACL from 24.43.232.99/652 to outside:83.146.x.z/23
but in this case those attempts were different. What exactly do those errors mean, specifically the TCP flags (regarding the errors from the 1st post)?
03-11-2021 02:15 PM
The syslog message related to these errors is 106001; this message means "a TCP packet arrived for which no connection state exists in the ASA, and it was dropped".
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4768860
From your output you can determine these packets are FIN or RST... this is probably an RST/FIN flood attack
https://ddos-guard.net/en/terminology/attack_type/rst-or-fin-flood
"During an RST / FIN Flood attack, the victim server is bombarded with fake RST or FIN packets that have no connection to any of the sessions stored in the server’s database."
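As an added example (not from this thread and not Cisco's code), the following Python script parses 106001 lines in the ASDM export format shown in the question and labels each denied packet by what its TCP flags and port direction say about it: ACK/FIN/RST arriving from a server port (443) toward a high client port can only be late traffic from a session the inside host itself opened, whereas a bare SYN toward an inside host is a genuine inbound connection attempt. The sample input is the six lines from the first post and the 710003 line from the follow-up (which the parser skips because it is a different message), plus one constructed SYN line using the documentation address 203.0.113.7 to exercise the other branch.

```python
import re
from collections import Counter

# Shape of an ASA 106001 line as the ASDM log viewer exports it: severity,
# timestamp, message id, the four src/dst columns, then the message text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d\d:\d\d:\d\d)\s+"
    r"(?P<msgid>\d{6})\s+\S+\s+\d+\s+\S+\s+\d+\s+"
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) "
    r"on interface (?P<iface>\S+)$"
)

EPHEMERAL_START = 1024                           # ports below this count as server-side ports
TEARDOWN_FLAGS = {"ACK", "FIN", "RST", "PSH"}    # flag sets that never open a TCP connection

# Six lines from the thread, the 710003 line from the follow-up post, and one
# constructed SYN line (203.0.113.7 is a documentation address, not from the thread).
SAMPLE_LOG = """
2 Mar 11 2021 18:40:42 106001 45.57.36.145 443 192.168.1.195 46730 Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46730 flags ACK on interface outside
2 Mar 11 2021 18:40:42 106001 45.57.36.145 443 192.168.1.195 46728 Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46728 flags ACK on interface outside
2 Mar 11 2021 18:36:45 106001 69.16.175.10 443 192.168.1.100 45952 Inbound TCP connection denied from 69.16.175.10/443 to 192.168.1.100/45952 flags RST on interface outside
2 Mar 11 2021 18:24:56 106001 52.17.24.53 443 192.168.1.100 45668 Inbound TCP connection denied from 52.17.24.53/443 to 192.168.1.100/45668 flags FIN ACK on interface outside
2 Mar 11 2021 18:24:49 106001 34.234.28.0 443 192.168.1.100 45653 Inbound TCP connection denied from 34.234.28.0/443 to 192.168.1.100/45653 flags FIN ACK on interface outside
2 Mar 11 2021 17:44:49 106001 157.240.205.1 443 192.168.1.197 44356 Inbound TCP connection denied from 157.240.205.1/443 to 192.168.1.197/44356 flags RST on interface outside
3 Mar 11 2021 20:20:49 710003 24.43.232.99 652 83.146.x.z 23 TCP access denied by ACL from 24.43.232.99/652 to outside:83.146.x.z/23
2 Mar 11 2021 21:02:10 106001 203.0.113.7 51234 192.168.1.100 22 Inbound TCP connection denied from 203.0.113.7/51234 to 192.168.1.100/22 flags SYN on interface outside
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()


def parse_106001(line):
    """Return a dict of fields for a 106001 line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("msgid") != "106001":
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["flags"] = frozenset(rec["flags"].split())
    return rec


def classify(rec):
    """Label one denied packet by its TCP flags and the direction of its ports."""
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        # A bare SYN is a real attempt to open a connection to the inside host.
        return "new_inbound_attempt"
    if flags <= TEARDOWN_FLAGS and rec["sport"] < EPHEMERAL_START <= rec["dport"]:
        # ACK/FIN/RST from a server port to a high client port can only belong
        # to a session the inside host opened earlier; the conn is already gone,
        # so the ASA denies the packet and logs it with the inside address.
        return "stale_return_traffic"
    return "other"


def triage(lines):
    """Summarise a batch of log lines: counts per label and per affected inside host."""
    summary = {"by_class": Counter(), "stale_by_inside_host": Counter(),
               "servers_per_inside_host": {}, "skipped": 0}
    for line in lines:
        rec = parse_106001(line)
        if rec is None:
            summary["skipped"] += 1          # other message ids, blank lines, etc.
            continue
        label = classify(rec)
        summary["by_class"][label] += 1
        if label == "stale_return_traffic":
            summary["stale_by_inside_host"][rec["dst"]] += 1
            summary["servers_per_inside_host"].setdefault(rec["dst"], set()).add(rec["src"])
    summary["by_class"] = dict(summary["by_class"])
    summary["stale_by_inside_host"] = dict(summary["stale_by_inside_host"])
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result["by_class"])                 # {'stale_return_traffic': 6, 'new_inbound_attempt': 1}
    for host, servers in sorted(result["servers_per_inside_host"].items()):
        print(host, "<-", ", ".join(sorted(servers)))   # pair each inside host with the servers it had talked to
```

The second print is the check worth doing by hand as well: if the remote addresses paired with an inside host resolve (via reverse DNS) to services that host was actually using, the denials are leftovers of legitimate sessions; a cluster of bare-SYN denials toward one inside host would be the case to investigate instead.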
03-11-2021 10:37 PM
@Rob Ingram seems to be an option but... are they able to flood attack devices behind NAT? I mean - something should open a path to them, otherwise how do they even know the addresses of devices inside? Or do they just attack random ports in the hope that some would reach the target? Later I will read more about that kind of attack. Thanks.
@Massimo Baschieri that was my feeling also, but they happened when I wasn't connected to anything, that's why it makes me confused.
03-11-2021 11:15 PM
In my opinion the only reason why you can see internal details in the logs is because there was previously a legitimate connection between the two hosts, which has been closed for some reason.
Please take a look at the following thread:
The real question should be: why does the firewall know about a closed session?
The answer could be that the firewall closed the stateful connection immediately after seeing the FIN packet, but the NAT entry took a little more time to be purged.
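To make the mechanism in this answer concrete, here is an added Python model of a stateful PAT firewall (written for this page, not ASA code; the class, the constructed public address 198.51.100.10 and the linger constant are assumptions). It keeps two tables with different lifetimes: the connection table, which is emptied as soon as the session closes, and the translation table, which keeps the PAT port mapped to the inside host for a while longer. A late ACK from the server therefore arrives at a stage where the packet can still be untranslated to the inside address but no connection matches it, which is exactly the 106001 line with an internal address in it; once the translation has also expired, the same packet is dropped without the firewall knowing any inside host.

```python
from dataclasses import dataclass, field
from typing import Optional

# How long a PAT translation is assumed to outlive the connection that created it.
# Constructed for this model; the real value on a given ASA comes from its configured
# timeouts, not from this constant.
PAT_XLATE_LINGER = 30.0


@dataclass
class Xlate:
    inside: tuple                      # (inside_ip, inside_port) that owns the public port
    expires: Optional[float] = None    # set only once the last conn using it is gone


@dataclass
class StatefulFirewall:
    public_ip: str
    next_pat_port: int = 40000
    xlates: dict = field(default_factory=dict)   # (public_ip, public_port) -> Xlate
    conns: set = field(default_factory=set)      # (inside_ip, inside_port, remote_ip, remote_port)
    log: list = field(default_factory=list)

    def _expire(self, now):
        dead = [k for k, x in self.xlates.items() if x.expires is not None and x.expires <= now]
        for k in dead:
            del self.xlates[k]

    def outbound_syn(self, now, inside_ip, inside_port, remote_ip, remote_port):
        """Inside host opens a connection: allocate a PAT port and a conn entry."""
        self._expire(now)
        public_port = self.next_pat_port
        self.next_pat_port += 1
        self.xlates[(self.public_ip, public_port)] = Xlate((inside_ip, inside_port))
        self.conns.add((inside_ip, inside_port, remote_ip, remote_port))
        return public_port

    def close(self, now, inside_ip, inside_port, remote_ip, remote_port, public_port):
        """FIN exchange finished: the conn goes at once, the xlate only starts its timer."""
        self.conns.discard((inside_ip, inside_port, remote_ip, remote_port))
        self.xlates[(self.public_ip, public_port)].expires = now + PAT_XLATE_LINGER

    def inbound(self, now, remote_ip, remote_port, public_port, flags):
        """Packet from the Internet toward one of our PAT ports."""
        self._expire(now)
        xlate = self.xlates.get((self.public_ip, public_port))
        if xlate is None:
            # No translation left: the firewall cannot even name an inside host.
            self.log.append(f"{now:>5.0f} drop: no translation for {self.public_ip}/{public_port}")
            return "no_translation"
        inside_ip, inside_port = xlate.inside
        if (inside_ip, inside_port, remote_ip, remote_port) in self.conns:
            return "forwarded"
        # Translation still known, conn already gone: the 106001 situation from the thread.
        self.log.append(
            f"{now:>5.0f} 106001 Inbound TCP connection denied from {remote_ip}/{remote_port} "
            f"to {inside_ip}/{inside_port} flags {flags} on interface outside")
        return "denied_106001"


def scenario():
    """Replay the thread's case: an HTTPS session from .1.195, closed, then a late ACK."""
    fw = StatefulFirewall(public_ip="198.51.100.10")          # constructed public address
    inside, remote = ("192.168.1.195", 46730), ("45.57.36.145", 443)
    pat_port = fw.outbound_syn(0, *inside, *remote)
    results = [fw.inbound(1, *remote, pat_port, "SYN ACK")]   # handshake reply: conn matches
    fw.close(5, *inside, *remote, pat_port)                   # session torn down, xlate lingers
    results.append(fw.inbound(6, *remote, pat_port, "ACK"))   # late ACK: untranslated, no conn
    results.append(fw.inbound(5 + PAT_XLATE_LINGER + 1, *remote, pat_port, "ACK"))  # xlate gone too
    return results, fw.log


if __name__ == "__main__":
    outcomes, log = scenario()
    print(outcomes)            # ['forwarded', 'denied_106001', 'no_translation']
    print("\n".join(log))
```

The model also shows why the logged entries name an inside host at all: the firewall has to untranslate the packet before it can look for a connection, so only packets arriving inside the translation's linger window can produce a denial with an internal address.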
03-12-2021 12:58 AM
OK. It looks like that's it. I changed strategy: instead of not using anything I used some websites and mail, and I have the same type of messages from those connections, but when I checked the DNS info it says: facebook, netflix etc. Seems to be solved, thanks
