
Trying to analize attack attempts - confused about unusual entries.

raresz
Level 1

Hi. I'm new to networking. I have bought a Cisco ASA 5505 and deployed it as an edge router. Everything works normally.

Today I figured I would just log in to ASDM and check whether it is really preventing attempts to log in to the firewall from outside.

 

Of course I had a lot of attempts to open connections on ports 22, 23 and 443; that was obvious. But I saw something I can't explain to myself, and the severity of those logs is CRITICAL, compared to the normal attempts, which are ERRORS.

 

These are the entries I'm worried about:

2	Mar 11 2021	18:40:42	106001	45.57.36.145	443	192.168.1.195	46730	Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46730 flags ACK  on interface outside
2	Mar 11 2021	18:40:42	106001	45.57.36.145	443	192.168.1.195	46728	Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46728 flags ACK  on interface outside
2	Mar 11 2021	18:36:45	106001	69.16.175.10	443	192.168.1.100	45952	Inbound TCP connection denied from 69.16.175.10/443 to 192.168.1.100/45952 flags RST  on interface outside
2	Mar 11 2021	18:24:56	106001	52.17.24.53	443	192.168.1.100	45668	Inbound TCP connection denied from 52.17.24.53/443 to 192.168.1.100/45668 flags FIN ACK  on interface outside
2	Mar 11 2021	18:24:49	106001	34.234.28.0	443	192.168.1.100	45653	Inbound TCP connection denied from 34.234.28.0/443 to 192.168.1.100/45653 flags FIN ACK  on interface outside
2	Mar 11 2021	17:44:49	106001	157.240.205.1	443	192.168.1.197	44356	Inbound TCP connection denied from 157.240.205.1/443 to 192.168.1.197/44356 flags RST  on interface outside

The thing that confuses me is that the normal attempts go from a random port to a well-known port. In this case it's the other way round, and it looks like some web server wants to connect to my internal devices behind NAT. On .1.195 Netflix was running in the background with a stopped video, and DNS also says that's Netflix. .1.100 is my laptop, where only ASDM was open. .1.197 was my Android device connected to WiFi.

Should I really be worried about these entries, or is that something normal that ASDM analyses as malicious?

Would be thankful for a response,

Greets


7 Replies

Sheraz.Salim
VIP Alumni

Cisco firewalls do stateful inspection, which means that for traffic going from inside to outside the ASA keeps a record of the connection; you can confirm this by using the command "show conn" on the ASA. Now, if someone from outside tries to initiate a connection, in your case from outside, the ASA will block/drop the connection and log the message to syslog, unless you are allowing the connection from outside to inside, but normally you won't do that.

 

If you have a normal router and you set up logging, you will notice that there are so many bots trying to reach your network (I mean your broadband public IP address).

 

Of course, the firewall gives you the protection to block unnecessary traffic.

Please do not forget to rate.

raresz
Level 1

Yes, I did mention the normal attempts which I see, but they're trying to connect from a dynamic port to a well-known port (it's normal when they want to SSH into my edge router).
I just can't understand one thing: normally it just says something like this:

 

3	Mar 11 2021	20:20:49	710003	24.43.232.99	652	83.146.x.z	23	TCP access denied by ACL from 24.43.232.99/652 to outside:83.146.x.z/23

But in this case the attempts were different. What exactly do those errors mean? I mean here the TCP flags exactly (about the errors from the 1st post).

 

@raresz 

The syslog message related to these errors is 106001, this message means "a TCP packet arrived for which no connection state exists in the ASA, and it was dropped".

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4768860

 

From your output you can determine these packets are FIN or RST... this is probably an RST/FIN flood attack.

https://ddos-guard.net/en/terminology/attack_type/rst-or-fin-flood

 

"During an RST / FIN Flood attack, the victim server is bombarded with fake RST or FIN packets that have no connection to any of the sessions stored in the server’s database."

I've seen a lot of those and they always belong to old legitimate sessions, most probably the remote server never received the FIN packet and tries to resume the session.

@Rob Ingram seems to be an option, but... are they able to flood-attack devices behind NAT? I mean, something should open a path to them, otherwise how do they even know the addresses of devices inside? Or do they just aim the attack at random ports, hoping some would reach the target? Later I will read more about that kind of attack. Thanks.

 

@Massimo Baschieri that was my feeling also, but they happened when I wasn't connected to anything; that's why it confuses me.

In my opinion the only reason why you can see internal details in the logs is because there was previously a legitimate connection between the two hosts, which has been closed for any reason.

Please take a look at the following thread:

https://community.cisco.com/t5/network-security/asa-106001-error-most-likely-due-to-interface-subnetting-issue/td-p/2067341

The real question should be: why does the firewall know about a closed session?

The answer could be that the firewall closed the stateful connection immediately after seeing the FIN packet, but the NAT entry took a little more time to be purged.
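As an added illustration (not from the thread, Cisco or ASDM), a small Python triage of 106001 rows in the format pasted above: it separates server-side replies to a client session the ASA no longer tracks (well-known source port, ephemeral destination port, FIN/RST/ACK flags) from a genuine inbound SYN, which is what a real probe looks like. The SERVER_PORTS set is an assumption, and the fourth sample row is constructed.

```python
import re
from collections import Counter
# Message text of ASA syslog 106001 as shown in the thread; ASDM prefixes each
# row with severity/date/time/id/address columns, so we search rather than match.
MSG_106001 = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

# Assumption: ports internal clients connect *to*; a 106001 whose *source* port is
# one of these is a server talking back to a client, not a probe of the client.
SERVER_PORTS = {80, 443, 465, 587, 993, 995}

def parse_106001(line):
    m = MSG_106001.search(line)
    if not m:
        return None                # some other message id, e.g. 710003
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = set(rec["flags"].split())
    return rec

def classify(rec):
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"   # genuine attempt to open a new inbound connection
    if rec["sport"] in SERVER_PORTS and rec["dport"] >= 1024 and flags & {"FIN", "RST", "ACK"}:
        return "stale-session"     # server closing/resetting a session the ASA no longer tracks
    return "unknown"

def triage(lines):
    # Count 106001 rows per category; rows with other message ids are skipped.
    counts = Counter()
    for line in lines:
        rec = parse_106001(line)
        if rec is not None:
            counts[classify(rec)] += 1
    return counts

# Sample input: rows 1-3 are copied from the thread; row 4 is constructed
# (RFC 5737 documentation addresses) to show what a real inbound probe looks like.
SAMPLE = [
    "2\tMar 11 2021\t18:40:42\t106001\t45.57.36.145\t443\t192.168.1.195\t46730\t"
    "Inbound TCP connection denied from 45.57.36.145/443 to 192.168.1.195/46730 flags ACK  on interface outside",
    "2\tMar 11 2021\t18:36:45\t106001\t69.16.175.10\t443\t192.168.1.100\t45952\t"
    "Inbound TCP connection denied from 69.16.175.10/443 to 192.168.1.100/45952 flags RST  on interface outside",
    "2\tMar 11 2021\t18:24:56\t106001\t52.17.24.53\t443\t192.168.1.100\t45668\t"
    "Inbound TCP connection denied from 52.17.24.53/443 to 192.168.1.100/45668 flags FIN ACK  on interface outside",
    "2\tMar 11 2021\t18:50:00\t106001\t203.0.113.10\t51234\t198.51.100.5\t22\t"
    "Inbound TCP connection denied from 203.0.113.10/51234 to 198.51.100.5/22 flags SYN  on interface outside",
]
```

Run `triage(SAMPLE)` on the thread's rows and only the constructed SYN row lands outside "stale-session"; a burst of such SYN rows against internal ephemeral ports, or packets from non-service source ports, would be the thing worth escalating.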

Ok. It looks like that's it. I changed strategy: instead of not using anything, I used some websites and mail, and I get the same type of messages from those connections, but when I checked the DNS info it says: facebook, netflix etc. Seems to be solved, thanks.
