10-20-2016 08:37 AM - edited 03-12-2019 01:25 AM
Hi,
To protect against SYN attacks we have created a global maximum for half-open connections, currently 500 embryonic connections.
It is working pretty well now. When the maximum count is reached, SYSLOG shows the following message:
6 | Oct 20 2016 | 12:11:14 | 201010 | <PRIVATE IP> | 40333 | <PUBLIC IP> | 80 | Embryonic connection limit exceeded 500/500 for input packet from <PRIVATE_IP>/40333 to <PUBLIC IP>/80 on interface inside |
Just need to confirm a couple of things here please:
From what I see this is some port scanning that is taking place by a compromised host residing on my network (inside). What I am trying to do is to contact my users and send them a list of all the public IPs their possibly infected host/IP is scanning, along with the ports, so that they take the necessary action. I do not want to start using threat-detection with SHUN before I get hold of this report.
I was thinking of sh local-host <private_IP> and looking at Conn, but it lists legitimate connections too. How can I list only the scanned destinations and ports?
I am using ASA5550 by the way.
Thanks
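One way to build the per-host report asked for above is to parse the 201010 syslog export itself rather than `show local-host`: every 201010 line names the internal source and the exact public destination/port that was refused, and no legitimate established connection produces that message ID. The script below is an added example, not from the original post or from Cisco; it assumes the pipe-separated log-viewer layout shown in the post (severity | date | time | message ID | src | sport | dst | dport | text), and the sample lines are constructed with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample export in the same pipe-separated layout as the post.
# Addresses are RFC 5737 documentation ranges, not real hosts.
# The 302013 line is a normal "Built outbound" connection and must be ignored.
SAMPLE_LOG = """\
6 | Oct 20 2016 | 12:11:14 | 201010 | 192.0.2.10 | 40333 | 203.0.113.5 | 80 | Embryonic connection limit exceeded 500/500 for input packet from 192.0.2.10/40333 to 203.0.113.5/80 on interface inside |
6 | Oct 20 2016 | 12:11:14 | 201010 | 192.0.2.10 | 40334 | 203.0.113.5 | 443 | Embryonic connection limit exceeded 500/500 for input packet from 192.0.2.10/40334 to 203.0.113.5/443 on interface inside |
6 | Oct 20 2016 | 12:11:15 | 201010 | 192.0.2.10 | 40335 | 203.0.113.9 | 80 | Embryonic connection limit exceeded 500/500 for input packet from 192.0.2.10/40335 to 203.0.113.9/80 on interface inside |
6 | Oct 20 2016 | 12:11:15 | 201010 | 192.0.2.10 | 40336 | 203.0.113.5 | 80 | Embryonic connection limit exceeded 500/500 for input packet from 192.0.2.10/40336 to 203.0.113.5/80 on interface inside |
6 | Oct 20 2016 | 12:11:16 | 302013 | 192.0.2.22 | 51000 | 203.0.113.77 | 443 | Built outbound TCP connection 12345 for outside:203.0.113.77/443 to inside:192.0.2.22/51000 |
6 | Oct 20 2016 | 12:11:17 | 201010 | 192.0.2.33 | 6000 | 198.51.100.4 | 22 | Embryonic connection limit exceeded 500/500 for input packet from 192.0.2.33/6000 to 198.51.100.4/22 on interface inside |
"""

# Message text of ASA syslog 201010, as quoted in the post.
MSG_RE = re.compile(
    r"Embryonic connection limit exceeded (?P<cur>\d+)/(?P<max>\d+) for input packet "
    r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+)"
)


def parse_201010(line):
    """Return the parsed fields of a 201010 line, or None for any other message."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 9 or fields[3] != "201010":
        return None
    m = MSG_RE.search(fields[8])
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = f"{fields[1]} {fields[2]}"
    return rec


def scanned_targets(log_text):
    """Map each internal source IP to the sorted, de-duplicated (dst, dport) pairs it hit."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_201010(line)
        if rec:
            targets[rec["src"]].add((rec["dst"], int(rec["dport"])))
    return {src: sorted(pairs) for src, pairs in targets.items()}


def report(log_text):
    """Render one block per offending internal host, ready to send to its owner."""
    out = []
    for src, pairs in sorted(scanned_targets(log_text).items()):
        out.append(f"{src}: {len(pairs)} distinct destination/port pairs")
        out.extend(f"  {dst}:{port}" for dst, port in pairs)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Because 201010 is only logged once the embryonic limit is already reached, the list it yields is a lower bound: connection attempts made while the host was still under the limit leave no 201010 record, and a quieter scanner never shows up here at all. The ASA's own threat-detection scanning statistics, which the post already mentions, cover that gap; this script is for extracting the report from logs you already have.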