ASA5505, SYN attack, ISP and IPS module

Similar Messages

• ASA5505 un-responsive after installing ASA-SSC-AIP-5 IPS module

  Hello,
  Can anyone help?
  I have a pair of ASA 5505 firewalls in a failover configuration. Everything works correctly until I install the IPS module into the secondary firewall. When install I can no longer ping the firewall from the inside network. We do not have an external network set up at present.
  I have connected to the secondary firewall via the console. Issues the command "session 1" and can then get to the IPS. I have set the IPS hostname and given it an address on the interal network. I have set the ACL on the IPS to permit the inside range.
  The results are that we are unable to reach the ASA or the IPS on the internal range. The primary firewall is no longer able to ping the inside address of the secondary firewall. As soon as I remove the IPS modue all returns to normal. Im not sure what would be causing this. If anyone can tell me where they think I went wrong that would be great.
  Thanks

  This sounds like a IP issue some where on the ASA, or IPS module. Did you run a capture on the ASA, and the IPS module to see if the respones are arriveing? On the issue, you can use the "capture interface " on the ASA, and the "packet display expression host ". This will help you determin if there is a ARP, or some other IP related issue on the network.
  I hope this helps,
  Rafael

• Forefront TMG detected a possible SYN attack and will protect the network accordingly

  Hi ,  Some times here internet is not working for using through TMG 2010. but Local Host Internet is working. then it should restart the 
  Microsoft Forefront TMG Control with related Services. then again users can access the Internet  through TMG.
  I check the Event Viewer in Server. it shows below Error Log.
  Forefront TMG detected a possible SYN attack and will protect the network accordingly
  what should for this ?
  Regards, COMDINI

  Hello,
  An offending host attempts to flood Forefront TMG with half-open TCP connections by sending numerous TCP SYN messages to a Forefront TMG server and not completing the TCP handshake, leaving the TCP connections half-open.
  Please enable logging to identified this hosts and then check if it is infected by viruses or malware programs.
  Please see the value of the number of Maximum half-open TCP connections in Flood Mitigation settings for more information.
  Once your problem is solved, you have to see "Forefront TMG is no longer experiencing a SYN attack." message.
  This
  posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  Microsoft Student Partner 2010
  / 2011
  Microsoft Certified Professional
  Microsoft Certified Systems Administrator:
  Security
  Microsoft Certified Systems Engineer:
  Security
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Active Directory, Configuration
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Network Infrastructure, Configuration
  Microsoft Certified Technology Specialist:
  Windows Server 2008 Applications Infrastructure, Configuration
  Microsoft Certified Technology Specialist:
  Windows 7, Configuring
  Microsoft Certified IT Professional: Enterprise
  Administrator
  Microsoft Certified IT Professional: Server Administrator
  Microsoft Certified Trainer

• CSS 11050 SYN Attacks and auto-reboot

  Running software version 5.00 build 2 to load balance two web servers. The DOS log shows SYN attack activity--with one incident logging 62 "attacks". I read that if this value reaches a threshold, then the machine will reboot. Can someone tell me what the guidelines are for this? Are there any other events that can cause the switch to auto reboot? Thanks!

  First, you should definitely upgrade.
  5.0(2) is VERY VERY OLD.
  Next, a box never reload by itself on purpose or because it reached a certain threshold.
  If there is an auto-reboot, this means the box crash and this is not normal.
  Gilles.

• SNMP - Scan and Syn Attack OIDs

  Hello support community,
  Im looking for snmp oids for scan and syn attack, im trying to build a graph with cacti that would represent a historical with DOS and scan attacks. I have looked MIB and i dont see anything jumping at me about these OIDs. Can you please help me on finding these?
  Thanks,
  Delmiro

  I opened a casa with TAC, and they stated that these oids are not supported. I thought i would post my findings here incase anyone else was looking for them.

• Duplicate SYN attacks from Outside to Outside

  Hi Everyone,
  We have an FTP server that sits in our DMZ.  This Server has a DMZ interface and an external interface.  When trying to access the server from the internet on its external address i am getting alot of Duplicate SYN attacks.  They seem to be coming all from the same source and port to the same destination and port.
  As part of the testing i first took out any references to the FTP server in my Access rules on the ASA.  I then tried to FTP to the server from an outside internet connection and as expected get the following in the log:
  4
  Mar 01 2013
  10:23:18
  194.80.130.xx
  46867
  78.24.112.XX
  21
  Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]
  I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one).  When i then try and FTP to the server i get lots of SYN attacks which says the following:
  4
  Mar 01 2013
  10:27:29
  194.80.130.XX
  46973
  78.24.112.XX
  21
  Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number
  I am not sure why I am getting duplicate SYN attacks.  I have similar servers in the DMZ that do the same thing and they seem to be working fine.  I am pretty sure this is not actually a DOS attack.  I also have spoken to the team who manage the server and they have confirmed that the external IP is setup correctly on the server (its not that the external IP does not exist and just loops).
  There is also NAT'ing setup on the ASA that NATs the dmz IP to the external IP and vice versa.
  I have also noticed that whenever i create a new rule on the outside interface on my ASA it automatically adds the same descripton from another rule on the outside interface.  What does this mean?  Why could it be copying a description from anothe rule?
  Your advice would be much appreciated.

  Output from packet-tracer to outside address 78.24.112.xx 
  It seems as though the NAT to the DMZ address is just not working.  I have set a NAT rule up "before network object NAT" rule and also set a simple object NAT, but still getting the error.
  Phase: 1
  Type: ACCESS-LIST
  Subtype: log
  Result: ALLOW
  Config:
  access-group outside_access_in in interface outside
  access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
  object-group service DM_INLINE_SERVICE_7
  service-object tcp destination eq ssh
  service-object ip
  service-object tcp destination eq ftp
  Additional Information:
  Phase: 2
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 3
  Type: INSPECT
  Subtype: inspect-ftp
  Result: ALLOW
  Config:
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect ftp
  service-policy global_policy global
  Additional Information:
  Phase: 4
  Type: FOVER
  Subtype: standby-update
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 5
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  Phase: 7
  Type: FLOW-CREATION
  Subtype:
  Result: ALLOW
  Config:
  Additional Information:
  New flow created with id 26135657, packet dispatched to next module
  Result:
  input-interface: outside
  input-status: up
  input-line-status: up
  Action: allow

• How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

  Hi
  The two ASA with IPS modules are in active/standby mode. When I try to add both the two IP (active/standby) into the MARS, the MARS will complain duplicated hostnames.
  How to setup MARS to monitor ASA with IPS with active standby topology?
  Thanks!

  Hi,
  The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
  Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
  In a failover scenario the ASA's swap IP's but the IPS's don't so whereas you'll only ever get messages from the active ASA you'll get messages from both IPS IP's depending on which one happens to be in the active ASA at the time.
  Don't forget that you have to manually replicate all IPS configuration every time you make a change.
  HTH
  Andrew.

• IPS modules in Cisco ASA 5510 Active/Standby pair.

  All, I am looking to add the IPS module to my ASA 5510's. I am contemplating only purchasing one module and placing it in the active ASA. I am willing to accept that in a failure scenario I will loose the IPS functionality until the primary ASA is recovered. I have not had a chance to talk to my SE to see if this is even possible. Has anyone attempted a deployment such as this? Will it work and is it supported?
  Sent from Cisco Technical Support iPad App

  Ok, that is what I needed to know.  The purpose of us having an active/standby ASA is to keep the business up and going for the very rare times there could be an active ASA failure.  The purpose for the IPS would be to help protect and inspect traffic and is not necessary to keep the business running.  If we implement IPS I am not worried at all if during the times when the primary ASA is down (hasn't been down for over three years now) we lose the IPS funcationality.  This is not worth the $1000 extra per year to us.
  Thanks for the responses though.  That answers my questions.

• Prime 2.0 and IPS

  Hi Guys
  Can integrate my Ciso IPS to the Cisco Prime 2.0 and How....
  thanks

  Not in any meaningful way.
  If you have a Cisco IPS appliance (or IPS module in an ASA), it can be managed either via IPS Device Manager (IDM), IPS Manager Express (IME) or Cisco Security Manager (CSM).
  Newer ASA CX modules with IPS service are managed via PRSM.
  Of course Cisco Sourcefire IPS sensors are managed via Defense Center.

• Trend micro and IPS

  Hello,
  I want to buy an ASA5510 + SSM for my lan.
  The goal is :
  - Make URL filtering/blocking within work hours
  - Deny some application like IM, P2P, web radio, during work hours.
  Trend Micro is good for the first think : url filtering by categories
  But is not good for blocking IM, ... (only check port 80 http)
  So, is it possible on an ASA to have Trend Micro and IPs working on the same appliance ?
  If no, what is the solution?
  Thx

  Hi.
  you can only install one module into the ASA. so yes, you can't have both the CSC and the SSM module in the same asa 5510.
  however the ASA does support url filtering via Websense or Secure Computing SmartFilter (formerly N2H2) . so if you have a any of those servers, you can configure the ASA to do the url filtering, and install the ssm ips module into the ASA to do the IM blocking.
  more info on asa web traffic filtering:
  http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_filter.html#wp1069318
  Regards,
  Fadi.
  if this answers your question please mark the thread as resolved.

• CSS false syn attack behavior

  Hi all,
  We are having an issue with our CSS11501,version sg0810106.
  our web app is using alot of web requests (up to one every 15 seconds )
  for some reason occasionally our session is being dropped, and we can't connect for few minutes.
  i just found out that the source ip address of the client is showed as a source for "syn attack" when i issue "show dos".
  does the CSS block my legitimate traffic as suspected syn attack?
  if so how can i work around it?
  why does it pick it as syn attack how can i improve its false detection?
  Can anyone help me with this?
  thanks,
  Lior

  Thanks Gilles,
  Indeed the CSS doesn't block anything (I wish it would have been more explicit in the documents, except writing that the dos feature cannot be disabled).
  However It was a problem that caused by the CSS and I write this here just in case someone else will encounter the same.
  I use CSS for many years now, but this is the first time that i used it on a very connection intensive application and in such an envirounment, and this is why the issue became a visible problem.
  CSS and ASA was connected on the same network, with the CSS interface configured as a default gateway on the hosts.
  However the CSS sends ICMP redirects packets to the hosts injecting a "better" route to different external IP addresses using the ASA interface IP address. That cause connections from different IP addresses to be blocked for a period of 10 minutes (default time that an ICMP redirect injected route will stay in the routing table of windows server2003) because the routing table on the host has a "better" route which is not the CSS's interface.
  Together with the fact that I was using sticky session content rule based on sticky-srcip, that caused an outage for 10 minutes for different IP addresses on a regular basis.
  I have sorted it out by disabling icmp Redirect on the windows hosts registry:
  "\\HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\"
  change EnableICMPRedirect to "0" by default its "1"
  reboot the hosts, and you will see an immediate drop in syn attack indications on the CSS, hinting that the problem has been solved.
  I read somewhere that there's an option to disable ICMP redirect packets from the CSS as well, but the other trick did that for me.
  Thanks again gilles for your enlightment
  Regards,
  Lior

• ASA SSM IPS module upgrade won't work

  Hello all,
  I'm trying to upgrade the IPS sig's on an ASA5520 with a SSM IPS module. I'm trying to upgrade the system to 5.1.1 to further upgrade the device with no luck.
  I followed these steps provided by Cisco.com:
  1. Log in to the ASA.
  2. Enter enable mode:
  asa# enable
  3. Configure the recovery settings for ASA-SSM:
  asa (enable)# hw-module module 1 recover configure
  NOTE: If you make an error in the recovery configuration, use the
  hw-module module 1 recover stop command to stop the system reimaging
  and then you can correct the configuration.
  4. Specify the TFTP URL for the system image:
  Image URL [tftp://0.0.0.0/]:
  Example:
  Image URL [tftp://0.0.0.0/]: tftp://10.20.30.40/IPS-SSM-K9-sys-1.1-a-5.1-1.img
  5. Specify the command and control interface of ASA-SSM:
  Port IP Address [0.0.0.0]:
  Example:
  Port IP Address [0.0.0.0]: 11.21.31.41
  6. Leave the VLAN ID at 0.
  VLAN ID [0]:
  7. Specify the default gateway of the ASA-SSM:
  Gateway IP Address [0.0.0.0]:
  Example:
  Gateway IP Address [0.0.0.0]: 11.22.33.44
  8. Execute the recovery:
  asa# hw-module module 1 recover boot
  9. Periodically check the recovery until it is complete.
  NOTE: The status reads "Recovery" during recovery and reads "Up" when
  reimaging is complete.
  AFter #8 it just goes back to the enable prompt. A 'sh module' lists the device as 'recover' and hangs FOREVER.... I tested the TFTP server which the new image resides on, and the TFTP is working fine. I don't see any attempts or downloads from the TFTP server for over an hour.
  I opened a Ciscop TAC on this and not receiving alot of help...
  Please help!!!:)
  Thanks
  Chris Serafin
  [email protected]

  The recovery using this method can takes upwards of 30 minutes, and in some cases even longer.
  How long have you left the SSM in the "recovery" state?
  There may be something wrong in the config you entered. when that happens the SSM can go into a continuous reboot cycle trying to do the recovery.
  Execute "debug module-boot" on the console of the ASA.
  The debug output will show you the ROMMON output of the SSM itself. (The SSM has it's own ROMMON. The recovery boot command sends the settings made during the recover configure command to the SSM's ROMMON).
  If the ROMMON is experiencing a problem in trying to download the tftp image you should now see that ROMMON error message.
  Some typical problems I have seen:
  1) Wrong IP given for the sensor.
  2) Wrong IP given for the gateway (the gateway must exist on the same network as the sensor) this problem usually happens when using a non-standard netmasked network.
  3) Not having the sensor's command and control port plugged into the right network. The external port of the SSM itself is where the IP is being applied. You need to ensure that the extenral port of the SSM is plugged into the right network for that IP.
  4) The tftp server is not reachable from the network where the sensor's command and control port is attached. Some users think that if the ASA itself can reach the tftp server that the SSM will also be able to. This is not always the case. It is best to use a tftp server on the same network as the IP provided to the SSM. Or to test the tftp server from another machine on the same network as the SSM.
  5) The file name is wrong. Check the captialization especially.
  6) The file is not in the default directory on the tftp server. If the file is in a subdirectory you will need to add that subdirectory to the URL:
  tftp://10.20.30.40/subdirectoryname/filename
  7) The tftp is timing out.
  There are 2 things that can cause this:
  a) The tftp server is remote, and it takes too long to download the file. The ROMMON does have limits on the number of retries and per packet timeouts (but they are not user configurable). Try using a tftp server local to the SSM.
  b) The switch that the SSM connects to has spanning-tree running and spanning-tree does not complete before the SSM ROMMON times out for the tftp attempt. The tftp attempt happens immediately upon ROMMON startup and link up. But with a switch the switch port may be in a "Listen" or "Learn" state for 40 seconds before the box can actually talk on the network. In some cases the tftp download attempts started as soon as link up, and may timeout even before the spanning-tree completes. To work around this configure "spanning-tree portfast" on the switchport. Spanning-tree will connect the port into the vlan immediately rather than 40 seconds later.
  If it was a config problem when configuring the recovery settings, then there is a "recover stop" command on the ASA.
  It will stop the reboot cycle from happening.
  Let the module come up with the old image.
  Then correct your "recover configure" settings, and try the "recover boot" again.
  Another alternative:
  Stop the recovery "recover stop"
  Let it boot into the old image.
  If it was a 5.0 version, then you can actually upgrade to 5.1 using the sensor's own CLI "upgrade" command. It is actually the preferred method.
  The "recover" from the ASA will wipe the box clean and load a fresh image.
  The "upgrade" from the sensor will convert your 5.0 config into a 5.1 config while installing 5.1.
  5.1 upgrade file:
  IPS-K9-min-5.1-1g.pkg
  http://www.cisco.com/cgi-bin/tablebuild.pl/ips5
  It can be applied through the sensor's CLI upgrade command, or pushed directly through IDM, or applied by CSM.
  The "recover" should be limited to disaster recovery. When you can't access the SSM at all, or the files on the SSM have been corrupted.
  For normal upgrades you want to use "upgrade" files done through the sensor itelf (CLI, IDM, or CSM).

• Can't get SNMP data from ASA's AIP 10 IPS module

  Hi,
  I have just had the AIP 10 IPS module installed onto my ASA 5520. I have now setup the SNMP and my SNMP server (solarwinds) can detect the CPU, Memory and sensors to monitor.
  The problem I have is the SNMP server is getting data form the sensors but not data from the CPU or memory mibs, is something denying this from the IPS?

  The following are some IDS mibs, Cisco forgot to link them on the MIBs page located at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
  ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-ENHANCED-MEMPOOL-MIB.my
  ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-PROCESS-MIB.my
  ftp://ftp-sj.cisco.com/pub/mibs/v2/CISCO-CIDS-MIB.my
  ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-CIDS-MIB.oid
  ftp://ftp-sj.cisco.com/pub/mibs/oid/CISCO-ENHANCED-MEMPOOL-MIB.oid
  Here is the forula we are using to get the memory utlization percentage(in BMC Dashboard):
  average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) / ( average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.8 ) + average ( select 1.3.6.1.4.1.9.9.221.1.1.1.1.7 ) ) * 100
  Which translates to:
  average ( select cempmempoolfree ) / ( average ( select cempmempoolfree ) + average ( select cempmempoolused ) ) * 100
  I'm unable to find the formula for the CPU, but try loading the PROCESS mib for that.
  average ( select 1.3.6.1.4.1.9.9.109.1.1.1.1.5 )
  Please rate if helpful.
  Regards
  Farrukh

• Protected servers under syn attack!!

  The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.
  In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.
  I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.
  Regards

  Hi,
  below is the output of the # sh threat-detection rate command. can anyone explain me the vulnerabilities and risks by looking at the figures below. thanks
                            Average(eps)    Current(eps) Trigger      Total events
    10-min ACL  drop:                  1               0       0               672
    1-hour ACL  drop:                  1               0       0              4654
    10-min SYN attck:                  0               0       0               386
    1-hour SYN attck:                  0               0       0              3428
    10-min  Scanning:                  2               1   55503              1248
    1-hour  Scanning:                  2               2   18455              9177
    10-min Bad  pkts:                  0               0       0               184
    1-hour Bad  pkts:                  0               0       0              1089
    10-min  Firewall:                  1               0       0               862
    1-hour  Firewall:                  1               1       0              5749
    10-min DoS attck:                  0               0       0                 6
    1-hour DoS attck:                  0               0       0                 6
    10-min Interface:                  1               0       0              1034
    1-hour Interface:                  1               1       0              6616
  regards,
  AAMIR

• CSS wrongly reports SYN attacks

  Hi all,
  in our environment we have a CSS 11800 which is connected to 3 servers which are all running the same
  services. Every night there is a log rotation and therefor the services are taken down one by one.
  The CSS forwards traffic to the service even if it's down.
  From the time the sevice is down i can see always a huge amount of SYN attacks reported in the traplog.
  The reason for this is that the server sends a RST for every SYN request (which is normal as the port
  is down).
  We are running on SW version 5.00 build 63.
  Can you tell me how long it takes until the CSS detects the service as down and if there is a newer release which maybe detects a RST as a valid response to a SYN and therefor doesn't report a SYN attack.

  I don't see why you do not shutdown the service manually during maintenance ?
  Regarding how fast the CSS detect a service down it depends on the sort of keepalive you have configured.
  If you are using icmp keepalive the CSS may still believe the service is active if it continues to respond to ping.
  Again the fastest way for the CSS to detect a service down is to configure it be down.
  No release will accept the RST.
  This is your job to make sure the CSS does not forward traffic to a service down.
  Gilles.