ASA 5510 w/ IPS TCP SYN Host Sweep (Newbie)

Posted on 2008-11-03
3,750 Views
Last Modified: 2012-05-05
I'm new so hang on.
We have a Cisco ASA 5510 with an IPS sensor and we look pretty good, but I am getting the following informational events across the network.
Any information about what is going on would be great. As far as I can tell the PCs are scanning for some reason.

Thanks
Paul

informational      11/03/2008      14:21:14      ASA      TCP SYN Host Sweep      3030/0      10.124.x.x      65.55.197.248                  31      31

Event ID      1225729791310581506
Severity      informational
Host ID      X-IPS
Application Name      sensorApp
Event Time      11/03/2008 13:35:30
Sensor Local Time      10/03/2008 13:35:30
Signature ID      3030
Signature Sub-ID      0
Signature Name      TCP SYN Host Sweep
Signature Version      S2
Signature Details      
Interface Group      vs0
VLAN ID      0
Interface      GigabitEthernet0/1
Attacker IP      10.124.x.x
Protocol      tcp
Attacker Port      3936
Attacker Locality      OUT
Target IP      65.55.12.249
Target Port      
Target Locality      OUT
Target OS      unknown unknown (relevant)
Actions      
Risk Rating      TVR=medium ARR=relevant
Risk Rating Value      31
Threat Rating      31
Context Data      
Packet Data      
Event Summary      0
Initial Alert      
Summary Type      
Final Alert      
Event Status      New
Event Notes      
Question by:PaulDub

Expert Comment

by:kyleb84
ID: 22871895
Ignore it, it's just the PCs looking for Windows updates / genuine licensing.

65.55.12.249 is Microsoft, try it: http://65.55.12.249/


Author Comment

by:PaulDub
ID: 22878139
Sorry, I should have used another message that wasn't Microsoft. Here is a group of them from one PC. I did whois a few of them: yahoo, facebook, and I get a lot of Level 3 Communications. I'm just wondering why. Thanks for your reply.

informational      11/04/2008      10:30:10      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            63.135.80.48                  31      31
informational      11/04/2008      10:24:47      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.4.52.189                  31      31
informational      11/04/2008      10:28:31      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.86.183.80                  31      31
informational      11/04/2008      10:19:50      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.152.208.68                  31      31
informational      11/04/2008      09:42:55      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            65.54.195.188                  31      31
informational      11/04/2008      10:26:55      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            66.114.53.13                  31      31
informational      11/04/2008      10:28:50      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            74.125.19.167                  31      31
informational      11/04/2008      10:31:05      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            74.125.95.127                  31      31
informational      11/04/2008      10:27:29      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            75.126.132.37                  31      31
informational      11/04/2008      10:29:20      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            192.147.161.210                  31      31
informational      11/04/2008      10:26:32      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            205.177.95.71                  31      31
informational      11/04/2008      10:26:18      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            205.177.95.103                  31      31
informational      11/04/2008      10:00:24      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            208.111.168.7                  31      31
informational      11/04/2008      09:49:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31
informational      11/04/2008      09:51:54      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31
informational      11/04/2008      10:29:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            216.178.38.222                  31      31
informational      11/04/2008      10:30:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            216.178.39.217                  31      31

Paul

Author Comment

by:PaulDub
ID: 22887689
More points added.

Accepted Solution

by:kyleb84 (earned 2000 total points)
ID: 22902198
"Signature 3030 fires when 15 or more unique TCP SYN packets are detected from a single source IP address to a number of different destination IP addresses"

- A user goes to visit Facebook; a SYN packet is sent.
- There are, say, 8 different image/content servers for Facebook, each supplying different parts of the web page.
- There are 10 different ad servers that Facebook integrates into its web page as well.

- Each of these servers requires the PC to initiate a TCP connection (HTTP).
- The first packet sent in every TCP connection is a SYN packet.

20 SYN packets are detected to different servers in less than say 5 seconds, which would give you that alert.

This would be very common for LARGE web sites like myspace and facebook, microsoft - all of which would have many different servers collectively holding content for every web page.

There is nothing sinister about these "alerts" you've listed.

In a real security event, the method is called "TCP SYN flooding" and is a DoS attack designed to consume all resources of a single host. Windows XP and many other network-ready devices made after 2004 are not susceptible to these kinds of attacks anymore.

In fact, it's kind of pointless and could be turned off, leaving your alerts for more important, and perhaps actual, security alerts.

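Editor's note: the accepted answer above describes the logic behind signature 3030 (many SYNs from one source to many distinct destinations in a short time) and why an ordinary page load on a large site trips it. The following Python script is an added illustration of that heuristic, not code from the page, from the poster, or from Cisco. The 15-destination threshold is the figure quoted in the answer; the 5-second window, the "fire at most once per source per window" suppression, and the 203.0.113.x / 198.51.100.x sample addresses are all assumptions I made so the example runs stand-alone. It models the detection only, so you can see that one browser session loading 20 content servers fires the alert while a quiet host does not, and that raising the threshold (one tuning alternative to turning the signature off) makes the same traffic silent.

```python
"""Toy model of an IPS "TCP SYN Host Sweep" heuristic (compare signature 3030):
raise an alert when one source sends SYNs to at least THRESHOLD distinct
destination IPs inside a sliding time window. Added example; not Cisco's code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 15                   # distinct destinations, as quoted in the accepted answer
WINDOW = timedelta(seconds=5)    # ASSUMPTION: the real sensor's window is not stated on the page


def detect_syn_sweeps(syns, threshold=THRESHOLD, window=WINDOW):
    """syns: time-ordered iterable of (timestamp, src_ip, dst_ip), one per TCP SYN.

    Returns a list of alerts (src_ip, window_start, fired_at, distinct_dsts).
    A source fires at most once per window so a long page load does not
    produce one alert per packet (assumption: a simplification of real sensors)."""
    recent = defaultdict(deque)  # src_ip -> deque of (ts, dst_ip) seen within the window
    alerted_at = {}              # src_ip -> timestamp of its last alert
    alerts = []
    for ts, src, dst in syns:
        q = recent[src]
        q.append((ts, dst))
        # Drop SYNs that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            last = alerted_at.get(src)
            if last is None or ts - last > window:
                alerted_at[src] = ts
                alerts.append((src, q[0][0], ts, len(distinct)))
    return alerts


def build_sample():
    """Constructed SYN records (not taken from the page): one PC loading a large
    web page that pulls content from 20 different servers within 3 seconds, and
    one PC making 5 connections spread over a minute."""
    t0 = datetime(2008, 11, 4, 10, 30, 0)
    browser = [(t0 + timedelta(milliseconds=150 * i), "10.124.0.5", f"203.0.113.{i + 1}")
               for i in range(20)]
    quiet = [(t0 + timedelta(seconds=12 * i), "10.124.0.6", f"198.51.100.{i + 1}")
             for i in range(5)]
    return sorted(browser + quiet, key=lambda rec: rec[0])


def main():
    sample = build_sample()
    print("default tuning (threshold=15):")
    for src, start, fired, n in detect_syn_sweeps(sample):
        print(f"  SWEEP {src}: {n} distinct destinations between {start:%H:%M:%S} and {fired:%H:%M:%S}")
    print("raised threshold (threshold=50):", detect_syn_sweeps(sample, threshold=50))


if __name__ == "__main__":
    main()
```

With the default tuning only 10.124.0.5 fires, at the 15th distinct server of its page load; the five slow connections from 10.124.0.6 never accumulate inside one window. Raising the threshold (or, as the answer suggests, disabling the signature) removes the alert for the same traffic, which is the trade-off to weigh against the visibility the signature gives you for genuine scanning.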

Author Closing Comment

by:PaulDub
ID: 31512870
Well explained... Thanks