ASA 5510 w/ IPS TCP SYN Host Sweep (Newbie)

I'm new so hang on.
We have a Cisco ASA 5510 with an IPS sensor and we look pretty good, but I am getting the following informational events across the network.
Any information about what is going on would be great. As far as I can tell the PCs are scanning for some reason.

Thanks
Paul

informational      11/03/2008      14:21:14      ASA      TCP SYN Host Sweep      3030/0      10.124.x.x      65.55.197.248                  31      31

Event ID      1225729791310581506
Severity      informational
Host ID      X-IPS
Application Name      sensorApp
Event Time      11/03/2008 13:35:30
Sensor Local Time      10/03/2008 13:35:30
Signature ID      3030
Signature Sub-ID      0
Signature Name      TCP SYN Host Sweep
Signature Version      S2
Signature Details      
Interface Group      vs0
VLAN ID      0
Interface      GigabitEthernet0/1
Attacker IP      10.124.x.x
Protocol      tcp
Attacker Port      3936
Attacker Locality      OUT
Target IP      65.55.12.249
Target Port      
Target Locality      OUT
Target OS      unknown unknown (relevant)
Actions      
Risk Rating      TVR=medium ARR=relevant
Risk Rating Value      31
Threat Rating      31
Context Data      
Packet Data      
Event Summary      0
Initial Alert      
Summary Type      
Final Alert      
Event Status      New
Event Notes      
      
PaulDubAsked:

kyleb84Commented:
Ignore it, it's just the PCs looking for Windows updates / genuine licensing.

65.55.12.249 is Microsoft, try it: http://65.55.12.249/

PaulDubAuthor Commented:
Sorry I should have used another message that wasn't Microsoft. Here is a group of them from one PC. I did whois a few of them yahoo, facebook and I get a lot of Level 3 communications. I'm just wondering why. Thanks for your reply.

informational      11/04/2008      10:30:10      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            63.135.80.48                  31      31
informational      11/04/2008      10:24:47      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.4.52.189                  31      31
informational      11/04/2008      10:28:31      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.86.183.80                  31      31
informational      11/04/2008      10:19:50      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.152.208.68                  31      31
informational      11/04/2008      09:42:55      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            65.54.195.188                  31      31
informational      11/04/2008      10:26:55      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            66.114.53.13                  31      31
informational      11/04/2008      10:28:50      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            74.125.19.167                  31      31
informational      11/04/2008      10:31:05      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            74.125.95.127                  31      31
informational      11/04/2008      10:27:29      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            75.126.132.37                  31      31
informational      11/04/2008      10:29:20      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            192.147.161.210                  31      31
informational      11/04/2008      10:26:32      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            205.177.95.71                  31      31
informational      11/04/2008      10:26:18      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            205.177.95.103                  31      31
informational      11/04/2008      10:00:24      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            208.111.168.7                  31      31
informational      11/04/2008      09:49:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31
informational      11/04/2008      09:51:54      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31
informational      11/04/2008      10:29:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            216.178.38.222                  31      31
informational      11/04/2008      10:30:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            216.178.39.217                  31      31

Paul
PaulDubAuthor Commented:
More points added.
kyleb84Commented:
"Signature 3030 fires when 15 or more unique TCP SYN packets are detected from a single source IP address to a number of different destination IP
addresses"

- A user goes to visit Facebook, a SYN packet is sent.
- There are say 8 different images/content servers for facebook, each supplying different parts of the web page.
- There are 10 different ad servers that facebook integrates into its web page as well.

- Each of these servers requires the PC to initiate a TCP connection (HTTP).
- The first packet sent of every TCP connection is a SYN packet.

20 SYN packets are detected to different servers in less than say 5 seconds, which would give you that alert.

This would be very common for LARGE web sites like myspace and facebook, microsoft - all of which would have many different servers collectively holding content for every web page.

There is nothing sinister about these "alerts" you've listed.

In a real security event, the method is called "TCP SYN flooding" and is a DoS attack designed to consume all resources of a single host. Windows XP and many other network-ready devices made > 2004 are not susceptible to these kinds of attacks anymore.

In fact it's kind of pointless and could be turned off - leaving your alerts for more important - and perhaps actual security alerts.

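The behaviour described in the answer above (signature 3030 counting distinct destination IPs per source inside a short time window, and a single page load to a large site crossing that count) can be reproduced as a small detector. The following is an added example, not code from the thread or from Cisco: the 15-destination threshold is the figure quoted in the answer, the 5-second window is the answer's illustrative number rather than a documented sensor default, and all traffic and event lines are constructed. The second half parses event-summary rows in the column layout pasted in the thread and lists, per flagged source, the distinct targets it was reported against, which is the quick check that separates "one PC loading a busy web page" from something that deserves a closer look.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example: 15 distinct destinations is the figure quoted
# for signature 3030 in the answer; the 5-second window is the answer's
# illustrative number, not a documented sensor default.
THRESHOLD = 15
WINDOW = timedelta(seconds=5)


def detect_host_sweeps(syn_events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window host-sweep detector.

    syn_events: iterable of (timestamp, src_ip, dst_ip), one per TCP SYN, in
    time order.  Fires once per burst when one source has sent SYNs to at least
    `threshold` distinct destinations inside `window`, and re-arms when the
    burst subsides.  Returns [(src_ip, burst_start, distinct_dst_count)].
    """
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_ip) in window
    already_fired = set()         # sources alerted during the current burst
    alerts = []
    for ts, src, dst in syn_events:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop SYNs older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            if src not in already_fired:
                alerts.append((src, q[0][0], len(distinct)))
                already_fired.add(src)
        else:
            already_fired.discard(src)
    return alerts


def build_sample_events():
    """Constructed traffic (not captured data): one PC loading a large site
    served from many content and ad hosts, and one PC re-polling three hosts."""
    base = datetime(2008, 11, 4, 10, 30, 0)
    events = []
    for i in range(20):   # 20 distinct hosts in 3 seconds: looks like a "sweep"
        events.append((base + timedelta(milliseconds=150 * i),
                       "10.0.0.5", f"203.0.113.{i + 1}"))
    for i in range(30):   # 30 SYNs but only 3 distinct hosts: never fires
        events.append((base + timedelta(milliseconds=100 * i),
                       "10.0.0.6", f"198.51.100.{i % 3 + 1}"))
    return sorted(events)


# Column layout of the event-summary rows pasted in the thread; fields are
# separated by runs of two or more spaces, signature names contain single spaces.
FIELDS = ("severity", "date", "time", "device", "signature", "sig_id",
          "attacker", "target", "risk_rating", "threat_rating")


def parse_event_line(line):
    parts = re.split(r"\s{2,}", line.strip())
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected column count {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def targets_by_attacker(lines):
    """Triage helper: distinct target IPs each flagged source was reported
    against for signature 3030.  Many well-known web/CDN/ad addresses is the
    benign pattern the answer describes; the same count of hosts inside one
    internal subnet would be worth a closer look."""
    out = defaultdict(set)
    for line in lines:
        ev = parse_event_line(line)
        if ev["sig_id"] == "3030/0":
            out[ev["attacker"]].add(ev["target"])
    return {src: sorted(dsts) for src, dsts in out.items()}


# Constructed rows in the thread's format; the source stays masked as on the page.
SAMPLE_LINES = [
    "informational      11/04/2008      10:30:10      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            63.135.80.48                  31      31",
    "informational      11/04/2008      10:24:47      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            64.4.52.189                  31      31",
    "informational      11/04/2008      09:49:48      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31",
    "informational      11/04/2008      09:51:54      ASA      TCP SYN Host Sweep      3030/0      x.x.x.x            209.191.92.114                  31      31",
]

if __name__ == "__main__":
    for src, start, n in detect_host_sweeps(build_sample_events()):
        print(f"host sweep: {src} reached {n} distinct destinations from {start:%H:%M:%S}")
    print(targets_by_attacker(SAMPLE_LINES))
```

Running it shows the first PC tripping the detector at its 15th distinct host a couple of seconds into the page load, while the second PC, which sends more SYNs in total but to only three hosts, never does. That is exactly why a per-source distinct-destination count is a weak signal on its own: the useful context is what the destinations are and whether the source touches ports other than 80/443, which the summary rows do not show.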

PaulDubAuthor Commented:
Well explained... Thanks