
Deny inbound UDP

Hello

Does anyone know what this log means?

<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside

I checked the syslog messages section on Cisco's website and got this info, but it doesn't give me much feedback:

106006

Error Message: %ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation: This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined by the specified traffic type.

Recommended Action: None required.

Any help you can provide will be greatly appreciated!

Asked: dholbanga
JFrederick29 commented:
Is 192.168.255.1 the ASA inside interface IP address?  All it means is that the 172.16.1.1 host sent a UDP packet to 192.168.255.1 with a destination port of 4419.  The ASA dropped this packet as it isn't accepting connections on that port.  This is nothing to worry about unless you are receiving thousands of these messages.  If that is the case, you may want to look at the 172.16.1.1 host and determine what app is sending that traffic.
dholbanga (Author) commented:
The subnet 192.168.255.0 does not exist on our network.  So does that mean that the host 172.16.1.1 is running a scanner on our network looking to place an attack of some sort?
JFrederick29 commented:
Not necessarily; the ASA is going to see any traffic destined to unknown networks since it is the default gateway to the Internet.  You would have to go back to the 172.16.1.1 host and determine what app is initiating this traffic.  Could simply be a misconfiguration of an app.  Again though, unless you are seeing thousands and thousands of these connections, I really wouldn't worry about it; the ASA is doing what it is supposed to be doing.
dholbanga (Author) commented:
But I do wonder if the user is doing anything to scan the network and plan any unnecessary attacks.  That's all.  I see a lot of these attempts each day.  Same with land attacks.

Are land attacks something to worry about?  I get these messages daily:

unknown   172.58.1.99   unknown   09 Feb 2009, 07:03:04   %asa-2-106017: deny ip due to land attack from 172.58.1.99 to 172.58.1.199  
JFrederick29 commented:
Land attacks are when a packet is received with the same source and destination IP address.  I have seen this before with Avaya VoIP phones.  You would again have to track down on the host what is sending this traffic.
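As an added example (not from the thread), a small Python parser for the two ASA message IDs discussed here, 106006 and 106017, that counts denies per source and flags sources that exceed a chosen threshold, in the spirit of the "thousands of these messages" rule of thumb above. The log lines are constructed samples modelled on the ones quoted in the thread; the threshold value is an assumption you would tune for your own volume.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two messages quoted in this thread.
SAMPLE_LOGS = [
    "<162>Dec 18 2008 12:40:21 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2675 to 192.168.255.1/4419 on interface inside",
    "<162>Dec 18 2008 12:40:22 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.1/2676 to 192.168.255.1/4419 on interface inside",
    "<162>Dec 18 2008 12:41:02 asafw : %ASA-2-106006: Deny inbound UDP from 172.16.1.7/5000 to 192.168.255.9/53 on interface inside",
    "<162>Feb 09 2009 07:03:04 asafw : %ASA-2-106017: Deny IP due to Land Attack from 172.58.1.99 to 172.58.1.199",
]

# 106006: inbound UDP denied by policy; 106017: land attack (same src/dst address).
# Case-insensitive because some collectors lowercase the message text.
UDP_DENY = re.compile(
    r"%ASA-\d-106006: Deny inbound UDP from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) on interface (?P<iface>\S+)", re.I)
LAND = re.compile(
    r"%ASA-\d-106017: Deny IP due to Land Attack from (?P<src>[\d.]+) to (?P<dst>[\d.]+)", re.I)

def parse_line(line):
    """Return a dict describing a 106006 or 106017 event, or None for anything else."""
    m = UDP_DENY.search(line)
    if m:
        return {"id": "106006", "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "iface": m["iface"]}
    m = LAND.search(line)
    if m:
        return {"id": "106017", "src": m["src"], "dst": m["dst"]}
    return None

def summarize(lines, threshold):
    """Count 106006 denies per (src, dst, dport), list 106017 sources, and flag
    sources whose total deny count reaches the threshold for host follow-up."""
    udp, land = Counter(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["id"] == "106006":
            udp[(ev["src"], ev["dst"], ev["dport"])] += 1
        else:
            land.append(ev["src"])
    per_src = Counter()
    for (src, _dst, _dport), n in udp.items():
        per_src[src] += n
    noisy = sorted(s for s, n in per_src.items() if n >= threshold)
    return {"udp": udp, "noisy_sources": noisy, "land_sources": land}
```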
dholbanga (Author) commented:
So that means there is a potential insider who is trying to do an attack?  Or would it be a device?  It's hard to say when you get a MAC address and cannot find it.  What do you suggest I do?  Do captures on the network to find the culprit/source?
JFrederick29 commented:
Could simply be a misconfiguration or normal operation in the case of Avaya phones.  It may not be malicious at all, but to know for sure, you would need to find the IP address of the source workstation when it is occurring and take a look at the machine/device.  A packet capture probably isn't going to provide you any more information than source/dest IP address, which you already see in the log messages.
dholbanga (Author) commented:
A capture would provide the MAC address though.  We don't have any IP phones in our environment.  What is the best way to find the source?  What do you suggest?
JFrederick29 commented:
Is the firewall the gateway, or is it an internal router?  On the router or firewall, do a "show arp" and look for the IP address in question to get the MAC address.
dholbanga (Author) commented:
The firewall is at the edge of the network but it is not the gateway.  We have 2 switches running HSRP before the firewall.
JFrederick29 commented:
Okay, so on the switches, look in the ARP table for the IP address and you can get the MAC address from there:

show arp
dholbanga (Author) commented:
Thanks.  I did a "sh arp" on the firewall and the two core switches and could not find that IP address.  Maybe this is a spoofed IP, and that's why it's not showing up?  The last connection happened at 7:23 AM this morning, and I know the ARP is not clearing out 100% because I see old IP addresses in here that have not been used in over a month.
JFrederick29 commented:
You are looking for the source IP address, right? 172.16.1.1?
dholbanga (Author) commented:
Yes, this is what I was looking for, and it does not appear in the ARP cache in any of the three places: firewall, core switch 1 and core switch 2.  Now I'm confused.
JFrederick29 commented:
Well, they time/age out of the table or if the subnet doesn't exist, you won't see an ARP entry.  Next time you see it, ping the IP address from the router/switch that has the local subnet attached and look at the ARP table.  The ping will refresh it.
dholbanga (Author) commented:
Once I find the MAC address... Is there an easy way to locate a device on a network with thousands of network connections?  Or is there a way to block the MAC address out of the network from the firewall?
JFrederick29 commented:
You don't want to block it since you don't know if it is legitimate or not.  As long as you have managed switches throughout the network, you can track down the MAC address using the "show mac-add add <mac address>" command, assuming Cisco switches.  Keep hopping switch to switch until you find the end user port.
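As an added example (not from the thread), Python that walks the procedure described above from captured command output: resolve the IP to a MAC with "show arp" on the switch that owns the subnet, look the MAC up in "show mac address-table", and keep hopping across uplinks until the MAC is learned on a non-uplink (end user) port. The switch outputs, switch names and the uplink map are constructed; the output layouts follow the Cisco IOS formats for these commands.

```python
import re

# Constructed command output in Cisco IOS layout; no real device was queried.
# "uplinks" maps a local port to the neighbouring switch it connects to.
SWITCHES = {
    "core1": {
        "show arp": (
            "Protocol  Address          Age (min)  Hardware Addr   Type   Interface\n"
            "Internet  172.16.1.1             12   0011.2233.4455  ARPA   Vlan10\n"
            "Internet  172.16.1.254            -   0011.2233.0001  ARPA   Vlan10\n"),
        "show mac address-table": (
            "Vlan    Mac Address       Type        Ports\n"
            "----    -----------       --------    -----\n"
            "  10    0011.2233.4455    DYNAMIC     Gi1/0/48\n"),
        "uplinks": {"Gi1/0/48": "access1"},
    },
    "access1": {
        "show arp": "",  # access switch is layer 2 only, no ARP entries
        "show mac address-table": (
            "Vlan    Mac Address       Type        Ports\n"
            "----    -----------       --------    -----\n"
            "  10    0011.2233.4455    DYNAMIC     Gi1/0/7\n"),
        "uplinks": {"Gi1/0/1": "core1"},
    },
}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M | re.I)
MAC_RE = re.compile(r"^\s*\d+\s+" + MAC + r"\s+\S+\s+(\S+)", re.M | re.I)

def ip_to_mac(arp_output, ip):
    """Find the MAC for ip in 'show arp' output, or None if not present."""
    return next((m.lower() for a, m in ARP_RE.findall(arp_output) if a == ip), None)

def mac_to_port(mac_table, mac):
    """Find the port a MAC is learned on in 'show mac address-table' output."""
    return next((p for m, p in MAC_RE.findall(mac_table) if m.lower() == mac), None)

def trace(switches, start, ip, max_hops=16):
    """Return (switch, port, path) for the edge port where ip's MAC is learned,
    hopping along uplinks; None if the IP or MAC cannot be found."""
    mac = ip_to_mac(switches[start]["show arp"], ip)
    if mac is None:
        return None
    path, sw = [], start
    for _ in range(max_hops):  # bounded so a cabling loop cannot run forever
        port = mac_to_port(switches[sw]["show mac address-table"], mac)
        path.append((sw, port))
        if port is None:
            return None
        nxt = switches[sw]["uplinks"].get(port)
        if nxt is None:  # not an uplink, so this is the end user port
            return sw, port, path
        sw = nxt
    return None
```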
dholbanga (Author) commented:
That is really good advice!  But what's the command to block out a MAC address from the ASA firewall?  If there is such a command.
JFrederick29 commented:
Not by MAC address, you would need to specify the IP address.  Keep in mind that the Firewall is dropping the traffic already which is the same thing it would do with a MAC filter anyway...