"Deny tcp src" in the PIX log thousands of times, attack?

Shakthi777
Hi Experts,

I get 2101 "Deny tcp src" hits in my PIX (Cisco 515e) log over about 11 hours, from various IPs and to the open ports inside the network.

How do I handle this situation?

Thanks a lot for your time.
Dave HoweSoftware and Hardware Engineer

Commented:
Most odd. 2101 is differential GPS, but is usually seen as a UDP or TCP target, not a TCP source.

Might I suggest (given it's a PIX) using the "debug packet <inside interface name> proto tcp dport 2101" command to see if there is any outbound traffic prompting this flood? You might need the "term mon" command too, if you are SSHing to the PIX and not using the console cable.

Author

Commented:
Dave, I think I misled you.

I got 2101 "Deny" messages for the past 11 hours. It's denying from various IPs:
```
Line 33640: 2010-10-18 10:59:45	Local7.Warning	192.168.2.254	Oct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
Line 33641: 2010-10-18 10:59:48	Local7.Warning	192.168.2.254	Oct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
Line 33642: 2010-10-18 10:59:51	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
Line 33643: 2010-10-18 10:59:54	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
Line 33644: 2010-10-18 11:00:09	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
Line 33645: 2010-10-18 11:00:12	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:22: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
Line 33646: 2010-10-18 11:00:15	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
Line 33647: 2010-10-18 11:00:18	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:28: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
Line 33648: 2010-10-18 11:00:24	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/46897 dst inside:xxx.x.xxx.15/21 by access-group "110" [0x0, 0x0]
Line 33649: 2010-10-18 11:00:27	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
Line 33650: 2010-10-18 11:00:30	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
Line 33651: 2010-10-18 11:00:39	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:49: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
Line 33652: 2010-10-18 11:00:42	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:52: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
Line 33653: 2010-10-18 11:00:45	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
Line 33654: 2010-10-18 11:00:48	Local7.Warning	192.168.2.254	Oct 18 2010 09:58:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
Line 33655: 2010-10-18 11:00:51	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
Line 33656: 2010-10-18 11:00:54	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
Line 33657: 2010-10-18 11:00:57	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:07: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
Line 33658: 2010-10-18 11:01:00	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:10: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
Line 33659: 2010-10-18 11:01:03	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:13: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
Line 33661: 2010-10-18 11:01:06	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:16: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
Line 33663: 2010-10-18 11:01:21	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:31: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
Line 33664: 2010-10-18 11:01:24	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
Line 33665: 2010-10-18 11:01:27	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]
Line 33667: 2010-10-18 11:01:30	Local7.Warning	192.168.2.254	Oct 18 2010 09:59:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]
```


Software and Hardware Engineer
Commented:
No. The usual cause of a large number of tcp packets impacting on the outside of the firewall sharing a common *source* port is that there is some host on the inside who is requesting that connection, but that there is no automatic rule being created by the NAT to allow the reply traffic back IN. If you can discover which host, then you may then understand (from examination of that host) what it is trying to do and which program is attempting to do it.

However, that log you just posted doesn't reflect that. Instead, it shows a large number of attempted connections to FTP on your entire static NAT range, from a single IP (210.205.6.75) and a dynamically allocated port. This is characteristic of a Skript Kiddie trying his shiny new "exploit finder" script, and should be reported to his ISP.
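
The two patterns described above (many external sources sharing one *source* port toward a single inside host, versus one external IP sweeping the same destination port across the whole NAT range) can be separated mechanically from the syslog export. The following Python script is an added example for this thread, not code from the thread's participants or from Cisco: it parses %PIX-4-106023 lines and reports both patterns. The sample log lines and all addresses in it are constructed (RFC 5737 documentation ranges), and the thresholds (4 swept hosts, 3 shared-port sources, ephemeral ports at 1024 and above) are assumptions to tune for your own environment.

```python
"""Triage %PIX-4-106023 deny messages: tell a one-source sweep across many
inside hosts apart from dropped reply traffic that shares a common source port."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format quoted in the question. The addresses
# are RFC 5737 documentation ranges, not the thread's real or masked hosts.
SAMPLE_LOG = """\
Oct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:198.51.100.7/42813 dst inside:192.0.2.9/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:198.51.100.7/42813 dst inside:192.0.2.9/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:198.51.100.7/38445 dst inside:192.0.2.10/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:198.51.100.7/50386 dst outside:192.0.2.13/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:198.51.100.7/35768 dst inside:192.0.2.14/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 09:58:34: %PIX-4-106023: Deny tcp src outside:198.51.100.7/46897 dst inside:192.0.2.15/21 by access-group "110" [0x0, 0x0]
Oct 18 2010 10:02:00: %PIX-4-106023: Deny tcp src outside:203.0.113.10/443 dst inside:192.0.2.50/51234 by access-group "110" [0x0, 0x0]
Oct 18 2010 10:02:01: %PIX-4-106023: Deny tcp src outside:203.0.113.11/443 dst inside:192.0.2.50/51235 by access-group "110" [0x0, 0x0]
Oct 18 2010 10:02:03: %PIX-4-106023: Deny tcp src outside:203.0.113.12/443 dst inside:192.0.2.50/51236 by access-group "110" [0x0, 0x0]
Oct 18 2010 10:05:00: %PIX-4-106023: Deny udp src outside:203.0.113.99/5060 dst inside:192.0.2.60/5060 by access-group "110" [0x0, 0x0]
"""

# [\w.] for the addresses also accepts masked forms such as xxx.x.xxx.9,
# so a redacted export like the one posted above still parses.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\S+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\w.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\w.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(text):
    """Return one dict per parseable 106023 line; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            d = m.groupdict()
            d["src_port"] = int(d["src_port"])
            d["dst_port"] = int(d["dst_port"])
            out.append(d)
    return out


def find_sweeps(denies, min_targets=4):
    """One external source hitting the same destination port on many distinct
    inside hosts: the pattern in the posted log (one IP probing FTP across the
    whole static NAT range). Threshold is an assumption."""
    targets = defaultdict(set)  # (src_ip, dst_port) -> {dst_ip}
    hits = Counter()
    for d in denies:
        key = (d["src_ip"], d["dst_port"])
        targets[key].add(d["dst_ip"])
        hits[key] += 1
    return {
        key: {"hosts": len(ips), "denies": hits[key]}
        for key, ips in targets.items()
        if len(ips) >= min_targets
    }


def find_dropped_replies(denies, min_sources=3):
    """Many external sources sharing one *source* port toward a single inside
    host on ephemeral destination ports: looks like replies to connections that
    host opened outbound, with no return-traffic entry to let them back in
    (the first hypothesis in the thread). Thresholds are assumptions."""
    sources = defaultdict(set)  # (dst_ip, src_port) -> {src_ip}
    for d in denies:
        if d["dst_port"] >= 1024:  # ephemeral client-side port on the inside host
            sources[(d["dst_ip"], d["src_port"])].add(d["src_ip"])
    return {key: len(ips) for key, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    denies = parse_denies(SAMPLE_LOG)
    print(f"{len(denies)} deny records parsed")
    for (src, port), info in find_sweeps(denies).items():
        print(f"sweep: {src} -> port {port} on {info['hosts']} hosts "
              f"({info['denies']} denies); candidate for an abuse report to its ISP")
    for (host, sport), n in find_dropped_replies(denies).items():
        print(f"dropped replies: {n} sources from port {sport} toward {host}; "
              f"check what that inside host is connecting to")
```

Run against a real export by reading the syslog file into `parse_denies` instead of `SAMPLE_LOG`; the sweep list is what you would hand to the source's ISP, and the dropped-replies list names the inside host whose outbound connections deserve a look, which is the "debug packet" question from the first reply answered from the logs alone.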

Author

Commented:
Thanks for the guidance!
