Shakthi777
"Deny tcp src" in the PIX log thousands of times, attack?
Hi Experts,
I get "Deny tcp src" 2101 hits in my PIX (Cisco 515e) log for about 11 hours, from various IPs and to the open ports inside the network.
How do I handle this situation?
Thanks a lot for your time.
ASKER
Dave, I think I misled you.
I got 2101 "Deny" messages in the past 11 hours. It's denying from various IPs.
Line 33640: 2010-10-18 10:59:45 Local7.Warning 192.168.2.254 Oct 18 2010 09:57:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
Line 33641: 2010-10-18 10:59:48 Local7.Warning 192.168.2.254 Oct 18 2010 09:57:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42813 dst inside:xxx.x.xxx.9/21 by access-group "110" [0x0, 0x0]
Line 33642: 2010-10-18 10:59:51 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
Line 33643: 2010-10-18 10:59:54 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/38445 dst inside:xxx.x.xxx.10/21 by access-group "110" [0x0, 0x0]
Line 33644: 2010-10-18 11:00:09 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:19: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
Line 33645: 2010-10-18 11:00:12 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:22: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50386 dst outside:xxx.x.xxx.13/21 by access-group "110" [0x0, 0x0]
Line 33646: 2010-10-18 11:00:15 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:25: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
Line 33647: 2010-10-18 11:00:18 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:28: %PIX-4-106023: Deny tcp src outside:210.205.6.75/35768 dst inside:xxx.x.xxx.14/21 by access-group "110" [0x0, 0x0]
Line 33648: 2010-10-18 11:00:24 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/46897 dst inside:xxx.x.xxx.15/21 by access-group "110" [0x0, 0x0]
Line 33649: 2010-10-18 11:00:27 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
Line 33650: 2010-10-18 11:00:30 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/60509 dst inside:xxx.x.xxx.16/21 by access-group "110" [0x0, 0x0]
Line 33651: 2010-10-18 11:00:39 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:49: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
Line 33652: 2010-10-18 11:00:42 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:52: %PIX-4-106023: Deny tcp src outside:210.205.6.75/45046 dst inside:xxx.x.xxx.18/21 by access-group "110" [0x0, 0x0]
Line 33653: 2010-10-18 11:00:45 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:55: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
Line 33654: 2010-10-18 11:00:48 Local7.Warning 192.168.2.254 Oct 18 2010 09:58:58: %PIX-4-106023: Deny tcp src outside:210.205.6.75/50885 dst outside:xxx.x.xxx.19/21 by access-group "110" [0x0, 0x0]
Line 33655: 2010-10-18 11:00:51 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:01: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
Line 33656: 2010-10-18 11:00:54 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:04: %PIX-4-106023: Deny tcp src outside:210.205.6.75/42298 dst inside:xxx.x.xxx.20/21 by access-group "110" [0x0, 0x0]
Line 33657: 2010-10-18 11:00:57 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:07: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
Line 33658: 2010-10-18 11:01:00 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:10: %PIX-4-106023: Deny tcp src outside:210.205.6.75/41146 dst inside:xxx.x.xxx.21/21 by access-group "110" [0x0, 0x0]
Line 33659: 2010-10-18 11:01:03 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:13: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
Line 33661: 2010-10-18 11:01:06 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:16: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44848 dst outside:xxx.x.xxx.22/21 by access-group "110" [0x0, 0x0]
Line 33663: 2010-10-18 11:01:21 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:31: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
Line 33664: 2010-10-18 11:01:24 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:34: %PIX-4-106023: Deny tcp src outside:210.205.6.75/56360 dst inside:xxx.x.xxx.25/21 by access-group "110" [0x0, 0x0]
Line 33665: 2010-10-18 11:01:27 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:37: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]
Line 33667: 2010-10-18 11:01:30 Local7.Warning 192.168.2.254 Oct 18 2010 09:59:40: %PIX-4-106023: Deny tcp src outside:210.205.6.75/44272 dst inside:xxx.x.xxx.26/21 by access-group "110" [0x0, 0x0]
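An added example, not part of the original thread: a short Python triage of %PIX-4-106023 lines like the ones posted above, grouping denies by source to show whether the hits come from one host sweeping a single port across many addresses or from scattered noise. The sample lines, the documentation addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Field layout of the %PIX-4-106023 lines quoted above.
DENY_RE = re.compile(
    r"%PIX-4-106023: Deny (?P<proto>\w+) "
    r"src [^:\s]+:(?P<sip>[^/\s]+)/(?P<sport>\d+) "
    r"dst [^:\s]+:(?P<dip>[^/\s]+)/(?P<dport>\d+) "
    r'by access-group "(?P<acl>[^"]+)"')

def summarize(lines):
    """Per source address: raw hits, unique flows, distinct targets and ports."""
    stats = defaultdict(lambda: {"hits": 0, "flows": set(), "hosts": set(), "ports": set()})
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue  # not an ACL deny event
        s = stats[m["sip"]]
        s["hits"] += 1
        # A retried SYN reuses the source port, so it collapses into one flow.
        s["flows"].add((m["sport"], m["dip"], m["dport"]))
        s["hosts"].add(m["dip"])
        s["ports"].add((m["proto"], int(m["dport"])))
    return dict(stats)

def classify(entry, threshold=5):
    """Rough label; the threshold of 5 is an assumption to tune per site."""
    if len(entry["hosts"]) >= threshold and len(entry["ports"]) == 1:
        return "horizontal scan"  # one service probed across many hosts
    if len(entry["hosts"]) == 1 and len(entry["ports"]) >= threshold:
        return "port scan"        # many ports probed on one host
    return "background noise"

def _line(ts, src, sport, dst, dport):
    return (f"Oct 18 2010 {ts}: %PIX-4-106023: Deny tcp src outside:{src}/{sport} "
            f'dst inside:{dst}/{dport} by access-group "110" [0x0, 0x0]')

# Constructed sample (documentation addresses), not taken from the asker's log.
SAMPLE = ["Oct 18 2010 09:57:50: unrelated message (constructed)"]
for i in range(9, 17):  # eight hosts, each probe logged twice
    SAMPLE += [_line(f"09:58:{i:02d}", "203.0.113.7", 40000 + i, f"192.0.2.{i}", 21)] * 2
SAMPLE.append(_line("09:59:30", "198.51.100.20", 51515, "192.0.2.9", 445))

if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["hits"]):
        print(src, e["hits"], "hits,", len(e["flows"]), "flows,",
              len(e["hosts"]), "hosts,", sorted(e["ports"]), "->", classify(e))
```

Masked destinations such as xxx.x.xxx.9 parse the same way, and the flow count shows how far repeated log entries for the same source port inflate the raw hit total.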
ASKER
Thanks for the guidance!
Might I suggest (given it's a PIX) using the "debug packet <inside interface name> proto tcp dport 2101" command to see if there is any outbound traffic prompting this flood? You might need the "term mon" command too, if you are SSHing to the PIX and not using the console cable.