Asked by sciggs

ASA 5510 - DOS or SYN Attack??

Our network at the office slowed to a halt today during operation hours.  I logged into our ASA at that point and noticed that our bandwidth for our inside and outside interfaces was completely maxed out.

While watching the ASDM syslog messages, I am seeing them roll through at about 10 per second, like below:

2|Nov 06 2012|17:46:55|106001|177.40.111.69|58352|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 177.40.111.69/58352 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:55|106001|64.189.164.32|53455|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 64.189.164.32/53455 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:55|106001|72.200.200.128|61742|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 72.200.200.128/61742 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:56|106001|108.181.239.166|61636|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 108.181.239.166/61636 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:56|106006|186.107.118.172|51216|EXTERNAL IP ADDRESS|61053|Deny inbound UDP from 186.107.118.172/51216 to EXTERNAL IP ADDRESS/61053 on interface outside
2|Nov 06 2012|17:46:56|106001|70.45.82.86|63136|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 70.45.82.86/63136 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:56|106006|70.70.57.238|32245|EXTERNAL IP ADDRESS|61053|Deny inbound UDP from 70.70.57.238/32245 to EXTERNAL IP ADDRESS/61053 on interface outside
4|Nov 06 2012|17:46:56|106023|186.107.118.172|52784|EXTERNAL IP ADDRESS|61082|Deny udp src outside:186.107.118.172/52784 dst inside:EXTERNAL IP ADDRESS/61082 by access-group "out2in" [0x0, 0x0]
2|Nov 06 2012|17:46:56|106001|70.189.202.215|57055|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 70.189.202.215/57055 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:56|106006|70.189.202.215|49153|EXTERNAL IP ADDRESS|61053|Deny inbound UDP from 70.189.202.215/49153 to EXTERNAL IP ADDRESS/61053 on interface outside
2|Nov 06 2012|17:46:56|106006|99.48.165.120|21065|EXTERNAL IP ADDRESS|61053|Deny inbound UDP from 99.48.165.120/21065 to EXTERNAL IP ADDRESS/61053 on interface outside
4|Nov 06 2012|17:46:56|106023|190.78.153.219|1125|208.104.29.123|445|Deny tcp src outside:190.78.153.219/1125 dst inside:208.104.29.123/445 by access-group "out2in" [0x0, 0x0]
2|Nov 06 2012|17:46:57|106001|177.40.111.69|58352|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 177.40.111.69/58352 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|96.255.13.175|53350|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 96.255.13.175/53350 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|108.181.239.166|61636|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 108.181.239.166/61636 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|74.213.125.82|58789|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 74.213.125.82/58789 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|99.191.44.63|49328|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 99.191.44.63/49328 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|99.253.146.31|56965|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 99.253.146.31/56965 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|96.242.117.26|60044|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 96.242.117.26/60044 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106006|96.242.117.26|33500|EXTERNAL IP ADDRESS|61053|Deny inbound UDP from 96.242.117.26/33500 to EXTERNAL IP ADDRESS/61053 on interface outside
2|Nov 06 2012|17:46:57|106001|2.83.19.213|51143|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 2.83.19.213/51143 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|74.212.229.211|63762|EXTERNAL IP ADDRESS|50526|Inbound TCP connection denied from 74.212.229.211/63762 to EXTERNAL IP ADDRESS/50526 flags SYN  on interfac



I replaced our IP address with "EXTERNAL IP ADDRESS".  It seems that the destination port is always 61053.  Throughout the day, it would slow down and then pick back up, which killed our network speeds.  While looking at the Firewall Dashboard, every time our bandwidth is maxed out, the Syn Attacks in the graph are high.


I'm not too experienced with this Cisco error.  What can I do to alleviate this so our network will not crash again tomorrow?


Thanks for any and all help.  Let me know if more info is needed.
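
One way to triage an exported log like the one in the question, as an added example that is not part of the original post: it parses the pipe-delimited ASDM lines and reports the most-targeted destination port, the number of distinct sources hitting it, the split by syslog message ID, and the peak denies per second. The sample lines are constructed with documentation-range source addresses, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Column order of the ASDM log export shown in the post.
FIELDS = ("severity", "date", "time", "msg_id", "src_ip", "src_port",
          "dst_ip", "dst_port", "text")

# Constructed sample (documentation-range sources); the last line is cut off.
# 106001 = inbound TCP denied, 106006 = inbound UDP denied, 106023 = ACL deny.
SAMPLE = """\
2|Nov 06 2012|17:46:55|106001|198.51.100.7|58352|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 198.51.100.7/58352 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:55|106001|198.51.100.22|53455|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 198.51.100.22/53455 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:56|106006|203.0.113.40|51216|EXTERNAL IP ADDRESS|61053|Deny inbound UDP from 203.0.113.40/51216 to EXTERNAL IP ADDRESS/61053 on interface outside
2|Nov 06 2012|17:46:56|106001|203.0.113.41|61636|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 203.0.113.41/61636 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
4|Nov 06 2012|17:46:56|106023|192.0.2.9|1125|EXTERNAL IP ADDRESS|445|Deny tcp src outside:192.0.2.9/1125 dst inside:EXTERNAL IP ADDRESS/445 by access-group "out2in" [0x0, 0x0]
2|Nov 06 2012|17:46:56|106001|198.51.100.7|58352|EXTERNAL IP ADDRESS|61053|Inbound TCP connection denied from 198.51.100.7/58352 to EXTERNAL IP ADDRESS/61053 flags SYN  on interface outside
2|Nov 06 2012|17:46:57|106001|203.0.113.9
"""


def parse(line):
    """Return one export line as a dict, or None if fields are missing."""
    parts = line.strip().split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS) or not parts[7].isdigit():
        return None
    return dict(zip(FIELDS, parts))


def summarize(text):
    """Summarize denies for the most-targeted destination port."""
    lines = [l for l in text.splitlines() if l.strip()]
    events = [e for e in map(parse, lines) if e]
    if not events:
        return None
    sources, msg_ids = defaultdict(set), defaultdict(Counter)
    for e in events:
        sources[e["dst_port"]].add(e["src_ip"])
        msg_ids[e["dst_port"]][e["msg_id"]] += 1
    port, hits = Counter(e["dst_port"] for e in events).most_common(1)[0]
    per_second = Counter((e["date"], e["time"]) for e in events)
    return {"events": len(events), "skipped": len(lines) - len(events),
            "top_port": port, "hits": hits,
            "distinct_sources": len(sources[port]),
            "msg_ids": dict(msg_ids[port]),
            "peak_per_second": max(per_second.values())}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```
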
ASKER CERTIFIED SOLUTION by fgasimzade