Solved

ASA 5505 - Severity 1: An attack is in progress

Posted on 2014-11-11
Last Modified: 2014-11-12
I'm getting a lot of severity 1 - attack in progress on my ASA 5505:
Deny TCP reverse path check from xx.xx.xx.xx (external ip) to outside interface

I'm new to these logs; severity 1 seems serious.
Are these common? Should I be concerned, or is the ASA just doing its job and telling me about it?

Any suggestions or input would be appreciated.
Question by: ShawnGray
 
LVL 32

Expert Comment

by:harbor235
ID: 40437121
Sounds like someone is directing spoofed traffic at your device; you have unicast reverse-path forwarding on, and
your device is dropping the traffic. Unfortunately this is all too common today. It sounds like someone is attacking, but your configuration is working to stop this unwanted traffic. How much traffic is it?


Does the ASA add a SHUN for the attacking sources?


harbor235 ;}
 
LVL 61

Expert Comment

by:btan
ID: 40437151
You can verify what is contributing to this message with "ip verify reverse-path interface ....". The message is supposed to mean that the stated interface received a packet with a source address matching a known inside network address. The intent is to verify that the source address is not spoofed, and likely there is some config issue. You may want to catch these discussions of uRPF, with the symptom that triggers it:
an incoming packet on that specific interface sourced from an address that does not exist in the routing table, or that exists but with an exit path toward an interface other than the one on which it arrives
or
In your case you have the "ip verify reverse-path interface outside" and/or "ip verify reverse-path interface Inside" feature enabled on the outside and/or inside interfaces, so what happens is that when an incoming packet arrives at the outside and/or inside interface it is subject to the source validity check (uRPF): if a route exists for that packet flow it is passed through; otherwise, if a route does not exist, or exists but does not match the flow, the packet is denied.
https://learningnetwork.cisco.com/thread/65566
https://supportforums.cisco.com/discussion/11678641/deny-tcpicmp-reverse-path-check-interface-inside
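The check described in the comment above, as an added example (not code from the thread or from Cisco): a small model of strict reverse-path verification, the behaviour "ip verify reverse-path interface <name>" enforces, against a constructed routing table. The prefixes, interface names and sample packets are assumptions for the illustration; the one realistic detail is that the default route points out "outside", which is the normal ASA 5505 setup.

```python
import ipaddress

# Constructed routing table (example data, not from the thread): each entry is
# (prefix, exit interface). The default route out "outside" is the usual
# ASA 5505 setup; the other two are assumed internal networks.
ROUTES = [
    ("0.0.0.0/0", "outside"),
    ("192.168.1.0/24", "inside"),
    ("10.10.0.0/16", "dmz"),
]


def lookup(src, routes=ROUTES):
    """Longest-prefix match: return the exit interface for src, or None."""
    addr = ipaddress.ip_address(src)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def urpf_check(src, ingress, routes=ROUTES):
    """Strict reverse-path check, as 'ip verify reverse-path interface <ingress>'
    applies it: the route back to the source must leave through the interface
    the packet arrived on. Returns (verdict, reason)."""
    exit_iface = lookup(src, routes)
    if exit_iface is None:
        return ("deny", "no route to source")
    if exit_iface != ingress:
        return ("deny", "source routes out %s but arrived on %s" % (exit_iface, ingress))
    return ("permit", "route to source exits via %s" % ingress)


if __name__ == "__main__":
    # Constructed packets: (source address, arriving interface).
    cases = [
        ("203.0.113.5", "outside"),   # ordinary Internet source: permit via default route
        ("192.168.1.20", "outside"),  # inside address arriving from the Internet: spoofed, deny
        ("192.168.1.20", "inside"),   # same address on its own interface: permit
        ("203.0.113.5", "inside"),    # internal host sourcing a public address: deny
    ]
    for src, ingress in cases:
        verdict, reason = urpf_check(src, ingress)
        print("%-15s on %-8s -> %-6s (%s)" % (src, ingress, verdict, reason))
```

Because the default route satisfies the check for any address not routed elsewhere, uRPF on the outside interface only drops sources that belong behind another interface, which is exactly the "source address matching a known inside network address" case in the poster's log line. The check on the inside interface is the more selective one: there, any source outside the inside prefixes is dropped.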
 

Author Comment

by:ShawnGray
ID: 40437199
Harbor235 - We had some malicious stuff on the inside of the network which was creating a shun for a couple of local machines. They're clean and I haven't seen any issues with that. I have not seen a shun since.

btan - thank you for the input; I'll dig in to these.

Interestingly, I've received a severity 2 "deny IP due to land attack from 'outfacing ip' to the same 'outfacing ip'".
How can that happen? btan, I'm wondering if this could be related to what you are suggesting?

Thank you both,
 
LVL 61

Accepted Solution

by: btan (earned 500 total points)
ID: 40437502
You can check out the severity levels, e.g. alert = sev 1 and critical = sev 2:
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html#3

See also this: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html
In Land attacks, the attacker sends the victim a TCP SYN packet that contains the same IP address as the source and destination addresses. Such a packet completely locks the victim's system. This is different: the Cisco device is under denial of service, intended to bring it down to no services, compared to the previous one, which is more IP spoofing while the service is still running. Of course the source IP can be spoofed to trigger a land attack, but that is effort on the adversary's side.

But overall, check out the article for mitigation measures, which primarily look into filtering source IP (which applies to the previous sev 1 alert if it is not due to a misconfig), filtering services (get rid of unnecessary ports open to exploitation) and filtering destination IP (safeguarding target systems or machines). Best Current Practice (BCP) 38 in RFC 2827 is one area to look at too. You can find out more in the Cisco best practice guide below on the topic of anti-spoofing (it covers uRPF and BCP 38).
http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html#_Toc332806006
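To turn the two messages discussed in this thread into something you can triage (severity, message kind, how many sources, whether a dropped source is an inside address arriving from outside, and whether a land-attack line really has source equal to destination), here is an added example that is not part of the thread and not Cisco's code. The sample log lines are constructed for the example in the %ASA-<severity>-<msgid> syslog format using documentation address ranges, and the inside prefix is an assumption; on a real box, take it from the ASA's inside interface and routes.

```python
import ipaddress
import re
from collections import Counter

# Cisco syslog severity levels as the ASA numbers them (0 is the most severe).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Assumed inside network for this example; on a real ASA take it from the
# 'inside' interface address and the static routes.
INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines (not a capture from the poster's device) in the
# %ASA-<severity>-<msgid> format; addresses are from documentation ranges.
SAMPLE_LOG = """\
Nov 11 2014 09:12:01 asa5505 %ASA-1-106021: Deny TCP reverse path check from 198.51.100.23 to 203.0.113.10 on interface outside
Nov 11 2014 09:12:02 asa5505 %ASA-1-106021: Deny TCP reverse path check from 198.51.100.23 to 203.0.113.10 on interface outside
Nov 11 2014 09:12:05 asa5505 %ASA-1-106021: Deny UDP reverse path check from 192.168.1.20 to 203.0.113.10 on interface outside
Nov 11 2014 09:12:09 asa5505 %ASA-2-106017: Deny IP due to Land Attack from 203.0.113.10 to 203.0.113.10
Nov 11 2014 09:12:11 asa5505 %ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:192.168.1.20/51000 (203.0.113.10/51000)
"""

HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)")
ADDRS = re.compile(r"\bfrom (?P<src>\d{1,3}(?:\.\d{1,3}){3})\S* to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return a record for one ASA syslog line, or None if it is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    sev = int(m.group("sev"))
    text = m.group("text")
    rec = {"severity": sev, "severity_name": SEVERITY[sev], "msgid": m.group("msgid"),
           "src": None, "dst": None, "kind": "other"}
    a = ADDRS.search(text)
    if a:
        rec["src"], rec["dst"] = a.group("src"), a.group("dst")
    low = text.lower()
    if "reverse path check" in low:
        rec["kind"] = "urpf_drop"
    elif "land attack" in low:
        # A land packet carries the same address as source and destination;
        # only count it as one when the message actually shows that.
        rec["kind"] = "land_attack" if rec["src"] and rec["src"] == rec["dst"] else "other"
    return rec


def triage(log_text, max_severity=2):
    """Summarise messages at or above max_severity (lower number = more severe)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    urgent = [r for r in records if r["severity"] <= max_severity]
    urpf_sources = Counter(r["src"] for r in urgent if r["kind"] == "urpf_drop")
    # Dropped sources that carry one of our own inside prefixes are spoofed
    # (or a routing misconfiguration), which is what the reverse-path message means.
    spoofed_inside = sorted(s for s in urpf_sources
                            if s and any(ipaddress.ip_address(s) in n for n in INSIDE_NETS))
    return {
        "total": len(records),
        "urgent": len(urgent),
        "by_kind": dict(Counter(r["kind"] for r in urgent)),
        "urpf_sources": dict(urpf_sources),
        "spoofed_inside_sources": spoofed_inside,
        "land_attacks": [(r["src"], r["dst"]) for r in urgent if r["kind"] == "land_attack"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The per-source counts answer the "how much traffic is it?" question from the first reply: a handful of reverse-path drops from many sources is background noise, while a sustained count from one source, or a dropped source that belongs to your own inside network, is what deserves a filter at the upstream or a look at the routing table.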
 

Author Closing Comment

by:ShawnGray
ID: 40437523
Excellent; thank you