Solved

ASA 5505 - Severity 1: An attack is in progress

Posted on 2014-11-11
338 Views
Last Modified: 2014-11-12
I'm getting a lot of severity 1 - attack in progress on my ASA 5505:
Deny TCP reverse path check from xx.xx.xx.xx (external ip) to outside interface

I'm new to these logs; severity 1 seems serious.
Are these common? Should I be concerned, or is the ASA just doing its job and telling me about it?

Any suggestions or input would be appreciated.
Question by:ShawnGray
5 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 40437121
Sounds like someone is directing spoofed traffic at your device; you have unicast reverse-path forwarding on and your device is dropping the traffic. Unfortunately this is too common today. It sounds like someone is attacking, but your configuration is working to stop this unwanted traffic. How much traffic is it?


Does the ASA add a SHUN for the attacking sources?


harbor235 ;}
 
LVL 62

Expert Comment

by:btan
ID: 40437151
You can verify what is contributing to this msg also with "ip verify reverse-path interface ....". The msg is supposed to mean that the interface stated received a packet with a source address matching a known inside network address. The intent is to verify that the source address is not spoofed, and likely there is some config issue. You may want to catch these, talking about uRPF with the symptoms that trigger it:
an incoming packet on that specific interface sourced from an address that does not exist in the routing table, or exists but with an exit path toward another interface than the one on which it arrives
or
In your case you have "ip verify reverse-path interface outside" and "ip verify reverse-path interface Inside" enabled on both the outside and inside interfaces, so what happens is that when an incoming packet arrives at the outside and/or inside interface it is subject to the source validity check (uRPF): if a route exists for that packet flow it is passed through; otherwise, if a route does not exist, or exists but does not match the flow, the packet is denied.
https://learningnetwork.cisco.com/thread/65566
https://supportforums.cisco.com/discussion/11678641/deny-tcpicmp-reverse-path-check-interface-inside
 

Author Comment

by:ShawnGray
ID: 40437199
Harbor235 - We had some malicious stuff on the inside of the network which was creating a shun for a couple of local machines.  They're clean and I haven't seen any issues with that.  I have not seen a shun since.

btan - thank you for the input; I'll dig in to these.

Interestingly, I've received a severity 2 "deny IP due to land attack from 'outfacing ip' to the same 'outfacing ip'".
How can that happen? btan, wondering if this could be related to what you are suggesting?

Thank you both,
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40437502
You can check out the severity levels, e.g. alert = sev1 and critical = sev2:
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html#3

Ref also this http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html
In Land attacks, the attacker sends the victim a TCP SYN packet that contains the same IP address as the source and destination addresses. Such a packet completely locks the victim's system. This is different, as the Cisco device is under denial of service, the intent being to bring it down to no services, compared to the previous one, which is more IP spoofing, and service is still running. Of course the source IP can be spoofed to trigger a land attack, but that is effort on the adversary's side.

But overall, check out the article for mitigation measures that primarily look into filtering source IP (which can be for the prev alert sev1 if that is not due to misconfig), filtering service (rid those unnecessary ports for exploitation) and filtering dest IP (safeguarded target systems or machines). The Best Current Practices (BCP) 38 in RFC 2827 is one area to look at too. You can find out more in the Cisco best practice guide below on the topic of anti-spoofing (has uRPF and BCP 38).
http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html#_Toc332806006
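As an added illustration (not code from this thread or from Cisco), here is a small Python model of the two checks discussed above: the uRPF source check btan describes (packet passes only if the route back to its source points out the interface it arrived on) and the land-attack check from the accepted solution (source equals destination). The routing table and interface names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for a two-interface firewall (assumption, not from the thread).
# (prefix, exit interface); the default route points out "outside".
ROUTES = [
    ("192.168.1.0/24", "inside"),
    ("203.0.113.0/29", "outside"),  # the outside interface's own subnet
    ("0.0.0.0/0", "outside"),       # default route
]


def best_route(src):
    """Longest-prefix match: return the exit interface for src, or None if unrouted."""
    best = None
    for prefix, iface in ROUTES:
        net = ip_network(prefix)
        if ip_address(src) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_check(src, in_iface):
    """Strict uRPF as 'ip verify reverse-path interface <name>' applies it."""
    exit_iface = best_route(src)
    if exit_iface is None:
        return False, "no route to source"
    if exit_iface != in_iface:
        return False, f"route to source exits {exit_iface}, not {in_iface}"
    return True, "ok"


def land_check(src, dst):
    """Land attack: source and destination address are identical."""
    return src == dst


def classify(src, dst, in_iface):
    """Return (severity, message) mirroring the two alerts from the thread, or (None, 'permit')."""
    if land_check(src, dst):
        return 2, f"Deny IP due to land attack from {src} to {dst}"
    ok, why = urpf_check(src, in_iface)
    if not ok:
        return 1, f"Deny TCP reverse path check from {src} to {dst} on interface {in_iface} ({why})"
    return None, "permit"
```

A packet arriving on outside with an inside source (192.168.1.10) is the sev1 case; a packet whose source equals the outside interface address is the sev2 case.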
 

Author Closing Comment

by:ShawnGray
ID: 40437523
Excellent; thank you
