ShawnGray
 asked on

ASA 5505 - Severity 1: An attack is in progress

I'm getting a lot of severity 1 - attack in progress on my ASA 5505:
Deny TCP reverse path check from xx.xx.xx.xx (external ip) to outside interface

I'm new to these logs; severity 1 seems serious.
Are these common? Should I be concerned, or is the ASA just doing its job and telling me about it?

Any suggestions or input would be appreciated.
Cisco, Hardware Firewalls


8/22/2022 - Mon
harbor235

Sounds like someone is directing spoofed traffic at your device; you have unicast reverse-path forwarding on and your device is dropping the traffic. Unfortunately this is too common today, but it sounds like someone is attacking, but your configuration is working to stop this unwanted traffic. How much traffic is it?


Does the ASA add a SHUN for the attacking sources?


harbor235 ;}
btan

You can also verify what is contributing to this msg with "ip verify reverse-path interface ....". The msg is supposed to alert that the interface stated received a packet with a source address matching a known inside network address. The intent is to verify that the source address is not spoofed, and likely there is some config issue. You may want to catch these, which talk about uRPF and the symptoms that trigger it:
an incoming packet on that specific interface sourced from an address that does not exist in the routing table, or exists but with an exit path toward an interface other than the one on which it arrives
or
In your case you have either "ip verify reverse-path interface outside" and "ip verify reverse-path interface Inside" feature enabled on both outside and inside interfaces, so what happens is that when an incoming packet arrives at the outside and/or inside interface it is subject to the source validity check (uRPF). If a route exists for that packet flow it is passed through; otherwise, if a route does not exist, or exists but does not match the flow, the packet is denied.
https://learningnetwork.cisco.com/thread/65566
https://supportforums.cisco.com/discussion/11678641/deny-tcpicmp-reverse-path-check-interface-inside
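
The source-validity check described in the reply above, as a small Python model. This is an added example, not part of the thread and not Cisco's implementation; the routing table, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table (assumption): (prefix, interface the route points out of).
ROUTES = [
    ("0.0.0.0/0", "outside"),        # default route
    ("192.168.1.0/24", "inside"),
    ("10.10.0.0/16", "inside"),
]

def best_route(table, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    nets = [(ipaddress.ip_network(p), ifc) for p, ifc in table]
    hits = [(n, ifc) for n, ifc in nets if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def urpf_check(table, src, ingress):
    """Strict check: the route back to src must point out the ingress interface."""
    route = best_route(table, src)
    if route is None:
        return ("deny", "no route to source")
    net, ifc = route
    if ifc != ingress:
        return ("deny", f"route {net} points to {ifc}, packet arrived on {ingress}")
    return ("permit", f"route {net} points to {ingress}")

# Constructed packets: (source address, interface the packet arrived on).
SAMPLES = [
    ("203.0.113.7", "outside"),   # internet host, covered by the default route
    ("192.168.1.50", "outside"),  # inside address seen on outside: spoofed or misrouted
    ("192.168.1.50", "inside"),   # normal inside host
    ("172.16.5.5", "inside"),     # unknown subnet behind inside: missing static route
]

if __name__ == "__main__":
    for src, ifc in SAMPLES:
        verdict, why = urpf_check(ROUTES, src, ifc)
        print(f"{src:>15} on {ifc:<8} {verdict:<7} {why}")
```

The last sample is the configuration-issue case: a legitimate subnet reachable through the inside interface is denied until a route for it pointing to that interface exists.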
ShawnGray

ASKER
Harbor235 - We had some malicious stuff on the inside of the network which was creating a shun for a couple of local machines.  They're clean and I haven't seen any issues with that.  I have not seen a shun since.

btan - thank you for the input; I'll dig into these.

Interestingly, I've received a severity 2 "deny IP due to land attack from 'outfacing ip' to the same 'outfacing ip'".
How can that happen? btan, wondering if this could be related to what you are suggesting?

Thank you both,
ASKER CERTIFIED SOLUTION
btan

ShawnGray

ASKER
Excellent; thank you