
ASA 5505 - Severity 1: An attack is in progress

Posted on 2014-11-11
361 Views
Last Modified: 2014-11-12
I'm getting a lot of severity 1 - attack in progress on my ASA 5505:
Deny TCP reverse path check from xx.xx.xx.xx (external ip) to outside interface

I'm new to these logs; severity 1 seems serious.
Are these common? Should I be concerned, or is the ASA just doing its job and telling me about it?

Any suggestions or input would be appreciated.
Question by:ShawnGray
5 Comments

Expert Comment

by:harbor235
ID: 40437121
Sounds like someone is directing spoofed traffic at your device; you have unicast reverse-path forwarding on and
your device is dropping the traffic. Unfortunately this is all too common today, but while it sounds like someone is attacking, your configuration is working to stop this unwanted traffic. How much traffic is it?


Does the ASA add a SHUN for the attacking sources?


harbor235 ;}

Expert Comment

by:btan
ID: 40437151
You can verify what is contributing to this message with "ip verify reverse-path interface ....". The message is supposed to mean that the stated interface received a packet with a source address matching a known inside network address. The intent is to verify that the source address is not spoofed, and likely there is some config issue. You may want to catch these discussions about uRPF and the symptom that triggers it:
an incoming packet on that specific interface sourced from an address that does not exist in the routing table, or exists but with an exit path toward another interface than the one on which it arrives,
or,
in your case, you have the "ip verify reverse-path interface outside" and "ip verify reverse-path interface Inside" features enabled on the outside and inside interfaces, so what happens is that when an incoming packet arrives at the outside and/or inside interface it is subject to the source validity check (uRPF): if a route exists for that packet flow it is passed through; otherwise, if a route does not exist, or exists but does not match the flow, the packet is denied.
https://learningnetwork.cisco.com/thread/65566
https://supportforums.cisco.com/discussion/11678641/deny-tcpicmp-reverse-path-check-interface-inside

Author Comment

by:ShawnGray
ID: 40437199
Harbor235 - We had some malicious stuff on the inside of the network which was creating a shun for a couple of local machines.  They're clean and I haven't seen any issues with that.  I have not seen a shun since.

btan - thank you for the input; I'll dig in to these.

Interestingly, I've received a severity 2 "deny IP due to land attack from 'outfacing ip' to the same 'outfacing ip'".
How can that happen? btan, I'm wondering if this could be related to what you are suggesting?

Thank you both,
Accepted Solution

by: btan (earned 500 total points)
ID: 40437502
You can check out the severity levels, e.g. alert = sev 1 and critical = sev 2:
http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html#3

Refer also to this: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-4/dos_attacks.html
In Land attacks, the attacker sends the victim a TCP SYN packet that contains the same IP address as the source and destination addresses. Such a packet completely locks the victim's system. This is different: here it is the Cisco device under denial of service, with the intent to bring it down so it offers no services, compared to the previous one, which is more of an IP spoofing case where the service is still running. Of course the source IP can be spoofed to trigger a land attack, but that is effort on the adversary's part.

But overall, check out the article for mitigation measures, which primarily look into filtering the source IP (which can apply to the previous sev 1 alert if it is not due to misconfiguration), filtering services (getting rid of unnecessary ports open to exploitation) and filtering the destination IP (safeguarding the target systems or machines). Best Current Practice (BCP) 38, RFC 2827, is one area to look at too. You can find out more in the Cisco best practice guide below on the topic of anti-spoofing (it covers uRPF and BCP 38).
http://www.cisco.com/web/about/security/intelligence/firewall-best-practices.html#_Toc332806006
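The two checks discussed in this thread (the strict uRPF reverse-path check in btan's comment 40437151, and the LAND check plus BCP 38 style anti-spoofing in the accepted solution) are easy to model in a few lines. What follows is an added example written for this page; it is not Cisco code and not something posted in the thread. It assumes a constructed routing table and interface names, models strict uRPF as "the best route back to the source must leave through the interface the packet arrived on", and goes one step beyond the thread by also showing the inside-interface case, where uRPF gives you BCP 38 egress filtering (an inside host cannot send with a foreign source address). The syslog message IDs 106021 and 106017 and the %ASA-severity-id prefix are from my own knowledge of ASA syslog, not from the thread, and every log line and address below is constructed.

```python
"""Model of the ASA source-address checks behind the messages in this thread.

Added example, not Cisco code. Assumptions not stated in the thread:
  - strict uRPF ('ip verify reverse-path interface <name>'): a packet passes only
    if the longest-prefix route back to its source exits via the ingress
    interface; the default route makes any public source valid on 'outside'.
  - LAND check: source and destination address are identical.
  - message IDs 106021 / 106017 and the '%ASA-<sev>-<id>' prefix are from my own
    knowledge of ASA syslog; routes, addresses and log lines are constructed.
"""
from collections import Counter
from ipaddress import ip_address, ip_network
import re

# Constructed routing table: (prefix, egress interface). Longest match wins.
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside"),
    (ip_network("192.168.1.0/24"), "inside"),
    (ip_network("10.10.0.0/16"), "dmz"),
]

# Standard syslog severities; the thread mentions 1 = alert and 2 = critical.
SEVERITY_NAMES = {0: "emergencies", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}


def egress_interface(addr: str):
    """Longest-prefix match over ROUTES: the interface a reply to addr would leave by."""
    a = ip_address(addr)
    best = max((r for r in ROUTES if a in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def urpf_strict_ok(src: str, ingress: str) -> bool:
    """Strict uRPF: the route back to src must point out of the interface the packet came in on."""
    return egress_interface(src) == ingress


def is_land(src: str, dst: str) -> bool:
    """LAND packet: same host as source and destination."""
    return ip_address(src) == ip_address(dst)


def check_packet(proto: str, src: str, dst: str, ingress: str):
    """Return ('permit'|'deny', syslog line or ''). Check order is a choice of this model."""
    if is_land(src, dst):
        return "deny", f"%ASA-2-106017: Deny IP due to Land Attack from {src} to {dst}"
    if not urpf_strict_ok(src, ingress):
        return "deny", (f"%ASA-1-106021: Deny {proto} reverse path check from {src} "
                        f"to {dst} on interface {ingress}")
    return "permit", ""


# Constructed packets covering the cases discussed in the thread.
SAMPLE_PACKETS = [
    ("TCP", "198.51.100.7", "203.0.113.10", "outside"),   # ordinary Internet source: permit
    ("TCP", "192.168.1.20", "203.0.113.10", "outside"),   # our inside prefix arriving from outside: spoofed
    ("TCP", "198.51.100.7", "198.51.100.9", "inside"),    # inside host with foreign source: BCP 38 egress drop
    ("TCP", "203.0.113.10", "203.0.113.10", "outside"),   # LAND: outside address to itself
]


def run_samples(packets=SAMPLE_PACKETS):
    """Run the model over the sample packets and return the syslog lines it would emit."""
    return [log for _verdict, log in (check_packet(*p) for p in packets) if log]


# Triage side: answer "how much traffic is it, and from where?" from the log.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): .*?from (?P<src>[\d.]+) to (?P<dst>[\d.]+)")


def triage(lines):
    """Count (severity name, message id, source) over raw syslog lines; non-matching lines are ignored."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            counts[(SEVERITY_NAMES[int(m["sev"])], m["msgid"], m["src"])] += 1
    return counts


def per_source(counts):
    """Collapse triage counts to total denies per source address, loudest first."""
    totals = Counter()
    for (_sev, _msgid, src), n in counts.items():
        totals[src] += n
    return totals.most_common()


if __name__ == "__main__":
    logs = run_samples()
    for line in logs:
        print(line)
    for src, n in per_source(triage(logs)):
        print(f"{src}: {n} denies")
```

The second and third sample packets are the useful contrast: the same reverse-path check message covers both a spoofed internal address arriving on the outside interface and an inside host trying to leave with an address that is not yours, which is why turning it on on the inside interface is the BCP 38 part of the story. A single source that dominates the per-source totals is the one to consider shunning or reporting; a misconfigured route shows up instead as a steady stream from legitimate addresses.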

Author Closing Comment

by:ShawnGray
ID: 40437523
Excellent; thank you