Cisco ASA 5510 ASDM Syslog messages showing large Deny hits but why

Posted on 2015-02-19
Medium Priority
Last Modified: 2015-03-06
I have recently been looking over the Syslog from the Cisco ASA firewall and I see a lot of hits coming from one or two different IP address that hit all my IP address (class c public) scanning for port 80. I did a whois lookup on the IP and from what I see its coming from China. Its also an IP address that is listed in the Anti-Hacker website when I google searched it.

However one of them was from a company in NJ called Interserver, INC

Why would they try and hit all my IP address we own on port 80, what are they looking for, is this considered a DDOS attack.

I'm new to the Cisco ASA and just can't understand the Syslog that well and what its actually doing to my network.

They are all getting Denys however the Interserver, INC was able to get into my Avaya IP office system

Are these Spam mails trying to see where my Mail Server resides on? Is this flooding my network?

Thank you for any help you can provide
Question by:Neogeo147
  • 4
  • 3

Expert Comment

ID: 40619373
First, don't panic. There are a lot of infected machines, networks (botnets) etc, which are trying to get into your network. They try to scan:
- your public IP network
- all or at least very popular ports ( 22 - ssh, 23 - telnet, 25 - smtp, 80 - http, 443 - https, 1433 - sql, 1521 - oracle, 3389 - remote desktop)

This is machine made, as long as you have proper ACL filter declared on your ASA for inbound traffic, you don't need to panic. Internet is like a jungle, there are a lof of nice guys and unfortunatelly also a lot of bad guys.

If you have mail server, I hope you also have antispam and antivirus mail appliance - on this box you define which RBL would you like to check for spam (spamhaus, spamcop...).

You can set so called honeypot machines if you have time to play with these traffic.


For your internal LAN it is much more important that you patch clients and servers to all kind of vulnerabilities. Attackers today are waiting for victims to get to infected server and then try to inject evil code to your client.

Author Comment

ID: 40619421
So should I contact this Interserver, INC company and ask why they are blasting my Firewall scanning for open ports, etc... or is that a bad idea?

I have a barracuda in place but I still need an Antispam and antivirus for my mail appliance correct? Any good suggestions, I used to run Symantec Mail Security on my 2003 machine but now its a 2008 machine.

Expert Comment

ID: 40619453
You don't need to contact Interserver, they have nothing to do with these spammer machine. It is infected, waste of time.

Which model of Barracuda do you have?

If you have mail appliance in front of your mail server (DMZ zone), then you don't need Mail Security on 2003/2008 machine.
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!


Author Comment

ID: 40619489
Barracuda spam and virus firewall 300 (in the DMZ)

Accepted Solution

Matt earned 2000 total points
ID: 40619502
You already have antispam and antivirus appliance, Barracuda will do the work. On Barracuda try to find antispam settings and there RBL settings.

Look here:


Subscribing to External Blocklist Services

Author Closing Comment

ID: 40649507
Thanks for you for your help, sorry for the late acceptance.

Expert Comment

ID: 40649521
No problem.

Have a nice weekend.


Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
2017 was a scary year for cyber security.  Hear what our security experts say that hackers have in store for us in 2018.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question