Amicuk Programming Answers

Duplicate SYN attacks from Outside to Outside

Hi Everyone,
We have an FTP server that sits in our DMZ.  This server has a DMZ interface and an external interface.  When trying to access the server from the internet on its external address I am getting a lot of Duplicate SYN attacks.  They all seem to be coming from the same source and port to the same destination and port.
As part of the testing I first took out any references to the FTP server in my access rules on the ASA.  I then tried to FTP to the server from an outside internet connection and, as expected, got the following in the log:

4  Mar 01 2013  10:23:18  194.80.130.xx  46867  78.24.112.XX  21  Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]

I then highlighted this entry and created an access rule for it (but changed the source port to any rather than a specific one).  When I then try to FTP to the server I get lots of SYN attacks, which say the following:

4  Mar 01 2013  10:27:29  194.80.130.XX  46973  78.24.112.XX  21  Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number

I am not sure why I am getting duplicate SYN attacks.  I have similar servers in the DMZ that do the same thing and they seem to be working fine.  I am pretty sure this is not actually a DOS attack.  I have also spoken to the team who manage the server and they have confirmed that the external IP is set up correctly on the server (it's not that the external IP does not exist and just loops).
There is also NAT'ing set up on the ASA that NATs the DMZ IP to the external IP and vice versa.
I have also noticed that whenever I create a new rule on the outside interface on my ASA it automatically adds the same description from another rule on the outside interface.  What does this mean?  Why could it be copying a description from another rule?
Your advice would be much appreciated.

The reply answer
Output from packet-tracer to outside address 78.24.112.xx
It seems as though the NAT to the DMZ address is just not working.  I have set up a "before network object NAT" rule and also set a simple object NAT, but I am still getting the error.

Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_7 any object csdpr1ft-ext
object-group service DM_INLINE_SERVICE_7
service-object tcp destination eq ssh
service-object ip
service-object tcp destination eq ftp
Additional Information:

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:

Phase: 4
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 26135657, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: allow
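
A log-triage sketch for the two messages quoted in the question, added here as an example and not part of the original thread: it parses the `interface:address/port` endpoints and counts flows whose source and destination interface are the same, the pattern both messages show and that the reply attributes to the NAT to the DMZ address not working. The function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import Counter

# An endpoint as the firewall prints it: interface:address/port.
# x/X are accepted in the address so redacted octets still parse.
EP = r"(?P<{0}if>[\w-]+):(?P<{0}ip>[0-9A-Fa-f.:xX]+)/(?P<{0}port>\d+)"

PATTERNS = {
    "deny": re.compile(
        "Deny tcp src " + EP.format("s") + " dst " + EP.format("d")
        + " by access-group"),
    "dup_syn": re.compile(
        "Duplicate TCP SYN from " + EP.format("s") + " to " + EP.format("d")
        + " with different initial sequence number"),
}

def parse(line):
    """Return the message kind and both endpoints, or None if no match."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def same_interface_flows(lines):
    """Count events where ingress and egress interface are identical.

    The source port is left out of the key so client retries from new
    ephemeral ports aggregate into one flow.
    """
    hits = Counter()
    for line in lines:
        ev = parse(line)
        if ev and ev["sif"] == ev["dif"]:
            key = (ev["kind"], ev["sif"], ev["sip"], ev["dip"], int(ev["dport"]))
            hits[key] += 1
    return hits

SAMPLE = [
    # The two messages from the question, addresses redacted as posted.
    'Deny tcp src outside:194.80.130.XX/46867 dst outside:78.24.112.XX/21 by access-group "outside_access_in" [0x0, 0x0]',
    'Duplicate TCP SYN from outside:194.80.130.XX/46973 to outside:78.24.112.XX/21 with different initial sequence number',
    # Constructed lines: a retry from another source port, and a flow
    # that does leave through a different interface (documentation IPs).
    'Duplicate TCP SYN from outside:194.80.130.XX/46974 to outside:78.24.112.XX/21 with different initial sequence number',
    'Deny tcp src outside:192.0.2.10/50000 dst dmz:198.51.100.5/21 by access-group "outside_access_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for key, count in same_interface_flows(SAMPLE).items():
        print(count, key)
```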
