Hi,
I have a pix 515 (not e), running 6.3.5, that I manage; and last week
I noticed a couple of spikes that caught my attention. (This pix is
still in limited production - thus the lack of traffic.)
From looking at MRTG it looks to me like a small amount of traffic -
2.4 MB - is entering intf2 (faces the Internet on this fw) and
generating 25MB spikes on both the inside and outside interfaces.
There is only one rule on intf2: "deny ip any any log 7". Responses to
ICMP directed at the interface are blocked. SSH from two addresses is
permitted to the interface.
I also see a steep memory usage spike at the same time on the pix.
I monitor the switch just inside the "inside" interface of the pix,
and it recorded no traffic at all at the time of the spike(s). (I want
to think this is goodness.)
The capture of the traffic on intf2 around the time of the latest spike is:
(The spike occurred just prior to 20:00:00)
INTF2_ADDR is a replacement for the firewall's Internet-facing address
19:46:39.314589 IP (tos 0x40, ttl 108, id 20485, offset 0, flags
[none], proto: ICMP (1), length: 92) 67.53.60.11 > INTF2_ADDR: ICMP
echo request, id 512, seq 54435, length 72
19:58:44.033064 IP (tos 0x0, ttl 106, id 44786, offset 0, flags
[none], proto: UDP (17), length: 404) 61.189.223.107.1148 >
INTF2_ADDR.1434: UDP, length 376
19:59:44.814868 IP (tos 0x0, ttl 44, id 277, offset 0, flags [none],
proto: UDP (17), length: 404) 59.37.66.7.3557 > INTF2_ADDR.1434: UDP,
length 376
20:04:31.665874 IP (tos 0x0, ttl 49, id 0, offset 0, flags [DF],
proto: UDP (17), length: 388) 204.16.208.74.54224 > INTF2_ADDR.1026:
UDP, length 360
20:05:19.583679 IP (tos 0x0, ttl 117, id 11500, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3924 > INTF2_ADDR.135: S,
cksum 0xe0fc (correct), 1744900541:1744900541(0) win 65535 <mss
1460,nop,nop,sackOK>
20:05:19.583755 IP (tos 0x0, ttl 255, id 53805, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.135 >
67.51.196.70.3924: R, cksum 0xe0e9 (correct), 0:0(0) ack 1744900542
win 65535 <mss 1460,nop,nop,sackOK>
20:05:20.106363 IP (tos 0x0, ttl 117, id 11629, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3924 > INTF2_ADDR.135: S,
cksum 0xe0fc (correct), 1744900541:1744900541(0) win 65535 <mss
1460,nop,nop,sackOK>
20:05:20.106409 IP (tos 0x0, ttl 255, id 53806, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.135 >
67.51.196.70.3924: R, cksum 0xe0e9 (correct), 0:0(0) ack 1 win 65535
<mss 1460,nop,nop,sackOK>
20:05:20.664836 IP (tos 0x0, ttl 117, id 11775, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3924 > INTF2_ADDR.135: S,
cksum 0xe0fc (correct), 1744900541:1744900541(0) win 65535 <mss
1460,nop,nop,sackOK>
20:05:20.664897 IP (tos 0x0, ttl 255, id 53807, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.135 >
67.51.196.70.3924: R, cksum 0xe0e9 (correct), 0:0(0) ack 1 win 65535
<mss 1460,nop,nop,sackOK>
20:06:18.407647 IP (tos 0x0, ttl 117, id 28690, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3129 > INTF2_ADDR.139: S,
cksum 0xe4b7 (correct), 1891502172:1891502172(0) win 65535 <mss
1460,nop,nop,sackOK>
20:06:18.407709 IP (tos 0x0, ttl 255, id 53830, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.139 >
67.51.196.70.3129: R, cksum 0xe4a4 (correct), 0:0(0) ack 1891502173
win 65535 <mss 1460,nop,nop,sackOK>
20:06:19.033109 IP (tos 0x0, ttl 117, id 28847, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3129 > INTF2_ADDR.139: S,
cksum 0xe4b7 (correct), 1891502172:1891502172(0) win 65535 <mss
1460,nop,nop,sackOK>
20:06:19.033186 IP (tos 0x0, ttl 255, id 53831, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.139 >
67.51.196.70.3129: R, cksum 0xe4a4 (correct), 0:0(0) ack 1 win 65535
<mss 1460,nop,nop,sackOK>
20:06:19.557420 IP (tos 0x0, ttl 117, id 29000, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3129 > INTF2_ADDR.139: S,
cksum 0xe4b7 (correct), 1891502172:1891502172(0) win 65535 <mss
1460,nop,nop,sackOK>
20:06:19.557481 IP (tos 0x0, ttl 255, id 53832, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.139 >
67.51.196.70.3129: R, cksum 0xe4a4 (correct), 0:0(0) ack 1 win 65535
<mss 1460,nop,nop,sackOK>
20:13:27.084605 IP (tos 0x0, ttl 108, id 52405, offset 0, flags [DF],
proto: TCP (6), length: 48) 69.182.139.230.3239 > INTF2_ADDR.4899: S,
cksum 0x3a3e (correct), 2171128073:2171128073(0) win 64512 <mss
1452,nop,nop,sackOK>
20:13:27.084681 IP (tos 0x0, ttl 255, id 53933, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.4899 >
69.182.139.230.3239: R, cksum 0x3a2b (correct), 0:0(0) ack 2171128074
win 64512 <mss 1452,nop,nop,sackOK>
20:13:27.661907 IP (tos 0x0, ttl 108, id 52794, offset 0, flags [DF],
proto: TCP (6), length: 48) 69.182.139.230.3239 > INTF2_ADDR.4899: S,
cksum 0x3a3e (correct), 2171128073:2171128073(0) win 64512 <mss
1452,nop,nop,sackOK>
20:13:27.661968 IP (tos 0x0, ttl 255, id 53934, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.4899 >
69.182.139.230.3239: R, cksum 0x3a2b (correct), 0:0(0) ack 1 win 64512
<mss 1452,nop,nop,sackOK>
The first packet is ICMP and I thought it had an odd payload, all
"a"s, lower case. Is that a standard payload?
0000 00 02 b3 c1 7a b2 00 0e 39 88 20 08 08 00 45 40 ....z...9. ...E@
0010 00 5c 50 05 00 00 6c 01 6e 0c 43 35 3c 0b 43 33 .\P...l.n.C5<.C3
0020 cd dc 08 00 cc 06 02 00 d4 a3 aa aa aa aa aa aa ................
0030 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................
0040 aa aa aa aa ....
I'm posting this in the hope that someone can help me understand if
this pattern of scans is indicative of any particular attack - is this
a type of teardrop attack?
Thanks,
Nick
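Added example (not part of Nick's post): a small Python script that reads tcpdump -v output of the kind quoted above and answers the questions a first triage would ask. The sample capture and hex dump embedded in it are transcribed from the post (INTF2_ADDR kept as the placeholder), and the port annotations are general knowledge about which services those ports belong to, not a finding about these particular sources. Three points worth checking in the output: the replies with TTL 255 and source INTF2_ADDR are generated by the firewall itself, so the RSTs show the PIX answering SYNs to its own address; a teardrop attack is built from overlapping IP fragments, and every packet in the capture has offset 0 and no MF flag, so this pattern is not one; and the ICMP payload in the hex dump is the byte 0xaa repeated, which is not the ASCII letter "a" (0x61), as the dotted ASCII column on the right shows. A handful of small probes like these also cannot account for a 25 MB burst on the inside and outside interfaces, so the spike itself should be correlated with the PIX syslog and its show traffic / show memory counters rather than with this capture alone.

```python
"""Added example (not from the original post): parse the quoted tcpdump -v capture,
separate inbound probes from the firewall's own replies, annotate well-known probe
ports, check for IP fragmentation (teardrop needs fragments) and decode the ICMP payload."""
import re
from collections import Counter
from itertools import takewhile

FW_ADDR = "INTF2_ADDR"  # placeholder for the firewall's Internet-facing address

PORT_NOTES = {  # general knowledge about these ports; the senders' intent is an assumption
    ("UDP", 1434): "MS SQL resolution service (port hit by the 2003 Slammer worm)",
    ("UDP", 1026): "Windows Messenger service (popup-spam target)",
    ("TCP", 135): "MS RPC endpoint mapper (port hit by Blaster-era worms)",
    ("TCP", 4899): "Radmin remote-control default port",
}

# Constructed sample input: an excerpt of the capture quoted in the post.
CAPTURE = """\
19:46:39.314589 IP (tos 0x40, ttl 108, id 20485, offset 0, flags
[none], proto: ICMP (1), length: 92) 67.53.60.11 > INTF2_ADDR: ICMP
echo request, id 512, seq 54435, length 72
19:58:44.033064 IP (tos 0x0, ttl 106, id 44786, offset 0, flags
[none], proto: UDP (17), length: 404) 61.189.223.107.1148 >
INTF2_ADDR.1434: UDP, length 376
20:05:19.583679 IP (tos 0x0, ttl 117, id 11500, offset 0, flags [DF],
proto: TCP (6), length: 48) 67.51.196.70.3924 > INTF2_ADDR.135: S,
cksum 0xe0fc (correct), 1744900541:1744900541(0) win 65535 <mss
1460,nop,nop,sackOK>
20:05:19.583755 IP (tos 0x0, ttl 255, id 53805, offset 0, flags
[none], proto: TCP (6), length: 48) INTF2_ADDR.135 >
67.51.196.70.3924: R, cksum 0xe0e9 (correct), 0:0(0) ack 1744900542
win 65535 <mss 1460,nop,nop,sackOK>
"""

# Constructed sample input: the ICMP frame hex dump quoted in the post.
HEXDUMP = r"""
0000 00 02 b3 c1 7a b2 00 0e 39 88 20 08 08 00 45 40 ....z...9. ...E@
0010 00 5c 50 05 00 00 6c 01 6e 0c 43 35 3c 0b 43 33 .\P...l.n.C5<.C3
0020 cd dc 08 00 cc 06 02 00 d4 a3 aa aa aa aa aa aa ................
0030 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ................
0040 aa aa aa aa ....
"""

# A record is a timestamp line plus the wrapped continuation lines that follow it.
RECORD_SPLIT = re.compile(r"^\d\d:\d\d:\d\d\.\d+ .*?(?=^\d\d:\d\d:\d\d\.\d+ |\Z)", re.M | re.S)
FIELDS = re.compile(
    r"ttl (?P<ttl>\d+), id \d+, offset (?P<off>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto: (?P<proto>\w+) \(\d+\), length: \d+\) (?P<src>\S+) > (?P<dst>[^:]+): ")


def endpoint(e, proto):
    """'1.2.3.4.80' -> ('1.2.3.4', 80); ICMP endpoints carry no port."""
    host, _, port = e.rpartition(".")
    return (e, None) if proto == "ICMP" else (host, int(port))


def parse(text):
    pkts = []
    for chunk in RECORD_SPLIT.finditer(text):
        rec = " ".join(chunk.group().split())  # undo tcpdump's line wrapping
        m = FIELDS.search(rec)
        assert m, "unparsed record: " + rec
        d = m.groupdict()
        (src, sport), (dst, dport) = endpoint(d["src"], d["proto"]), endpoint(d["dst"], d["proto"])
        pkts.append(dict(ttl=int(d["ttl"]), offset=int(d["off"]), flags=d["flags"],
                         proto=d["proto"], src=src, sport=sport, dst=dst, dport=dport))
    return pkts


def summarize(pkts):
    """Inbound probes by (proto, port) versus packets the firewall itself generated."""
    inbound = [p for p in pkts if p["dst"] == FW_ADDR]
    replies = [p for p in pkts if p["src"] == FW_ADDR]
    probes = Counter((p["proto"], p["dport"]) for p in inbound)
    return {"inbound": len(inbound), "fw_replies": len(replies),
            "fw_reply_ttls": sorted({p["ttl"] for p in replies}), "probes": dict(probes),
            "notes": {k: PORT_NOTES.get(k, "no well-known association") for k in probes}}


def fragmented(pkts):
    """Teardrop-style attacks need IP fragments: nonzero offset or the MF flag ('+')."""
    return [p for p in pkts if p["offset"] != 0 or "+" in p["flags"]]


def parse_hexdump(text):
    """Bytes from 'offset b0 .. b15 ascii' lines, stopping before the ASCII column."""
    hex2 = re.compile(r"[0-9a-fA-F]{2}").fullmatch
    data = bytearray()
    for line in text.splitlines():
        toks = line.split()
        data += bytes(int(t, 16) for t in takewhile(hex2, toks[1:17]))
    return bytes(data)


def icmp_payload(frame):
    """Ethernet II (14 bytes) + IPv4 header (IHL*4) + 8-byte ICMP header -> (header, payload)."""
    assert frame[12:14] == b"\x08\x00", "not an IPv4 frame"
    icmp = frame[14 + (frame[14] & 0x0F) * 4:]
    hdr = {"type": icmp[0], "code": icmp[1], "id": int.from_bytes(icmp[4:6], "big"),
           "seq": int.from_bytes(icmp[6:8], "big")}
    return hdr, icmp[8:]


if __name__ == "__main__":
    s = summarize(parse(CAPTURE))
    for key, n in sorted(s["probes"].items(), key=str):
        print(f"{key[0]}/{key[1]}: {n} inbound; {s['notes'][key]}")
    print("firewall replies:", s["fw_replies"], "fragmented:", len(fragmented(parse(CAPTURE))))
    print("ICMP payload bytes:", sorted(set(icmp_payload(parse_hexdump(HEXDUMP))[1])))
```

The decoded ICMP header (type 8, id 512, seq 54435) matches the tcpdump summary line, which is a quick way to confirm the hex dump and the capture line describe the same packet; the dump holds only 68 of the frame's 106 bytes, so the 26 payload bytes it shows are the captured prefix of the 64-byte payload, not the whole thing.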