
Strange messages in the log file


sghezzi

Technical User
Apr 7, 2003
56
DE
hello,

I keep on seeing a lot of strange messages in our PIX 525 6.1:

%PIX-6-106015: Deny TCP (no connection) from 209.41.103.87/80 to a.b.c.d/29297 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 209.41.103.87/80 to a.b.c.d/29297 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 209.41.103.87/80 to a.b.c.d/29297 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 195.27.240.190/80 to a.b.c.d/29600 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 195.27.240.190/80 to a.b.c.d/29600 flags ACK on interface outside

What can it be?

Thanks
Silvia
 
From the Cisco error decoder:
%PIX-6-106015: Deny TCP (no connection) from IP_addr/port to IP_addr/port flags flags on interface int_name.
This message is logged when the PIX Firewall discards a TCP packet that has no associated connection in the PIX Firewall unit's connection table. PIX Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.

Recommended Action: None required unless the PIX Firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.



Todd Hethmon
thethmon@hethmon.com
 
Unsolicited ACKs... remember the typical TCP handshake sequence of events is something like..
from the source: SYN "can we talk"
from the destination: SYN/ACK "sure"
source: ACK "cool"

after which the traffic flows back and forth..

unsolicited ACKs can be used to map networks (if the IP stack is old enough)... the bad guy sends an ACK and the unsuspecting IP stack sends back a message indicating that there was not a connection, thereby confirming the presence of the now target host...

most modern stacks will ignore the unsolicited ACK... a "large volume" indicated in the Cisco documentation means that you are under attack, or someone is trying to actively probe your address space..

the first source address at 209.41.103.87 appears to be in the UniComp Technologies Corp in Dallas... an ISP in Texas... and a web connection to that address brings up the Alliance Datacom web site... the second source at 195.27.240.190 appears to be in a Cable and Wireless address space, allocated to Digital Island a global e-business organization... a web connection to this site fails with a 404 error...

Very likely these are not attacks, but are from TCP connections that have expired... is there any corollary traffic to these two addresses earlier in the log file? try using grep to search the log file for each address... and my guess is that you will find some web browsing to these addresses..

Thanks,
Bill..
Bill Farnsworth

 
Hi.

> Very likely these are not attacks, but are from TCP connections that have expired
I agree with all the previous posts, and will try to add my tips:
These messages can indicate a scan/attack, or a problem.
For example, if you reboot your pix for some reason, then you'll see these messages for sessions that were active while you rebooted.

So - you should check if the pix had a power cycle or reconfiguration at the time of the messages, that as stated above could cause expiration of the current active sessions.

Is a.b.c.d the same address each time?
Is a.b.c.d the address used by your "global" PAT statement?

Bye


Yizhar Hurwitz
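To act on Bill's suggestion (grep the log per source address) and Yizhar's question (is a.b.c.d always the same PAT address?), here is an added Python example that is not part of the thread: it parses 106015 lines, counts denials per source socket and sorts them into "expired web session", "large volume, trace the source" or "unexplained". The sample log lines, the volume threshold and the PAT address are constructed assumptions for the example, not PIX behaviour.

```python
import re
from collections import Counter

# Constructed sample lines in the 106015 format quoted in the thread; the
# addresses and ports are made up, and the last line shows that other
# message IDs are skipped.
SAMPLE_LOG = """\
Apr 07 2003 10:14:02: %PIX-6-106015: Deny TCP (no connection) from 209.41.103.87/80 to 10.0.0.5/29297 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 209.41.103.87/80 to 10.0.0.5/29297 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 195.27.240.190/80 to 10.0.0.5/29600 flags ACK on interface outside
%PIX-6-106015: Deny TCP (no connection) from 203.0.113.4/40000 to 10.0.0.9/445 flags ACK on interface outside
%PIX-6-999999: constructed non-106015 message that must be ignored
"""

MSG_106015 = re.compile(
    r"%PIX-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\S+)"
)

def parse_106015(text):
    """One dict per 106015 line (timestamp prefixes tolerated); other IDs skipped."""
    return [m.groupdict() for m in map(MSG_106015.search, text.splitlines()) if m]

def triage(events, pat_address=None, threshold=50):
    """Group denials by source socket and classify them the way the thread does.

    Returns (counts, notes): counts maps (src, sport) to the number of
    denials, notes holds one readable line per finding.  The threshold and
    the PAT check are assumptions of this example, not PIX logic."""
    counts = Counter((e["src"], e["sport"]) for e in events)
    destinations = {e["dst"] for e in events}
    notes = []
    if pat_address and destinations == {pat_address}:
        notes.append(f"every denial targets the PAT address {pat_address}: "
                     "consistent with late replies to expired outbound sessions")
    for (src, sport), n in counts.most_common():
        if n >= threshold:
            notes.append(f"{src}/{sport}: {n} unsolicited ACKs, large volume; "
                         "trace the source as the Cisco text recommends")
        elif sport in ("80", "443"):
            notes.append(f"{src}/{sport}: {n} ACKs from a web server port, likely "
                         f"an expired browsing session; grep the earlier log for {src}")
        else:
            notes.append(f"{src}/{sport}: {n} ACKs from a non-web port, "
                         "check for a reboot or config change at that time")
    return counts, notes

if __name__ == "__main__":
    _, notes = triage(parse_106015(SAMPLE_LOG), pat_address="10.0.0.5")
    print("\n".join(notes))
```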
 