ASA 5510 log messages %ASA-4-419002: Duplicate TCP SYN

Discussion in 'Cisco' started by Tilman Schmidt, Jan 31, 2008.

  1. An ASA 5510 I'm running as an IPSec gateway is producing lots of log
    messages like this:

    %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to outside:10.2.160.51/80 with different initial sequence number

    Why is this bad, or even worth reporting?

    Is the obvious solution ("no logging message 419002") also the correct one?

    TIA
    Tilman

    PS: The CCO Error Message Decoder doesn't even know that message and its
    only suggestion is I might have mistyped it.

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Jan 31, 2008
    #1
    1. Advertising

  2. * Tilman Schmidt wrote:
    > An ASA 5510 I'm running as an IPSec gateway is producing lots of log
    > messages like this:
    >
    > %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
    > outside:10.2.160.51/80 with different initial sequence number
    >
    > Why is this bad, or even worth reporting?


    TCP SYN packets might be lost and resend without modification. That's normal.

    TCP SYN packets with different sequence numbers are the way to go for
    opening TCP sessions using a spoofed source IP. This is a serious attack.
    It's hard to trace the sender, because you can't trust the src IP. So you
    have to got the routers backward in order to find the attacker.

    In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.
     
    Lutz Donnerhacke, Jan 31, 2008
    #2
    1. Advertising

  3. Lutz Donnerhacke wrote:
    > * Tilman Schmidt wrote:
    >> An ASA 5510 I'm running as an IPSec gateway is producing lots of log
    >> messages like this:
    >>
    >> %ASA-4-419002: Duplicate TCP SYN from inside:192.168.1.100/3650 to
    >> outside:10.2.160.51/80 with different initial sequence number
    >>
    >> Why is this bad, or even worth reporting?

    >
    > TCP SYN packets might be lost and resend without modification. That's normal.
    >
    > TCP SYN packets with different sequence numbers are the way to go for
    > opening TCP sessions using a spoofed source IP. This is a serious attack.
    > It's hard to trace the sender, because you can't trust the src IP. So you
    > have to got the routers backward in order to find the attacker.
    >
    > In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.


    Hmm. The guy with 192.168.1.100 is me. :)

    The network behind the ASA's inside interface is completely under my
    control, with the ASA being the only gateway, so I'm reasonably sure
    there's no source IP address spoofing going on.
    192.168.1.100 is a Windows Server 2003 I manage. It is running Tandberg
    videoconferencing management software (TMS) and nothing else. It is
    certainly running nothing that can be considered as "hacking software".
    10.2.160.51 is one of the managed conferencing devices, and these
    thingies actually do have a web interface for management, so an access
    to its port 80 from my management server is absolutely plausible too.
    In sum, this traffic is, with a probability bordering on certainty,
    legitimate.

    Should I complain to the software manufacturer for violation of RFCs?
    Which ones?

    Thx
    T.

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Feb 1, 2008
    #3
  4. * Tilman Schmidt wrote:
    > Lutz Donnerhacke wrote:
    >> In your case, I'd suspect the guy with 192.168.1.100 to run hacking software.

    >
    > Hmm. The guy with 192.168.1.100 is me. :)


    You are an bad guy, arn't you? ;-)

    > In sum, this traffic is, with a probability bordering on certainty,
    > legitimate.


    Capture the network traffic and ask Daniel Rosen in your company to assist
    you in debugging it.
     
    Lutz Donnerhacke, Feb 4, 2008
    #4
  5. Am 04.02.2008 12:33 schrieb Lutz Donnerhacke:
    > * Tilman Schmidt wrote:
    >
    >> In sum, this traffic is, with a probability bordering on certainty,
    >> legitimate.

    >
    > Capture the network traffic and ask Daniel Rosen in your company to assist
    > you in debugging it.


    Sorry, no one with that name on our payroll. I can't help wondering
    who you think my company is.

    No hint what I should be looking for, so I can go after this myself?

    --
    Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...
     
    Tilman Schmidt, Feb 17, 2008
    #5
  6. * Tilman Schmidt wrote:
    > Sorry, no one with that name on our payroll. I can't help wondering
    > who you think my company is.


    Sorry, I took it from the newsserver you are using.

    > No hint what I should be looking for, so I can go after this myself?


    You have to go youself or ask your ISP or any other expert to help you.
     
    Lutz Donnerhacke, Feb 18, 2008
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. SynDR0m3

    Syn.PC

    SynDR0m3, Jul 11, 2005, in forum: Case Modding
    Replies:
    30
    Views:
    8,217
    Flukemanguy
    Aug 30, 2005
  2. Scott Townsend
    Replies:
    0
    Views:
    6,423
    Scott Townsend
    May 24, 2006
  3. Tilman Schmidt
    Replies:
    0
    Views:
    3,290
    Tilman Schmidt
    Jan 24, 2008
  4. j1344
    Replies:
    0
    Views:
    916
    j1344
    Jul 23, 2009
  5. jcle
    Replies:
    1
    Views:
    6,462
    Gerhard Lehmann
    Aug 5, 2009
Loading...

Share This Page