
I have thousands of "Deny TCP reverse path check from 10.60.60.X to 10.60.6X.X on interface outside".

The IP addresses for the source and destination hosts are all over the board, and the interface is either outside or inside, for internal and external subnets. It's very odd. My network is experiencing a very high packet loss rate for the past 2 days, and I can't figure out how to stop this spoof attack that I believe I am under. Has anyone seen this before?

  • I don't have any suggestions for this exact issue, but normally with issues like this you have no choice but to go to your upstream provider and ask them for help. By the time it's at your device, the damage is done (in terms of flooding the link, causing packet loss, etc) – Mark Henderson Sep 15 '14 at 00:51
  • Talk about the layer 2 gear between you and your ISP and give us a picture of the topology. It sounds like you could have something flaky happening at layer 2. Surely you're not using the same layer 2 device for both inside and outside, right? – Evan Anderson Sep 15 '14 at 01:26
  • `How To Stop Cisco ASA Spoof Attack` - You can't stop it. Not unless you control the attacking systems. If this activity is in fact originating upstream from you then the best you can do is to speak to your upstream provider about mitigating and minimizing the extent of the activity. They may be able to stop it from reaching you, but they can't stop the activity itself. – joeqwerty Sep 15 '14 at 02:27
  • Evan Anderson, your point was right on. We recently added a cabinet in our datacenter that wasn't physically next to our existing cabinets. I asked to have a cross connect cable run between our cabinets so that I could join my new cabinet to our existing network, and that's what caused all of this. Thank you for that tip. – Daniel Graves Sep 17 '14 at 14:56
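The pattern that gave this away in the comments is worth checking mechanically: reverse-path-check denies where *inside* addresses arrive on the *outside* interface (and vice versa) point at a layer-2 problem such as a cross-connect bridging the two segments, not at a remote attacker forging packets. The script below is an added example, not part of the original question or of any Cisco tooling. It parses ASA `%ASA-1-106021` reverse path check messages, aggregates them by interface and source /24, and labels each bucket. The log lines are constructed, and the internal address range `10.60.0.0/16` is an assumption based on the addresses quoted in the question.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the site's internal address space, inferred from the question.
INTERNAL_NETS = [ip_network("10.60.0.0/16")]

# Matches the body of the ASA reverse path check denial (message ID 106021).
RPF_RE = re.compile(
    r"Deny (?P<proto>\w+) reverse path check from (?P<src>[\d.]+) "
    r"to (?P<dst>[\d.]+) on interface (?P<iface>\S+)"
)

# Constructed sample syslog output; the last line is a different ASA message
# (an ACL deny) and must be ignored by the parser.
SAMPLE_LOG = """\
Sep 15 2014 00:40:01 asa1 %ASA-1-106021: Deny TCP reverse path check from 10.60.60.12 to 10.60.61.5 on interface outside
Sep 15 2014 00:40:01 asa1 %ASA-1-106021: Deny TCP reverse path check from 10.60.60.12 to 10.60.62.9 on interface outside
Sep 15 2014 00:40:02 asa1 %ASA-1-106021: Deny UDP reverse path check from 203.0.113.7 to 10.60.60.3 on interface inside
Sep 15 2014 00:40:02 asa1 %ASA-1-106021: Deny TCP reverse path check from 10.60.61.40 to 10.60.60.8 on interface outside
Sep 15 2014 00:40:03 asa1 %ASA-1-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.60.60.3/22 by access-group "outside_in"
"""


def parse_rpf_denies(text):
    """Return (iface, proto, src, dst) tuples for every 106021 line in text."""
    events = []
    for line in text.splitlines():
        m = RPF_RE.search(line)
        if m:
            events.append((m["iface"], m["proto"],
                           ip_address(m["src"]), ip_address(m["dst"])))
    return events


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def classify(iface, src):
    """Label a denied packet by where its source address should have lived."""
    if iface == "outside" and is_internal(src):
        return "internal-source-on-outside"
    if iface == "inside" and not is_internal(src):
        return "external-source-on-inside"
    return "other"


def summarize(text):
    """Count denies per (interface, source /24, label) bucket."""
    counts = Counter()
    for iface, _proto, src, _dst in parse_rpf_denies(text):
        src24 = ip_network(f"{src}/24", strict=False)
        counts[(iface, str(src24), classify(iface, src))] += 1
    return counts


def hints(counts):
    """Turn the buckets into a short diagnostic verdict."""
    labels = {label for (_iface, _net, label) in counts}
    found = set()
    if "internal-source-on-outside" in labels:
        found.add("internal addresses seen on outside: check for L2 bridging or a rogue cross-connect")
    if "external-source-on-inside" in labels:
        found.add("external addresses seen on inside: check for L2 bridging or a rogue cross-connect")
    if {"internal-source-on-outside", "external-source-on-inside"} <= labels:
        found.add("both directions affected: inside and outside segments are almost certainly joined at layer 2")
    return found


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for key, n in summary.most_common():
        print(f"{n:6d}  {key}")
    for h in sorted(hints(summary)):
        print("-", h)
```

Feed it the output of `show logging` or the syslog collector's file instead of `SAMPLE_LOG`; if every bucket is labelled `other` (external sources on outside only), the denies are consistent with ordinary spoofed traffic from upstream and the advice about involving the provider applies.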
