Scanning Attacks & Syn Attacks

Answered Question
Aug 5th, 2008
Hey all, I have enabled basic threat detection, and also enabled auto shun in hopes to speed up our web server. Using the CLI I have found 2 in the latest attack host list and 1 in the latest target host list. But nothing in the shun list. I understand that the shun list is enabled once some thresholds are exceeded, but I've got nothing shunned yet. And my possible scan and Syn attack rates are always fluctuating from 1 - 25. Is there something I've missed?


robertson.michael Tue, 08/05/2008 - 14:22

Hi,


I would recommend checking out the config guide for threat-detection:


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1072953


Specifically, you'll need the following command before the ASA will automatically shun attackers:


ASA(config)# threat-detection scanning-threat shun


If everything looks like it is in order, please post the output of 'show run threat'


-Mike

netperception Wed, 08/06/2008 - 06:39

Result of the command: "show run threat"


threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics



netperception Wed, 08/06/2008 - 07:17

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

threat-detection statistics

robertson.michael Wed, 08/06/2008 - 09:59

Hi,


In your previous post, you did not have 'threat-detection scanning-threat shun' enabled. However, in the second post you do. Was this showing the change you made?


With the 'threat-detection scanning-threat shun' command do you still not see attackers being shunned?


-Mike

netperception Wed, 08/06/2008 - 10:28

Result of the command: "threat-detection scanning-threat shun"


The command has been sent to the device

....

Result of the command: "show threat-detection scanning-threat"


Latest Target Host List:

207.61.11.0

Latest Attacker Host List:

INT.21_SERVER1_ALPHA


robertson.michael Wed, 08/06/2008 - 10:33

Hi,


So does 'show threat-detection shun' show the attacker being shunned?


-Mike

netperception Wed, 08/06/2008 - 10:47

Hey, sorry. Thanks btw. I did make a change after I read your first email. It made sense that nothing was being shunned till I turned it on through the CLI. But what led me to believe I had it turned on was that I use the desktop application to administer this and I had checked the shun check box.


To answer 'do I see attackers in my shun list': no, for some reason I still do not, and my graph is so erratic. It fluctuates from 0 to 14 for scanning and 0 to 3 for syn. When I posted the results of the 2 CLI commands, the first one shows some possibles, and it shows nothing is being shunned.

robertson.michael Wed, 08/06/2008 - 14:18

Hi,


The attacker list that you posted shows:


Latest Attacker Host List:

INT.21_SERVER1_ALPHA


However, the configuration you posted was:


threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255


The above line means that we should shun all attacking hosts *except* INT.21_SERVER1_ALPHA. Therefore, since this is currently the only host in the attacker list, we will not shun this host.


Do you want to shun the INT.21_SERVER1_ALPHA host? If not, your configuration is correct. If you do not want to shun this host, you'd want to configure the following commands:


ASA(config)# no threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

ASA(config)# threat-detection scanning-threat shun

ASA# wr mem


Hope that helps.


-Mike

netperception Thu, 08/07/2008 - 05:05

Sure does help. My main concern is that we haven't blocked anyone yet. And the scan/syn attack chart goes between 0 and 4, hitting over 10 at least a few times an hour (but I would have to verify). The chart hits 0, but most of the time is running around 1.

I just had a thought: do you think the chart includes the exempted IPs? So say there are 3 that I know of and I exempt them, and they were the only ones; would the chart show the exempts?

Correct Answer
robertson.michael Thu, 08/07/2008 - 16:01

Hi,


Yes, that chart will include all attackers since these are based on the statistics calculated by threat-detection. Once the attackers are established and known, it will decide whether or not to shun them based on whether or not you explicitly exempt them.


If you remove the exempt portion threat-detection command, you should see that the attacker is then shunned.


Hope that helps.


-Mike
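
The two points Mike makes above (an attacker still shows up in the threat-detection statistics even when it is exempted, and the 'except' clause is what keeps it out of the shun list) can be checked mechanically. The following Python script is an added example, not code from this thread or from Cisco: it reads constructed samples of 'show run threat-detection' and 'show threat-detection scanning-threat' output laid out like the posts above, reports for each host in the attacker list whether the configuration would shun it or leave it exempt, and builds the 'no ... except' / 'shun' commands Mike gives. It generalizes the single /32 exemption in the thread to any dotted mask. The sample addresses (RFC 5737 ranges) and the exact layout of the command output are assumptions.

```python
import ipaddress
import re

# Constructed sample of 'show run threat-detection' output; not from a real device.
SAMPLE_CONFIG = """\
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.21.0.5 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.0.2.0 255.255.255.0
threat-detection statistics
"""

# Constructed sample of 'show threat-detection scanning-threat' output (RFC 5737 addresses).
SAMPLE_SCAN_OUTPUT = """\
Latest Target Host List:
    203.0.113.10
Latest Attacker Host List:
    10.21.0.5
    192.0.2.77
    198.51.100.9
"""

SHUN_LINE = "threat-detection scanning-threat shun"
EXCEPT_RE = re.compile(
    r"^threat-detection scanning-threat shun except ip-address (\S+) (\S+)$"
)


def parse_threat_config(config_text):
    """Return (auto_shun_enabled, [exempt networks]) from threat-detection config lines.

    An 'except' line implies scanning-threat shun is on for everything else,
    which is exactly the situation in the thread.
    """
    shun_enabled = False
    exempt = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EXCEPT_RE.match(line)
        if m:
            shun_enabled = True
            # ASA writes the exemption as address + dotted mask; ipaddress accepts that form.
            exempt.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif line == SHUN_LINE:
            shun_enabled = True
    return shun_enabled, exempt


def parse_attackers(scan_text):
    """Return the IP addresses listed under 'Latest Attacker Host List:'.

    Entries that are object names rather than addresses (like INT.21_SERVER1_ALPHA
    in the thread) are skipped; resolve them to addresses before calling this.
    """
    attackers = []
    in_attacker_section = False
    for raw in scan_text.splitlines():
        line = raw.strip()
        if line.endswith("Host List:"):
            in_attacker_section = line.startswith("Latest Attacker")
            continue
        if in_attacker_section and line:
            try:
                attackers.append(ipaddress.ip_address(line))
            except ValueError:
                pass
    return attackers


def classify_attackers(config_text, scan_text):
    """Map each attacker to 'shunned', 'exempt (<net>)' or 'not shunned: auto-shun disabled'."""
    shun_enabled, exempt = parse_threat_config(config_text)
    verdicts = {}
    for host in parse_attackers(scan_text):
        if not shun_enabled:
            verdicts[str(host)] = "not shunned: auto-shun disabled"
            continue
        hit = next((net for net in exempt if host in net), None)
        verdicts[str(host)] = f"exempt ({hit})" if hit is not None else "shunned"
    return verdicts


def remediation_commands(config_text):
    """Commands that drop every exemption and keep plain auto-shun on (Mike's fix, generalized)."""
    cmds = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if EXCEPT_RE.match(line):
            cmds.append("no " + line)
    cmds.append(SHUN_LINE)
    return cmds


if __name__ == "__main__":
    for host, verdict in classify_attackers(SAMPLE_CONFIG, SAMPLE_SCAN_OUTPUT).items():
        print(f"{host:16} {verdict}")
    print("\n".join(remediation_commands(SAMPLE_CONFIG)))
```

Running it against the constructed samples reports 10.21.0.5 and 192.0.2.77 as exempt (the second because of the /24 exemption) and 198.51.100.9 as shunned; with no 'shun' keyword in the config at all, every attacker is reported as not shunned, which is the state the original poster started from.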

netperception Fri, 08/08/2008 - 05:44

Thanks Mike. I'm beginning to see hosts that are shunned, and after doing background look-ups (whois stuff) on them prior I knew they were bad, and now they are shunned. I guess what I had read was ok as it was a static explanation, but your real-time explanation matched with what happened the last couple of days for a great resolution.


Now, dare I ask,... have you found yourself changing any of the threshold values?


Chuck

netperception Fri, 08/08/2008 - 05:48

Kind of a cross post, but I have about 6 or so known IPs showing up in the top usage pie chart. I don't really care to conveniently see them, so is there a way to exclude the 6 IPs (I even named them), so I can see the top usage of other IPs?


I'm also reading the CLI documentation, but there is lots to read; is there a CLI command to list the top X usage by IP and packets?

robertson.michael Fri, 08/08/2008 - 13:30

Hi Chuck,


Here are the answers to your questions:


1. The default scanning rates are typically fine for most people, though you can adjust them with the 'threat-detection rate' command.


2. Unfortunately, there is no way to exclude these IP addresses from showing up in the statistics.


3. When 'threat-detection statistics' is enabled, you can issue the 'show threat-detection statistics top host' command. This will show you the top source and destination IP addresses and the packet rates for each.


Hope that helps.


-Mike

netperception Mon, 08/11/2008 - 06:14

Yes, thanks again. But I guess even in the CLI I cannot view more than the top 10?

robertson.michael Mon, 08/11/2008 - 15:06

Hi Chuck,


Yes, that's correct. You'll only get the top 10.


-Mike
