Scanning Attacks & Syn Attacks

netperception
Level 1

Hey all, I have enabled basic threat detection, and also enabled auto shun in hopes to speed up our web server. Using the CLI I have found 2 in the latest attacker host list and 1 in the latest target host list. But nothing in the shun list. I understand that the shun list is enabled once some thresholds are exceeded but I've got nothing shunned yet. And my possible scan and SYN attack rates are always fluctuating from 1 - 25. Is there something I've missed?


15 Replies

Hi,

I would recommend checking out the config guide for threat-detection:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1072953

Specifically, you'll need the following command before the ASA will automatically shun attackers:

ASA(config)# threat-detection scanning-threat shun

If everything looks like it is in order, please post the output of 'show run threat'

-Mike

Result of the command: "show run threat"

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

threat-detection statistics

Hi,

In your previous post, you did not have 'threat-detection scanning-threat shun' enabled. However, in the second post you do. Was this showing the change you made?

With the 'threat-detection scanning-threat shun' command do you still not see attackers being shunned?

-Mike

Result of the command: "threat-detection scanning-threat shun"

The command has been sent to the device

....

Result of the command: "show threat-detection scanning-threat"

Latest Target Host List:

207.61.11.0

Latest Attacker Host List:

INT.21_SERVER1_ALPHA

Hi,

So does 'show threat-detection shun' show the attacker being shunned?

-Mike

Hey, sorry. Thanks btw. I did make a change after I read your first email. It made sense that nothing was being shunned till I turned it on through the CLI. But what led me to believe I had it turned on was that I use the desktop application to administer this and I had checked the shun check box.

To answer 'do I see attackers in my shun list': no, for some reason I still do not, and my graph is so erratic. It fluctuates from 0 to 14 for scanning and 0 to 3 for SYN. When I posted the results of 2 CLI commands, the first one shows some possibles, and it shows nothing is being shunned.

Hi,

The attacker list that you posted shows:

Latest Attacker Host List:

INT.21_SERVER1_ALPHA

However, the configuration you posted was:

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

The above line means that we should shun all attacking hosts *except* INT.21_SERVER1_ALPHA. Therefore, since this is currently the only host in the attacker list, we will not shun this host.

Do you want to shun the INT.21_SERVER1_ALPHA host? If not, your configuration is correct. If you do not want to shun this host, you'd want to configure the following commands:

ASA(config)# no threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

ASA(config)# threat-detection scanning-threat shun

ASA# wr mem

Hope that helps.

-Mike
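The except-clause behaviour Mike describes above is easy to get wrong when reading a config by eye, so here is an added example (not code from the thread or from Cisco) that parses 'show run threat' and 'show threat-detection scanning-threat' text and reports, per detected attacker, whether the current configuration would shun it. It assumes, as Mike states, that both the bare 'shun' form and the 'shun except ip-address' form enable shunning, with the except form carving out a network that is never shunned. The config and show output embedded below are constructed samples using documentation address ranges, not the thread's real hosts.

```python
import ipaddress
import re

# Constructed sample of 'show run threat' output, mirroring the thread's
# configuration (addresses are documentation ranges, not real hosts).
CONFIG_EXEMPT = """\
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.0.2.10 255.255.255.255
threat-detection statistics
"""

# Same config after the suggested fix: shun with no exemption.
CONFIG_SHUN_ALL = """\
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
"""

# Scanning-threat detection on, but shunning never enabled at all.
CONFIG_NO_SHUN = """\
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
"""

# Constructed 'show threat-detection scanning-threat' output.
SHOW_SCANNING = """\
Latest Target Host List:
198.51.100.7
Latest Attacker Host List:
192.0.2.10
203.0.113.45
"""

SHUN_RE = re.compile(
    r"^threat-detection scanning-threat shun"
    r"(?: except ip-address (\S+) (\S+))?\s*$"
)


def parse_threat_config(config_text):
    """Return (shun_enabled, exempt_networks) from 'show run threat' text.

    Both the bare 'shun' line and the 'shun except ...' form turn shunning
    on; the 'except' form adds a network that is never shunned.
    """
    shun_enabled = False
    exempt = []
    for line in config_text.splitlines():
        m = SHUN_RE.match(line.strip())
        if not m:
            continue
        shun_enabled = True
        if m.group(1):
            # ASA writes address + netmask; ipaddress accepts an (addr, mask) tuple.
            exempt.append(ipaddress.IPv4Network((m.group(1), m.group(2)), strict=False))
    return shun_enabled, exempt


def parse_attacker_list(show_text):
    """Pull the hosts listed under 'Latest Attacker Host List:' from show output."""
    hosts = []
    collecting = False
    for line in show_text.splitlines():
        line = line.strip()
        if line.endswith(":"):
            collecting = line == "Latest Attacker Host List:"
            continue
        if collecting and line:
            hosts.append(line.split()[0])
    return hosts


def classify_attackers(config_text, show_text):
    """Map each detected attacker to why it is (or is not) going to be shunned."""
    shun_enabled, exempt = parse_threat_config(config_text)
    verdicts = {}
    for host in parse_attacker_list(show_text):
        try:
            addr = ipaddress.IPv4Address(host)
        except ValueError:
            verdicts[host] = "unparsed (not an IPv4 address)"
            continue
        if not shun_enabled:
            verdicts[host] = "not shunned (shun not enabled)"
        elif any(addr in net for net in exempt):
            verdicts[host] = "not shunned (exempt)"
        else:
            verdicts[host] = "shunned"
    return verdicts


if __name__ == "__main__":
    for label, cfg in (("exempt", CONFIG_EXEMPT),
                       ("shun-all", CONFIG_SHUN_ALL),
                       ("no-shun", CONFIG_NO_SHUN)):
        print(label, classify_attackers(cfg, SHOW_SCANNING))
```

Running it against the three configs shows the thread's situation directly: with the 'except' form the only exempt attacker is reported as not shunned while any other attacker is, with no 'shun' keyword nobody is shunned regardless of the attacker list, and with the plain 'shun' form every listed attacker is.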

Sure does help. My main concern is that we haven't blocked anyone yet. And the scan/SYN attack chart goes between 0 and 4, hitting over 10 at least a few times an hour (but I would have to verify). The chart hits 0, but most of the time is running around 1.

I just had a thought: do you think the chart includes the exempted IPs? So say there are 3 that I know of and I exempt them, and they were the only ones, the chart would show the exempts?

Hi,

Yes, that chart will include all attackers since these are based on the statistics calculated by threat-detection. Once the attackers are established and known, it will decide whether or not to shun them based on whether or not you explicitly exempt them.

If you remove the exempt portion threat-detection command, you should see that the attacker is then shunned.

Hope that helps.

-Mike

Thanks Mike. I'm beginning to see hosts that are shunned, and after doing background look-ups (whois stuff) on them prior I knew they were bad and now they are shunned. I guess what I had read was OK as it was a static explanation, but your real-time explanation matched with what happened the last couple of days for a great resolution.

Now, dare I ask,... have you found yourself changing any of the threshold values?

Chuck

Kind of a cross post, but I have about 6 or so known IPs showing up in the top usage pie chart. I don't really care to conveniently see them, so is there a way to exclude the 6 IPs (I even named them), so I can see the top usage of other IPs?

I'm also reading the CLI documentation but there is lots to read; is there a CLI command to list the top X usage by IP and packets?

Hi Chuck,

Here are the answers to your questions:

1. The default scanning rates are typically fine for most people, though you can adjust them with the 'threat-detection rate' command.

2. Unfortunately, there is no way to exclude these IP addresses from showing up in the statistics.

3. When 'threat-detection statistics' is enabled, you can issue the 'show threat-detection statistics top host' command. This will show you the top source and destination IP addresses and the packet rates for each.

Hope that helps.

-Mike

Yes, thanks again. But I guess even in the CLI I cannot view more than the top 10?
