Cisco ASA - Shun IPs/Auto update/Threatstop/Dshield

Mar 20th, 2009

Anyone using a service such as Threatstop to automatically update their SHUN rules to block the top x offending source IPs? If so, comments, suggestions?

carenas123 Thu, 03/26/2009 - 14:37

The shun command allows you to apply a blocking function to the interface receiving the attack. Packets containing the IP source address of the attacking host are dropped and logged until the blocking function is removed manually or by the Cisco IPS master module. No traffic from the IP source address is allowed to traverse the security appliance. Any remaining connections time out as part of the normal architecture. The blocking function of the shun command is applied whether or not a connection with the specified host address is currently active.

If you use the shun command only with the source IP address of the host, then the default is 0. No further traffic from the offending host is allowed.
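Since the question is about feeding shun rules from an external block list, here is an added example (not from this thread or from Cisco) that parses a feed and the ASA's `show shun` output and emits the `shun` / `no shun` commands needed to reconcile the two. The `show shun` line format and the feed format are assumptions, and all sample data is constructed.

```python
import ipaddress
import re

# Constructed `show shun` sample; format assumed: shun (<if>) <src> <dst> <sport> <dport> <proto>
SHOW_SHUN = """\
shun (outside) 192.0.2.10 0.0.0.0 0 0 0
shun (outside) 198.51.100.7 0.0.0.0 0 0 0
"""
# Constructed block-list feed: one address per line, with comments and bad entries.
FEED = """\
# top offenders (constructed sample)
192.0.2.10
203.0.113.5
not-an-ip
10.0.0.1  ; RFC 1918 space must never be shunned on a public feed's say-so
203.0.113.5
"""

SHUN_RE = re.compile(r"^shun \(\S+\) (\S+) ")
NEVER_SHUN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
    "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7")]  # multicast, IPv6 local ranges

def parse_show_shun(text):
    """Source IPs currently in the shun table, parsed from `show shun` output."""
    return {m.group(1) for m in map(SHUN_RE.match, text.splitlines()) if m}

def parse_feed(text):
    """Feed entries that are syntactically valid IPs and outside NEVER_SHUN, deduplicated."""
    wanted = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # never push a malformed feed line to the firewall
        if not any(ip in net for net in NEVER_SHUN):
            wanted.add(str(ip))
    return wanted

def plan_shun_changes(current, wanted):
    """ASA commands that move the shun table from `current` to exactly `wanted`.
    Caveat: this also drops shuns added by hand or by IPS; in production, only
    remove entries this script itself added on a previous run."""
    cmds = [f"no shun {ip}" for ip in sorted(current - wanted)]
    cmds += [f"shun {ip}" for ip in sorted(wanted - current)]
    return cmds
```

Shun entries are not part of the running configuration and do not survive a reload, so a job like this has to re-run after every reboot rather than relying on `write memory`.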

