[scanning] drop rate-1 exceeded messages???

Aug 31st, 2009

Hello.

I am testing a new ASA firewall and am repeatedly getting the following messages in Syslog

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4400

Could someone please explain what these messages actually mean?

Although the "scanning" rate has been exceeded, does it necessarily mean any resulting action has been taken? Am I losing packets anywhere?

As I say it is in default config.

astripat Mon, 05/03/2010 - 13:40

Hi,

Following is the description for the log message you get. You are getting this because you have "threat detection" enabled.

733100

Error Message    %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate is rate_val per second, max configured rate is rate_val; Current average rate is rate_val per second, max configured rate is rate_val; Cumulative total count is total_cnt

Explanation    The specified object in the syslog message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops due to potential attacks. It indicates the system is under potential attack.

•Object—The general or particular source of a drop rate count, which might include the following:

- Firewall

- Bad pkts

- Rate limit

- DoS attck

- ACL drop

- Conn limit

- ICMP attk

- Scanning

- SYN attck

- Inspect

- Interface

(A citation of a particular interface object might take a number of forms. For example, you might see "80/HTTP" that would signify port 80, with well-known protocol HTTP.)

•rate_ID—The configured rate that is being exceeded. Most objects can be configured with up to three different rates for different intervals.

•rate_val—A particular rate value.

•total_cnt—The total count since the object was created or cleared.

The following three examples show how these variables occur:

For an interface drop due to a CPU or bus limitation:

"%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654."

For a scanning drop due to potential attacks:

"%ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 245 per second, max configured rate is 5; Cumulative total count is 147409 (35 instances received)"

For bad packets due to potential attacks:

"%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933"

Recommended Action    Perform the following steps according to the specified object type that appears in the message:

1. If the object in the syslog message is one of the following:

–Firewall

–Bad pkts

–Rate limit

–DoS attck

–ACL drop

–Conn limit

–ICMP attck

–Scanning

–SYN attck

–Inspect

–Interface

Check whether the drop rate is acceptable for the running environment.

2. Adjust the threshold rate of the particular drop to an appropriate value by running the threat-detection rate xxx command, where xxx is one of the following:

–acl-drop

–bad-packet-drop

–conn-limit-drop

–dos-drop

–fw-drop

–icmp-drop

–inspect-drop

–interface-drop

–scanning-threat

–syn-attack

3. If the object in the syslog message is a TCP or UDP port, an IP protocol, or a host drop, check whether the drop rate is acceptable for the running environment.

4. Adjust the threshold rate of the particular drop to an appropriate value by running the threat-detection rate bad-packet-drop command.

Note: If you do not want the drop rate exceed warning to appear, you can disable it by running the no threat-detection basic-threat command.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html


HTH

Ashu
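As an added example (not from the original thread and not Cisco's code), here is a small Python parser for the %ASA-4-733100 message format described above. It pulls out the object, the rate ID, the burst and average rates with their configured maximums and the cumulative count, flags which threshold is above its maximum, and maps the object name to the keyword for the "threat-detection rate" command from the recommended-action list. The regular expression, the DropRateEvent class, the function names and the sample log lines (the poster's message, two of the documented examples, the poster's truncated line and one unrelated ACL-deny message) are all this example's own. Treating a rate equal to its maximum as "at limit" rather than exceeded is an assumption made here, not a documented ASA rule.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example: parser for ASA threat-detection "drop rate exceeded" events
# (%ASA-4-733100). The pattern and names below are this example's own.
MSG_RE = re.compile(
    r"""
    (?:%?ASA-4-733100:\s*)?                            # syslog ID prefix, if present
    \[\s*(?P<object>[^\]]+?)\s*\]\s+                   # "[ Scanning]", "[Interface]", ...
    drop\s+rate[\s-](?P<rate_id>\d+)\s+exceeded\.\s+   # both "rate-1" and "rate 1" occur
    Current\s+burst\s+rate\s+is\s+(?P<burst>\d+)\s+per\s+second[,_]?\s*
    max\s+configured\s+rate\s+is\s+(?P<burst_max>\d+);\s*
    Current\s+average\s+rate\s+is\s+(?P<avg>\d+)\s+per\s+second[,_]?\s*
    max\s+configured\s+rate\s+is\s+(?P<avg_max>\d+);\s*
    Cumulative\s+total\s+count(?:\s+is\s+(?P<total>\d+))?   # count may be truncated
    """,
    re.VERBOSE | re.IGNORECASE,
)

# Object name in the log -> keyword for "threat-detection rate <keyword>",
# taken from the recommended-action list. "Rate limit" has no keyword there.
RATE_KEYWORD = {
    "firewall": "fw-drop",
    "bad pkts": "bad-packet-drop",
    "dos attck": "dos-drop",
    "acl drop": "acl-drop",
    "conn limit": "conn-limit-drop",
    "icmp attk": "icmp-drop",
    "icmp attck": "icmp-drop",
    "scanning": "scanning-threat",
    "syn attck": "syn-attack",
    "inspect": "inspect-drop",
    "interface": "interface-drop",
}


@dataclass
class DropRateEvent:
    obj: str
    rate_id: int
    burst: int
    burst_max: int
    avg: int
    avg_max: int
    total: Optional[int]   # None when the syslog line was cut off

    # Assumption of this example: a rate is "exceeded" only when strictly above
    # its maximum, so the poster's burst 10 of 10 is at limit and avg 7 of 5 trips.
    @property
    def burst_exceeded(self) -> bool:
        return self.burst > self.burst_max

    @property
    def avg_exceeded(self) -> bool:
        return self.avg > self.avg_max

    @property
    def tuning_keyword(self) -> Optional[str]:
        return RATE_KEYWORD.get(self.obj.lower())


def parse_drop_rate(line: str) -> Optional[DropRateEvent]:
    """Return the parsed event, or None if the line is not a 733100 message."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    total = m.group("total")
    return DropRateEvent(
        obj=m.group("object"),
        rate_id=int(m.group("rate_id")),
        burst=int(m.group("burst")),
        burst_max=int(m.group("burst_max")),
        avg=int(m.group("avg")),
        avg_max=int(m.group("avg_max")),
        total=int(total) if total is not None else None,
    )


def summarize(lines: Iterable[str]) -> List[str]:
    """One line per 733100 event: which threshold is above its maximum and which
    'threat-detection rate' keyword tunes it. Other syslog lines are skipped."""
    out = []
    for line in lines:
        ev = parse_drop_rate(line)
        if ev is None:
            continue
        which = "/".join(n for n, hit in (("burst", ev.burst_exceeded),
                                          ("average", ev.avg_exceeded)) if hit)
        hint = (f"tune with: threat-detection rate {ev.tuning_keyword}"
                if ev.tuning_keyword else "no rate keyword listed for this object")
        out.append(
            f"{ev.obj}: rate-{ev.rate_id} {which or 'no'} threshold above max "
            f"(burst {ev.burst}/{ev.burst_max}, avg {ev.avg}/{ev.avg_max}, "
            f"total {ev.total if ev.total is not None else 'n/a'}); {hint}"
        )
    return out


# Constructed sample input: the poster's message, two of the documented examples,
# the poster's truncated line, and an unrelated ACL deny (%ASA-4-106023) that
# must not be mistaken for a threat-detection event.
SAMPLE_LOG = [
    "[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4400",
    "%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654",
    "ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_max configured rate is 10; Current average rate is 245 per second_max configured rate is 5; Cumulative total count is 147409 (35 instances received)",
    "[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 17 per second, max configured rate is 5; Cumulative total count",
    '%ASA-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.0.0.7/22 by access-group "outside_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(s)
```

Run over an exported syslog this gives one line per threat-detection event. The ACL-deny line is skipped because it is a different message, which is also why a pile of 733100 events need not line up with deny entries. Before changing any threshold, check on the box which interval rate-1 (and rate-2, if configured) refers to and what the maximums are: "show threat-detection rate" and "show running-config all threat-detection" print the configured rates, and the numbers in the syslog line should match them.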

pkampana Mon, 05/03/2010 - 13:46

The error is indeed due to threat-detection (introduced in ASA 8.0). It alerts you for some weird traffic burst.

But unless you have explicitly configured it, it does not drop anything.

I hope it helps.

PK

mikedelafield Mon, 05/03/2010 - 13:47

So am I right in assuming that no action is actually being taken, it is simply reporting that some kind of drop rate statistic limit has been reached?

dtochilovsky Mon, 05/03/2010 - 13:45

I think you are seeing a built-in threat protection of the ASA that shows up in logs. Looks like your firewall is hit with a lot of scan traffic (nmap or other port scanning tool).

Look at the following link for the explanation of the message you are seeing in the logs: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6

"Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake.)"

HTH.

Dmitry.

pkampana Mon, 05/03/2010 - 14:02

Yes, it is a threshold that you exceeded.

But threat detection will not drop unless you tell it to. The default behavior is to just alert (generate syslog).

PK

mikedelafield Wed, 05/19/2010 - 02:20

That's great, thanks, although I still don't completely understand.

The messages say Drop Rate Exceeded and I presume this relates to drops on ACLs

and yet I am hardly seeing any actual Denys coming through on the syslog.

Should this not correlate in some way?

Or do the drops relate to some other form of "Drop"?

Actual message;

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 17 per second, max configured rate is 5; Cumulative total count

pkampana Wed, 05/19/2010 - 05:53

It does not refer to ACL drops.

The threat detection feature has some internal thresholds for traffic and when you exceed them it will throw a log. The thresholds are here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html

Your syslogs "[ Scanning] drop rate-1 exceeded." mean that you have exceeded the "Scanning attack detected" threshold.

I hope it is clear.

PK
