[scanning] drop rate-1 exceeded messages???

Unanswered Question
Aug 31st, 2009

Hello.

I am testing a new ASA firewall and am repeatedly getting the following mesages in Syslog

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4400

Could someone please explain what these messages actually mean?

Although the "scanning" rate has been exceeded does it necessary mean any resulting action has been taken? Am I losing packets anywhere?

As I say it is in default config.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
astripat Mon, 05/03/2010 - 13:40

Hi,

Following is the decription for the log message you get. You are getting this because you have "threat detection enabled"

733100

Error Message    %ASA-4-733100: Object drop rate rate_ID exceeded. Current burst rate
is rate_val per second, max configured rate is rate_val; Current average rate is
rate_val per second, max configured rate is rate_val; Cumulative total count is
total_cnt

Explanation    The specified object in the syslog message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops due to potential attacks. It indicates the system is under potential attack.

•Object—The general or particular source of a drop rate count, which might include the following:

- Firewall

- Bad pkts

- Rate limit

- DoS attck

- ACL drop

- Conn limit

- ICMP attk

- Scanning

- SYN attck

- Inspect

- Interface

(A citation of a particular interface object might take a number of forms. For example, you might see "80/HTTP" that would signify port 80, with well-known protocol HTTP.)

•rate_ID—The configured rate that is being exceeded. Most objects can be configured with up to three different rates for different intervals.

•rate_val—A particular rate value.

•total_cnt—The total count since the object was created or cleared.

The following three examples show how these variables occur:

For an interface drop due to a CPU or bus limitation:

"%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654."

For a scanning drop due to potential attacks:

"ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_max configured rate is 10; Current average rate is 245 per second_max configured rate is 5; Cumulative total count is 147409 (35 instances received)

For bad packets due to potential attacks:

"%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933"

Recommended Action    Perform the following steps according to the specified object type that appears in the message:

1. If the object in the syslog message is one of the following:

–Firewall

–Bad pkts

–Rate limit

–DoS attck

–ACL drop

–Conn limit

–ICMP attck

–Scanning

–SYN attck

–Inspect

–Interface

Check whether the drop rate is acceptable for the running environment.

2. Adjust the threshold rate of the particular drop to an appropriate value by running the threat-detection rate xxx command, where xxx is one of the following:

–acl-drop

–bad-packet-drop

–conn-limit-drop

–dos-drop

–fw-drop

–icmp-drop

–inspect-drop

–interface-drop

–scanning-threat

–syn-attack

3. If the object in the syslog message is a TCP or UDP port, an IP protocol, or a host drop, check whether the drop rate is acceptable for the running environment.

4. Adjust the threshold rate of the particular drop to an appropriate value by running the threat-detection rate bad-packet-drop command.

Note: If you do not want the drop rate exceed warning to appear, you can disable it by running the no threat-detection basic-threat command.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html


HTH

Ashu

Panagiotis T Ka... Mon, 05/03/2010 - 13:46

The error is indeed due to threat-detection (introduced in ASA 8.0). It alerts you for some weird traffic burst.

But unless you have explicitly configured it, it does not drop anything.

I hope it helps.

PK

mikedelafield Mon, 05/03/2010 - 13:47

So am i right in assuming that no action is actually being taken, it is simply reporting that some kind of drop rate statistic limit has been reached?

thompsondj Fri, 08/21/2015 - 14:42

Mike,

  If you read my post above I noticed the same problem, but after researching the affects on the IPS.  Since the IPS-20 in connected as a "daughter card" on the main ASA I think it sees the affects of the issue.

 

  I think it is affecting the ASA, resets until the threshold is reached again and continues to reset...  My opinion, but if someone else has more experience please let us both know.

thompsondj Fri, 08/21/2015 - 14:45

My action is to shut off the connection attempts from the new servers from trying to access some outside source.

  The way I figured this out is when I noticed the logs from our firewall ASA dropping connection attempts 4-12 times a second I tried to find out what was causing it.

thompsondj Fri, 08/21/2015 - 14:38

  Would this issue affect an IPS-20 module that is active in the ASA "5510"?  I was trying to figure out why our IPS, or more specifically the Cisco IPS Manager Express "IME" "Memory & Load" gadget was acting funny on the IME dashboard.

  The green Memory and Disk Usage percentage bars would go blank for about a minute.

 

  Originally I started looking at the IPS only then I thought I would time my review of the ASA logs to see if anything occurred at the same time.  I've now seen this alert three times while writing this post and keeping an eye on the ASA and IPS.

  So it looks like  the answer to my question is yes it probably is associated to the same events.

 

  To give everyone an idea on what is causing our issue, it's a flood of "denied tcp" attempts on ports 135, 139 and 445 that are hitting the ASA about 4-7 times a second.

 

  I was going to open a post for the IPS, but finding this discussion answered my questions.  I just need to have the System Admin's to shut down those connection requests.

  To provide more detail the servers were built in a lab and have a function we didn't order for automatic updates.  Once the server was built out I assume they plugged in our specific requirements and left the requests for updates still turned on.

 

 

Thank you Ashu and the others for your comments.

dtochilovsky Mon, 05/03/2010 - 13:45

I think you are seeing a built in threat protection of the ASA that shows up in logs. Looks like your firewall is hit with a lot of scan traffic (nmap oor other port scanning tool).

Look at the following link for the explanation of the message you are seeing in the logs: http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#sol6

"Scanning attack detected (This option monitors scanning attacks; for example, the first TCP packet is not a SYN packet, or the TCP connection failed the 3-way handshake."

HTH.

Dmitry.

Panagiotis T Ka... Mon, 05/03/2010 - 14:02

Yes, it is a threshold that you exceeded.

But threat detection will not drop unless you tell it to. The default behavior is to just alert (generate syslog).

PK

mikedelafield Wed, 05/19/2010 - 02:20

Thats great thanks, although i still don't completely understand

The messages say Drop Rate Exceeded and I presume this relates to drops on ACLs

and yet i am hardly seeing any actually Denys coming through on the syslog

Should this not correlate in some way?

Or do the drops relate to some other form of "Drop"?

Actual message;

[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 17 per second, max configured rate is 5; Cumulative total count

Panagiotis T Ka... Wed, 05/19/2010 - 05:53

It does not refer to ACL drops.

The threat detection feature has some internal thresholds for traffic and when you exceed them it will throw a log. The thresholds are here http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html

Your syslogs "[ Scanning] drop rate-1 exceeded." mean the you have exceeded the "Scanning attack detected" threshold.

I hope it is clear.

PK

Actions

This Discussion