ASA5505 doesn't shun hosts on scanning-threat

Unanswered Question
Feb 5th, 2010

Hi all,

I've been experimenting with threat-detection/scanning-threat for the last couple of days.

When I use nmap in one of its most aggressive port-scanning modes, the ASA does recognize it as a scanning-threat, but does absolutely nothing to stop it by shunning the attacker.

Changing the average/burst rate to a lower value (even 0) had no effect.

log:

[...]
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51578 to outside:84.104.x.x/38
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51579 to outside:84.104.x.x/1479
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51580 to outside:84.104.x.x/27000
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51581 to outside:84.104.x.x/802
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51583 to outside:84.104.x.x/329
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51582 to outside:84.104.x.x/96
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51586 to outside:84.104.x.x/802
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51584 to outside:84.104.x.x/329
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51587 to outside:84.104.x.x/27000
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51585 to outside:84.104.x.x/96
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51588 to outside:84.104.x.x/586
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51589 to outside:84.104.x.x/1381
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51591 to outside:84.104.x.x/244
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51590 to outside:84.104.x.x/1359


Feb 05 2010 14:51:59: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 4045


Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51592 to outside:84.104.x.x/586
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51594 to outside:84.104.x.x/1381
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51593 to outside:84.104.x.x/1359
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51595 to outside:84.104.x.x/244
Feb 05 2010 14:52:00: %ASA-7-710005: TCP request discarded from 213.x.x.x/51596 to outside:84.104.x.x/817
Feb 05 2010 14:52:00: %ASA-7-710005: TCP request discarded from 213.x.x.x/51597 to outside:84.104.x.x/1441

[...]

vandermade-asa# sh threat-detection scanning-threat
Latest Target Host & Subnet List:
Latest Attacker Host & Subnet List:

vandermade-asa# sh run threat-detection
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

System image file is "disk0:/asa822-k8.bin"
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz

So my question is: why isn't the host port-scanning my network shunned, even though it's recognized as a scanning-threat?

Thanks in advance!

Kind regards, Niels.

Federico Coto F... Sat, 02/20/2010 - 13:02

Hi,

Sorry, this is not an answer, I just want to say that I've seen the same problem. Can't get the threat-detection to shun the IP.

Anyone got this working?

Federico.
