Asa5505 doesn't shun hosts at scanning-threat

Hi all,


I've been experimenting with threat-detection/scanning-threat the last couple of days.

When I use nmap in one of its most aggressive ways of scanning ports, the ASA does recognize it as a scanning threat, but does absolutely nothing to stop it by shunning the attacker.

Changing the average/burst rate to a lower value (down to 0) had no effect.


log:


[...]
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51578 to outside:84.104.x.x/38
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51579 to outside:84.104.x.x/1479
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51580 to outside:84.104.x.x/27000
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51581 to outside:84.104.x.x/802
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51583 to outside:84.104.x.x/329
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51582 to outside:84.104.x.x/96
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51586 to outside:84.104.x.x/802
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51584 to outside:84.104.x.x/329
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51587 to outside:84.104.x.x/27000
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51585 to outside:84.104.x.x/96
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51588 to outside:84.104.x.x/586
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51589 to outside:84.104.x.x/1381
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51591 to outside:84.104.x.x/244
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51590 to outside:84.104.x.x/1359

Feb 05 2010 14:51:59: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 18 per second, max configured rate is 10; Current average rate is 6 per second, max configured rate is 5; Cumulative total count is 4045

Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51592 to outside:84.104.x.x/586
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51594 to outside:84.104.x.x/1381
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51593 to outside:84.104.x.x/1359
Feb 05 2010 14:51:59: %ASA-7-710005: TCP request discarded from 213.x.x.x/51595 to outside:84.104.x.x/244
Feb 05 2010 14:52:00: %ASA-7-710005: TCP request discarded from 213.x.x.x/51596 to outside:84.104.x.x/817
Feb 05 2010 14:52:00: %ASA-7-710005: TCP request discarded from 213.x.x.x/51597 to outside:84.104.x.x/1441

[...]


vandermade-asa# sh threat-detection scanning-threat
Latest Target Host & Subnet List:
Latest Attacker Host & Subnet List:


vandermade-asa# sh run threat-detection
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200


System image file is "disk0:/asa822-k8.bin"
Hardware:   ASA5505, 256 MB RAM, CPU Geode 500 MHz


So my question is: why isn't the host port-scanning my network shunned, even though it is recognized as a scanning threat?

Thanks in advance!

Kind regards, Niels.
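As an added illustration (not code from the thread, and not Cisco's own implementation), the script below reads the kind of syslog the post quotes and re-derives the scanning-threat signal from it, so the question can be checked from the log side: does the 733100 message really say a configured rate was crossed, does the running config enable the shun, and does the attacker list show the host? The 710005/733100 parsing follows the message format visible in the post; the per-second "drop count plus distinct destination ports" heuristic is a simplification of whatever the ASA classifier does internally, and the assumption that `show threat-detection scanning-threat` lists one attacker per line under its header is mine. The sample log and config text are constructed from the post's excerpt.

```python
"""Re-derive the scanning-threat picture from ASA syslog text (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

# %ASA-7-710005: one discarded TCP request, as quoted in the post.
DROP_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-7-710005: "
    r"TCP request discarded from (?P<src>[\w.]+)/(?P<sport>\d+) "
    r"to (?P<ifname>\w+):(?P<dst>[\w.]+)/(?P<dport>\d+)\s*$"
)
# %ASA-4-733100: basic-threat rate-exceeded message with both rates and their limits.
RATE_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<kind>\w+)\] drop rate-(?P<idx>\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
SHUN_RE = re.compile(r"^threat-detection scanning-threat shun(?: duration (?P<dur>\d+))?\s*$", re.M)


def parse_drop(line):
    """Return the fields of a 710005 line, or None for any other line."""
    m = DROP_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}


def parse_rate_event(line):
    """Return the numbers of a 733100 line (ints), or None for any other line."""
    m = RATE_RE.search(line)
    if not m:
        return None
    return {k: (int(v) if v.isdigit() else v) for k, v in m.groupdict().items()}


def drops_per_second(lines):
    """Group 710005 drops by (source, second) -> (count, distinct destination ports)."""
    buckets = defaultdict(lambda: [0, set()])
    for line in lines:
        d = parse_drop(line)
        if d:
            b = buckets[(d["src"], d["ts"])]
            b[0] += 1
            b[1].add(d["dport"])
    return {k: (n, frozenset(p)) for k, (n, p) in buckets.items()}


def scanning_sources(lines, burst_max, min_distinct_ports=5):
    """Sources that, in a single second, exceeded burst_max drops AND touched at least
    min_distinct_ports destination ports (the port spread separates a scan from one retried flow).
    Simplified heuristic, not the ASA's internal classifier."""
    return sorted({src for (src, _), (n, ports) in drops_per_second(lines).items()
                   if n > burst_max and len(ports) >= min_distinct_ports})


def thresholds_crossed(ev):
    """Which configured rates the 733100 message says were exceeded."""
    out = []
    if ev["burst"] > ev["burst_max"]:
        out.append("burst")
    if ev["avg"] > ev["avg_max"]:
        out.append("average")
    return out


def shun_config(running_config):
    """(enabled, duration_seconds) from 'show run threat-detection' text."""
    m = SHUN_RE.search(running_config)
    if not m:
        return (False, None)
    return (True, int(m["dur"]) if m["dur"] else None)


def listed_attackers(show_output):
    """Entries under 'Latest Attacker Host & Subnet List:' (assumed one per line, stopping at the next header)."""
    found, in_section = [], False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line.startswith("Latest Attacker Host"):
            in_section = True
            continue
        if in_section and line:
            if line.endswith(":"):
                break
            found.append(line.split()[0])
    return found


def missing_shuns(lines, running_config, show_output):
    """Sources the log says crossed the burst limit while shun is configured, yet absent from the attacker list."""
    if not shun_config(running_config)[0]:
        return []
    events = [e for e in map(parse_rate_event, lines) if e and e["kind"] == "Scanning"]
    if not events:
        return []
    burst_max = min(e["burst_max"] for e in events)  # limit as reported by the box itself
    seen = set(listed_attackers(show_output))
    return [s for s in scanning_sources(lines, burst_max) if s not in seen]


# --- constructed sample data, mirroring the post's excerpt (masked addresses kept) ---
_FIRST_SECOND = [(51578, 38), (51579, 1479), (51580, 27000), (51581, 802), (51583, 329), (51582, 96),
                 (51586, 802), (51584, 329), (51587, 27000), (51585, 96), (51588, 586), (51589, 1381),
                 (51591, 244), (51590, 1359), (51592, 586), (51594, 1381), (51593, 1359), (51595, 244)]
_NEXT_SECOND = [(51596, 817), (51597, 1441)]


def _drop(ts, sp, dp):
    return f"{ts}: %ASA-7-710005: TCP request discarded from 213.x.x.x/{sp} to outside:84.104.x.x/{dp}"


SAMPLE_RATE_LINE = ("Feb 05 2010 14:51:59: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. "
                    "Current burst rate is 18 per second, max configured rate is 10; Current average rate "
                    "is 6 per second, max configured rate is 5; Cumulative total count is 4045")
SAMPLE_LOG = ([_drop("Feb 05 2010 14:51:59", sp, dp) for sp, dp in _FIRST_SECOND[:14]]
              + [SAMPLE_RATE_LINE]
              + [_drop("Feb 05 2010 14:51:59", sp, dp) for sp, dp in _FIRST_SECOND[14:]]
              + [_drop("Feb 05 2010 14:52:00", sp, dp) for sp, dp in _NEXT_SECOND])
SAMPLE_CONFIG = "threat-detection basic-threat\nthreat-detection scanning-threat shun duration 3600\n"
SAMPLE_SHOW = "Latest Target Host & Subnet List:\nLatest Attacker Host & Subnet List:\n"

if __name__ == "__main__":
    ev = next(e for e in map(parse_rate_event, SAMPLE_LOG) if e)
    print("733100 crossed:", thresholds_crossed(ev), "| shun config:", shun_config(SAMPLE_CONFIG))
    print("scanners by log:", scanning_sources(SAMPLE_LOG, ev["burst_max"]),
          "| not in attacker list:", missing_shuns(SAMPLE_LOG, SAMPLE_CONFIG, SAMPLE_SHOW))
```

Run against the excerpt, the 18 drops inside the 14:51:59 second match the "burst rate is 18 per second" in the 733100 message exactly, both configured rates are exceeded, the shun is enabled with a 3600 s duration, and the attacker list is still empty; the script's mismatch report is thus the same observation the post makes, just derived mechanically, which is a handy check to keep around when tuning these thresholds.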


Hi,

Sorry, this is not an answer, just want to say that I've seen the same problem. Can't get the threat-detection to shun the IP.

Anyone, got this working?

Federico.
