cisco asa5510 port 80

Unanswered Question
Jul 20th, 2010

I got a complaint from my ISP that our system is being used for conducting scanning/hacking of known NT
exploits, port scanning and/or spidering of another network, and the IP they mentioned is our ASA5510 IP.

This is what they told us to do: "Please investigate a TCP sweep of port 80 from the..." Please help, how can I fix this? Thanks.

Nagaraja Thanthry Tue, 07/20/2010 - 20:55

Hello,

You have a couple of ways to control the threats. One is enabling threat detection on the firewall (if it is running 8.0 and beyond). Threat detection is pretty effective in catching and shunning hosts that generate scanning attacks. But, depending upon the threshold you have set, sometimes it is possible that some hosts escape through the system. Another way is to restrict access on the firewall, i.e. on the inside interface configure access-lists such that only specific types of traffic go through the firewall. For example, you can allow the HTTP, HTTPS, and SMTP ports, blocking all other traffic on the inside. This will ensure that no device behind the firewall is allowed to launch an attack.

Hope this helps.

Regards,

NT

lawsuites Tue, 07/20/2010 - 22:03

OK, thanks for the time and reply. So I have enabled scanning threat detection on the firewall. Also, is there any way to check which computer was used for the attack on the network, and can we monitor port 80 so this doesn't happen in the future? Thanks.

Jitendriya Athavale Tue, 07/20/2010 - 22:24

Also, you can try the following:

show local-host | include host|count/limit 

This will give you a fair idea as to who the attacker is. If you see too many connections from a server it makes sense, but if you see too many connections from a host/PC then you know something is fishy.

lawsuites Wed, 07/21/2010 - 04:22

Thanks again for the help. The following is the info:

show threat-detection scanning-threat attacker... didn't give me anything.

The following didn't give me any crazy count.

show local-host | include host|count/limit  

# show local-host | include host|count/limit
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 1
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 1
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <69.x.x.x>,
    TCP embryonic count to host = 0
local host: <38.x.x.x>,
    TCP embryonic count to host = 0
local host: <68.x.x.x>,
    TCP embryonic count to host = 0
local host: <98.x.x.x>,
    TCP embryonic count to host = 0
local host: <72.x.x.x>,
    TCP embryonic count to host = 0
local host: <207.x.x.x>,
    TCP embryonic count to host = 0
local host: <173.x.x.x>,
    TCP embryonic count to host = 0
local host: <208.x.x.x>,
    TCP embryonic count to host = 0
local host: <192.x.x.x>,
    TCP embryonic count to host = 0
local host: <72.x.x.x>,
    TCP embryonic count to host = 0
local host: <68.x.x.x>,
    TCP embryonic count to host = 0
local host: <205.x.x.x>,
    TCP embryonic count to host = 0
local host: <192.x.x.x>,
    TCP embryonic count to host = 0
local host: <207.x.x.x>,
    TCP embryonic count to host = 0
local host: <74.x.x.x>,
    TCP embryonic count to host = 0
local host: <208.x.x.x>,
    TCP embryonic count to host = 0
local host: <64.x.x.x>,
    TCP embryonic count to host = 0
local host: <166.x.x.x>,
    TCP embryonic count to host = 0
local host: <174.x.x.x>,
    TCP embryonic count to host = 0
local host: <64.x.x.x>,
    TCP embryonic count to host = 0
local host: <208.x.x.x>,
    TCP embryonic count to host = 0
local host: <38.x.x.x>,
    TCP embryonic count to host = 0

If you are seeing something that I don't, please let me know. Any other suggestions?
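As an added example (not from the thread), here is a small Python parser for the output of `show local-host | include host|count/limit` that does what the earlier reply suggests: rank inside hosts by connection count and flag the outliers. It assumes a per-host `TCP flow count/limit = N/limit` line (the line the `count/limit` filter targets, not shown in the paste above), and the inside prefix and thresholds are made-up values; because the counters only reflect connections open at that moment, the function takes several snapshots captured over time and keeps each host's peak.

```python
import re

# Constructed sample (made-up addresses) in the layout the ASA prints for
# `show local-host | include host|count/limit`; the flow line is assumed.
SAMPLE = """\
local host: <10.10.1.5>,
    TCP flow count/limit = 2/unlimited
    TCP embryonic count to host = 1
local host: <10.10.1.23>,
    TCP flow count/limit = 418/unlimited
    TCP embryonic count to host = 0
local host: <198.51.100.9>,
    TCP flow count/limit = 250/unlimited
    TCP embryonic count to host = 0
"""

HOST_RE = re.compile(r"^local host:\s*<([^>]+)>,")
FLOW_RE = re.compile(r"TCP flow count/limit\s*=\s*(\d+)/")
EMBRYONIC_RE = re.compile(r"TCP embryonic count to host\s*=\s*(\d+)")

def parse_local_host(text):
    """Map each host in one snapshot to its TCP flow and embryonic counters."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"flows": 0, "embryonic": 0}
        elif current is not None:
            if (m := FLOW_RE.search(line)):
                hosts[current]["flows"] = int(m.group(1))
            elif (m := EMBRYONIC_RE.search(line)):
                hosts[current]["embryonic"] = int(m.group(1))
    return hosts

def suspicious_hosts(snapshots, inside_prefix="10.10.", flow_threshold=100, embryonic_threshold=20):
    """Inside hosts whose peak counters over repeated snapshots exceed a threshold (assumed values)."""
    # Counters vanish once connections time out, so keep the peak seen across samples.
    peak = {}
    for snap in snapshots:
        for ip, c in snap.items():
            if not ip.startswith(inside_prefix):
                continue  # outside peers are listed too; the question is which inside host
            p = peak.setdefault(ip, {"flows": 0, "embryonic": 0})
            p["flows"] = max(p["flows"], c["flows"])
            p["embryonic"] = max(p["embryonic"], c["embryonic"])
    flagged = [(ip, c["flows"], c["embryonic"]) for ip, c in peak.items()
               if c["flows"] >= flow_threshold or c["embryonic"] >= embryonic_threshold]
    return sorted(flagged, key=lambda t: (-t[1], -t[2]))
```

Run `show local-host` every minute or so while the ISP says the sweep is active, feed each capture through `parse_local_host`, and pass the list to `suspicious_hosts`; a single quiet capture, like the one above, proves nothing.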


Jitendriya Athavale Wed, 07/21/2010 - 05:40

I have 2 questions:

Have you configured scanning threat detection with shun?

Is your ISP still reporting scanning attacks?

Nagaraja Thanthry Wed, 07/21/2010 - 06:27

Hello,

You will see those counters only during the attack period. A scanning attack refers to opening many half connections, i.e. just sending SYN and not expecting SYN-ACK packets. So, depending upon the firewall's timer values, the half-closed connections can be closed by the firewall within 5 minutes of them being open/idle. So, if you need to check the number of connections per host, you need to check it while the attack is happening.

Hope this helps.

Regards,

NT

lawsuites Wed, 07/21/2010 - 11:47

So far I haven't received any more emails from the ISP. I have configured scanning threat detection but didn't do it with shun, because then I have to put in each address that I want to allow. Again, thanks for all the help. Any more tips to help ensure this doesn't happen again in the future?
