07-20-2010 06:03 PM - edited 03-11-2019 11:14 AM
I got a complaint from my ISP that our system is being used for conducting scanning/hacking of known NT
exploits, port scanning and/or spidering of another network, and the IP they mentioned is our ASA 5510 IP.
This is what they told us to do: "Please investigate a TCP sweep of port 80 from the..". Please help, how can I fix this? Thanks.
07-20-2010 08:55 PM
Hello,
You have a couple of ways to control the threats. One is enabling threat detection on the firewall (if it is running 8.0 or later). Threat detection is pretty effective in catching and shunning hosts that generate scanning attacks. But, depending upon the threshold you have set, it is sometimes possible that some hosts escape through the system. Another way is to restrict access on the firewall, i.e. on the inside interface configure access-lists such that only specific types of traffic go through the firewall. For example, you can allow the HTTP, HTTPS, and SMTP ports, blocking all other traffic on the inside. This will ensure that no device behind the firewall is allowed to launch an attack.
Hope this helps.
Regards,
NT
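As an added example (not from the thread or from NT), here is an ASA configuration that applies both controls described above, scanning threat detection with shun and an egress access-list on the inside interface, plus syslog so a repeat can be attributed to a host; it also shows the shun exception list the original poster asks about later. The inside subnet 10.10.0.0/16, the server and syslog addresses, the object-group name and a software release of 8.0(4) or later are assumptions.

```cisco
! Added example, not from the thread. Constructed addresses: inside 10.10.0.0/16,
! mail server 10.10.0.25, syslog/monitoring host 10.10.0.5.
!
! 1) Scanning threat detection with automatic shun. Hosts that must never be shunned
!    go in one object-group instead of one "except" line per address.
object-group network SHUN_EXEMPT
 network-object host 10.10.0.25
 network-object host 10.10.0.5
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection scanning-threat shun except object-group SHUN_EXEMPT
threat-detection scanning-threat shun duration 3600
! Trigger sooner than the 8.0 defaults (average 5 / burst 10 events per second
! over a 600 second window); lower values catch a slow port sweep earlier.
threat-detection rate scanning-threat rate-interval 600 average-rate 3 burst-rate 6
!
! 2) Egress filter on the inside interface: only the ports the business needs may leave.
!    The final deny logs every blocked flow, which names the internal host that tried it.
access-list INSIDE_OUT extended permit tcp 10.10.0.0 255.255.0.0 any eq www
access-list INSIDE_OUT extended permit tcp 10.10.0.0 255.255.0.0 any eq https
access-list INSIDE_OUT extended permit tcp host 10.10.0.25 any eq smtp
access-list INSIDE_OUT extended permit udp 10.10.0.0 255.255.0.0 any eq domain
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
!
! 3) Keep the evidence off-box: the embryonic counters in "show local-host" only
!    exist while an attack is in progress, but shun and ACL-deny syslogs persist.
logging enable
logging timestamp
logging trap informational
logging host inside 10.10.0.5
```

After this is in place, "show threat-detection scanning-threat attacker" and "show shun" list any inside host that tripped the detector, and the ACL-deny syslogs show which host attempted traffic on ports other than those permitted.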
07-20-2010 10:03 PM
OK, thanks for the time and reply. So I have enabled scanning threat detection on the firewall. Also, is there any way to check which computer was used for the attack on the network, and/or can we monitor port 80 so this doesn't happen in the future? Thanks.
07-20-2010 10:09 PM
Hello,
You can issue commands like "show threat-detection scanning-threat attacker"
and see if any of your internal hosts get listed in the output.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1067305
Hope this helps.
Regards,
NT
07-20-2010 10:24 PM
Also, you can try the following:
show local-host | include host|count/limit
This will give you a fair idea as to who the attacker is. If you see too many conn from a server it makes sense, but if you see too many conn from a host/PC then you know something is fishy.
07-21-2010 04:22 AM
Thanks again for the help. Following is the info:
show threat-detection scanning-threat attacker... didn't give me anything.
The following didn't give me any crazy count:
# show local-host | include host|count/limit
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 1
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 1
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <10.10.x.x>,
TCP embryonic count to host = 0
local host: <69.x.x.x>,
TCP embryonic count to host = 0
local host: <38.x.x.x>,
TCP embryonic count to host = 0
local host: <68.x.x.x>,
TCP embryonic count to host = 0
local host: <98.x.x.x>,
TCP embryonic count to host = 0
local host: <72.x.x.x>,
TCP embryonic count to host = 0
local host: <207.x.x.x>,
TCP embryonic count to host = 0
local host: <173.x.x.x>,
TCP embryonic count to host = 0
local host: <208.x.x.x>,
TCP embryonic count to host = 0
local host: <192.x.x.x>,
TCP embryonic count to host = 0
local host: <72.x.x.x>,
TCP embryonic count to host = 0
local host: <68.x.x.x>,
TCP embryonic count to host = 0
local host: <205.x.x.x>,
TCP embryonic count to host = 0
local host: <192.x.x.x>,
TCP embryonic count to host = 0
local host: <207.x.x.x>,
TCP embryonic count to host = 0
local host: <74.x.x.x>,
TCP embryonic count to host = 0
local host: <208.x.x.x>,
TCP embryonic count to host = 0
local host: <64.x.x.x>,
TCP embryonic count to host = 0
local host: <166.x.x.x>,
TCP embryonic count to host = 0
local host: <174.x.x.x>,
TCP embryonic count to host = 0
local host: <64.x.x.x>,
TCP embryonic count to host = 0
local host: <208.x.x.x>,
TCP embryonic count to host = 0
local host: <38.x.x.x>,
TCP embryonic count to host = 0
If you are seeing something that I don't, please let me know. Any other suggestions?
07-21-2010 05:40 AM
I have 2 questions:
Have you configured scanning threat detection with shun?
Is your ISP still reporting scanning attacks?
07-21-2010 06:27 AM
Hello,
You will see those counters only during the attack period. A scanning attack refers to opening many half connections, i.e. just sending SYN and not expecting SYN-ACK packets. So, depending upon the firewall's timer values, the half-closed connections can be closed by the firewall within 5 minutes of them being open/idle. So, if you need to check the number of connections per host, you need to check it while the attack is happening.
Hope this helps.
Regards,
NT
07-21-2010 11:47 AM
So far I didn't receive any more emails from the ISP. I have configured scanning threat detection but didn't do it with shun, because then I have to put in each address that I want to allow. Again, thanks for all the help. Any more tips to help make sure this doesn't happen again in the future?