cisco asa5510 port 80

lawsuites
Level 1

I got a complaint from my ISP that our system is being used for conducting scanning/hacking NT known exploits, port scanning and/or spidering of another network, and the IP they mentioned is our ASA 5510's IP.

This is what they told us to do: "Please investigate a TCP sweep of port 80 from the..." Please help, how can I fix this? Thanks.


Nagaraja Thanthry
Cisco Employee

Hello,

You have a couple of ways to control the threats. One is enabling threat detection on the firewall (if it is running 8.0 or later). Threat detection is pretty effective in catching and shunning hosts that generate scanning attacks. But, depending upon the threshold you have set, sometimes it is possible that some hosts escape through the system. Another way is to restrict access on the firewall, i.e. on the inside interface configure access lists such that only specific types of traffic go through the firewall. For example, you can allow the HTTP, HTTPS, and SMTP ports and block all other traffic on the inside. This will ensure that no device behind the firewall is allowed to launch an attack.

Hope this helps.

Regards,

NT

OK, thanks for the time and reply. I have enabled scanning threat detection on the firewall. Also, is there any way to check which computer was used for the attack on the network, and can we monitor port 80 so this doesn't happen in the future? Thanks.

Hello,

You can issue commands like "show threat-detection scanning-threat attacker" and see if any of your internal hosts get listed in the output.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1067305

Hope this helps.

Regards,

NT

Also, you can try the following:

show local-host | include host|count/limit

This will give you a fair idea as to who the attacker is. If you see too many connections from a server it makes sense, but if you see too many connections from a host/PC then you know something is fishy.

Thanks again for the help. The following is the info:

show threat-detection scanning-threat attacker didn't give me anything.

The following didn't give me any crazy count:

show local-host | include host|count/limit

# show local-host | include host|count/limit
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 1
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 1
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <10.10.x.x>,
    TCP embryonic count to host = 0
local host: <69.x.x.x>,
    TCP embryonic count to host = 0
local host: <38.x.x.x>,
    TCP embryonic count to host = 0
local host: <68.x.x.x>,
    TCP embryonic count to host = 0
local host: <98.x.x.x>,
    TCP embryonic count to host = 0
local host: <72.x.x.x>,
    TCP embryonic count to host = 0
local host: <207.x.x.x>,
    TCP embryonic count to host = 0
local host: <173.x.x.x>,
    TCP embryonic count to host = 0
local host: <208.x.x.x>,
    TCP embryonic count to host = 0
local host: <192.x.x.x>,
    TCP embryonic count to host = 0
local host: <72.x.x.x>,
    TCP embryonic count to host = 0
local host: <68.x.x.x>,
    TCP embryonic count to host = 0
local host: <205.x.x.x>,
    TCP embryonic count to host = 0
local host: <192.x.x.x>,
    TCP embryonic count to host = 0
local host: <207.x.x.x>,
    TCP embryonic count to host = 0
local host: <74.x.x.x>,
    TCP embryonic count to host = 0
local host: <208.x.x.x>,
    TCP embryonic count to host = 0
local host: <64.x.x.x>,
    TCP embryonic count to host = 0
local host: <166.x.x.x>,
    TCP embryonic count to host = 0
local host: <174.x.x.x>,
    TCP embryonic count to host = 0
local host: <64.x.x.x>,
    TCP embryonic count to host = 0
local host: <208.x.x.x>,
    TCP embryonic count to host = 0
local host: <38.x.x.x>,
    TCP embryonic count to host = 0

If you are seeing something that I don't, please let me know. Any other suggestions?
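The `show local-host | include host|count/limit` output above is easiest to read when it is ranked rather than scanned by eye. The following is an added Python example, not code from this thread or from Cisco: it parses that output format, pulls the TCP embryonic (half-open) count per host, and lists inside hosts at or above a threshold, since an outbound SYN sweep shows up as one internal address with many half-open connections. The sample text, the 10.10.0.x addresses, the count of 240, the inside prefix and the threshold of 20 are all constructed for the example; the `TCP flow count/limit` line is included as an assumption about what the unfiltered command prints and is optional to the parser.

```python
import re
import sys

# Constructed sample in the layout the original poster pasted above.
# 10.10.0.77 with an embryonic count of 240 is made up to show what a
# host sourcing a SYN sweep would look like while the sweep is running.
SAMPLE_OUTPUT = """\
local host: <10.10.0.5>,
    TCP embryonic count to host = 0
local host: <10.10.0.77>,
    TCP flow count/limit = 312/unlimited
    TCP embryonic count to host = 240
local host: <10.10.0.12>,
    TCP embryonic count to host = 1
local host: <69.0.0.1>,
    TCP embryonic count to host = 0
"""

HOST_RE = re.compile(r"^local host: <([^>]+)>,")
EMBRYONIC_RE = re.compile(r"TCP embryonic count to host = (\d+)")
# Assumed line from the fuller output; harmless if absent.
FLOW_RE = re.compile(r"TCP flow count/limit = (\d+)/(\S+)")


def parse_local_host(text):
    """Return {ip: {"embryonic": int, "flows": int}} from the filtered output.

    Lines matching none of the three patterns are ignored, so extra lines
    let through by the `include` filter do not break parsing.
    """
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = {"embryonic": 0, "flows": 0}
            continue
        if current is None:
            continue  # counter line before any host header; skip it
        m = EMBRYONIC_RE.search(line)
        if m:
            hosts[current]["embryonic"] = int(m.group(1))
            continue
        m = FLOW_RE.search(line)
        if m:
            hosts[current]["flows"] = int(m.group(1))
    return hosts


def suspicious_hosts(hosts, embryonic_threshold=20, inside_prefixes=("10.",)):
    """Inside hosts whose half-open count is >= threshold, highest first.

    The threshold and the inside prefix are assumptions for this example,
    not ASA defaults; tune them to the site (the thread's own counts were
    0 and 1, which is why nothing stood out there).
    """
    flagged = [
        (ip, v["embryonic"])
        for ip, v in hosts.items()
        if ip.startswith(inside_prefixes) and v["embryonic"] >= embryonic_threshold
    ]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # Pipe saved output in (`python3 rank_embryonic.py < local-host.txt`),
    # otherwise fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for ip, count in suspicious_hosts(parse_local_host(data)):
        print(f"{ip:<16} embryonic={count}")
```

Because the ASA drops idle half-open connections after its timers expire, the counters are only meaningful if the command output is captured while the sweep is in progress; the script is meant to be run over output saved at that moment, not over a later snapshot.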


I have 2 questions:

Have you configured scanning threat detection with shun?

Is your ISP still reporting scanning attacks?

Hello,

You will see those counters only during the attack period. A scanning attack refers to opening many half connections, i.e. just sending SYN without expecting SYN-ACK packets. So, depending upon the firewall's timer values, the half-closed connections can be closed by the firewall within 5 minutes of them being open/idle. So, if you need to check the number of connections per host, you need to check it when the attack is happening.

Hope this helps.

Regards,

NT

So far I haven't received any more emails from the ISP. I have configured scanning threat detection but didn't do it with shun, because then I would have to add each address that I want to allow. Again, thanks for all the help. Any more tips to help make sure this doesn't happen again in the future?
