Protected servers under syn attack!!

Answered Question
Feb 5th, 2011

The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.

In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PCs. This server 82.214.154.223 does not belong to us; a whois query tells me that the IP originates from Poland with no hostname address.

I should have been seeing attacks only for servers belonging to my network, right? Like an attack from an outside public IP towards my server's public IP. Or is it that this feature provides two-way statistics, where it also displays attacks originating from my LAN towards the outside world? From what I see, I feel it displays two-way attacks. Correct me if I am wrong.

Regards

Correct Answer
Jennifer Halim Sun, 02/06/2011 - 02:33

Yes, it is protecting both directions of the traffic passing through the ASA, inbound and outbound by default.

It looks like your internal host is attacking the 82.214.154.223 host, or it might be some software that is trying to reach 82.214.154.223; however, this host is not responding. It might be peer-to-peer file sharing or another similar sort of application.

There are different types and features of threat detection, and here is more information for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

Hope that helps.

aamircisco Mon, 06/03/2013 - 04:58

Hi,

Below is the output of the # sh threat-detection rate command. Can anyone explain to me the vulnerabilities and risks by looking at the figures below? Thanks.

                          Average(eps)    Current(eps) Trigger      Total events
  10-min ACL  drop:                  1               0       0               672
  1-hour ACL  drop:                  1               0       0              4654
  10-min SYN attck:                  0               0       0               386
  1-hour SYN attck:                  0               0       0              3428
  10-min  Scanning:                  2               1   55503              1248
  1-hour  Scanning:                  2               2   18455              9177
  10-min Bad  pkts:                  0               0       0               184
  1-hour Bad  pkts:                  0               0       0              1089
  10-min  Firewall:                  1               0       0               862
  1-hour  Firewall:                  1               1       0              5749
  10-min DoS attck:                  0               0       0                 6
  1-hour DoS attck:                  0               0       0                 6
  10-min Interface:                  1               0       0              1034
  1-hour Interface:                  1               1       0              6616

regards,

AAMIR

This Discussion

Posted February 5, 2011 at 11:43 PM