Ask the Expert: Mitigating Network Attacks

Jun 1st, 2012

With Kureli Sankar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.

Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.

Remember to use the rating system to let Kureli know if you have received an adequate response. 

Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

mikull.kiznozki Sat, 06/02/2012 - 05:38

Apart from using the SSM, is there any other way I could prevent nmap scans on my ASA WAN interface?

Poonguzhali Sankar Sun, 06/03/2012 - 08:03

Hello Mikull,

If you are asking about the IPS module, the packet may not even reach the module, depending on the other checks it has to go through.

Unless you have other devices in the perimeter to detect these sorts of attacks, the ASA will simply drop these packets when they arrive.

-Kureli

Omar Santos Sun, 06/03/2012 - 20:04

Kureli did an excellent job summarizing this. I would like to add some notes/thoughts. There are several ways that you can protect against scanners on the Cisco ASA (this includes protection against nmap scans and others). Some types of active scans depend on logical network location and will not work through a firewall / IPS, depending on your configuration. First, you can protect against spoofed scans by using the Unicast Reverse Path Forwarding (uRPF) feature on the outside interface. Unicast RPF protects against IP spoofing by making sure that all packets have a source IP address that matches the correct source interface according to the routing table.

You can also configure Scanning Threat Detection on the Cisco ASA. The following link includes information on how to protect against scanning attacks using Threat Detection:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1072953

In some cases with network scanners, the first TCP packet may not even be a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this into consideration and acts on it by classifying hosts as attackers and automatically shunning them. In most cases, scanners create incomplete sessions and as such they are sometimes already blocked by TCP SYN attack protection and embryonic connection limits. Now, one thing to highlight is that vulnerability scanning traffic can stress network equipment and may flood links. In some cases, you should block this traffic upstream so that it never even enters your network link. There are several service providers that provide this protection to their customers by using the Clean Pipes solution. Clean Pipes allows service providers to offer pervasive DDoS mitigation services on a subscription basis or on demand. These services provide customers with DDoS protection within the provider cloud, preserving network bandwidth and ensuring the availability of applications and services. Arbor has some information on how the Cisco/Arbor Clean Pipes 2.0 solution works:

http://www.arbornetworks.com/clean-pipes-2-0-a-complete-ddos-defense-solution.html

Poonguzhali Sankar Mon, 06/04/2012 - 04:56

Thanks Omar.

Mikull,

Please keep this link handy. It has the details that Omar mentioned above. I thought I had included the link in my response, but I missed it.

How to identify and mitigate network attacks.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

As for what Omar is talking about, which is blocking the attack traffic from even entering your network, you have got to read this very, very, very interesting white paper on RTBH (Remotely Triggered Black Hole). It explains the setup that major ISPs already have in place. All you need to do is provide them with the source IP address or destination IP address and they will route that traffic to NULL, thus black-holing it.

http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

-Kureli

mikull.kiznozki Fri, 06/08/2012 - 19:25

Thanks heaps, both! I just need to fine-tune my threat detection configs on my ASA.

That whitepaper is a scorcher!!

Time to null0 all that unwanted Chinese and Taiwanese traffic! lol

john.ventura73 Fri, 06/08/2012 - 10:01

Hello Kureli,

I have a quick question for you. What is the easiest way to identify a DoS attack, and the best way to recover from and prevent these types of attacks on a wireless network?

thanks a lot,

- John

Poonguzhali Sankar Sun, 06/10/2012 - 09:02

Well, it depends on the attack. Most of them spike the CPU of the box and the unit will start dropping packets. You will notice heavy bandwidth utilization if this is an internet-facing device.

1. If you have NetFlow enabled it might be able to show you the spike in traffic and the sources that are responsible for this.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

2. Source track is another method:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ipst.html#wp1015331

3. Use a categorization ACL to see what kind of traffic is overwhelming the device and from where:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml

Follow RFC 2827:

1. Only allow traffic sourced from your network address space to leave the outside interface.

2. Do not allow packets sourced from your own network address space to arrive on the outside interface.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

You need to try to do everything possible so that the firewall will not see this attack traffic. Block it at the upstream L3 device, or reach out to the ISP and have them block the traffic at their end.

Read the links that we have included in the previous responses as well. All of them are worth bookmarking.

For wireless as well as wired networks, most companies and schools do some sort of content filtering to stop them from getting infected.

-Kureli
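The two RFC 2827 rules above, plus the strict uRPF check Omar mentioned earlier in the thread, modelled as a small Python filter. This is an added example written for this page, not code from the thread's participants or from Cisco: the address space 203.0.113.0/24, the routing table and the sample packets are all constructed, and on a real ASA these checks are enforced with interface ACLs and the uRPF feature rather than with a script. The point of the model is to make the permit/deny decision and its reason explicit for each case.

```python
"""RFC 2827 (BCP 38) source-address filtering plus strict uRPF, as a defender-side model.

Added example, not from the original thread or from Cisco.
Rule 1 (egress):  traffic leaving the outside interface must be sourced from our own space.
Rule 2 (ingress): traffic arriving on the outside interface must NOT be sourced from our
                  own space; such a packet is spoofed.
Strict uRPF:      the interface a packet arrives on must match the route back to its source.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample values: the organisation's public address space.
OUR_SPACE = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed routing table: prefix -> interface through which the prefix is reached.
ROUTING_TABLE: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("203.0.113.0/24"): "inside",
    ipaddress.ip_network("10.0.0.0/8"): "inside",
    ipaddress.ip_network("0.0.0.0/0"): "outside",   # default route
}


@dataclass
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is seen on: "inside" or "outside"
    direction: str   # "in" = arriving on iface, "out" = leaving through iface


def in_our_space(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_SPACE)


def route_interface(addr: str) -> Optional[str]:
    """Longest-prefix-match lookup: which interface would we use to reach addr?"""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTING_TABLE.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def bcp38_decision(pkt: Packet, strict_urpf: bool = True) -> Tuple[str, str]:
    """Return ("permit" | "deny", reason) for a single packet."""
    if pkt.iface == "outside" and pkt.direction == "out":
        # Rule 1: only our own addresses may leave towards the Internet.
        if not in_our_space(pkt.src):
            return ("deny", "egress: source not in our address space")
    if pkt.iface == "outside" and pkt.direction == "in":
        # Rule 2: nobody on the Internet legitimately sends from our addresses.
        if in_our_space(pkt.src):
            return ("deny", "ingress: spoofed source from our own address space")
    if strict_urpf and pkt.direction == "in":
        # Strict uRPF: the reverse path to the source must point at the arriving interface.
        expected = route_interface(pkt.src)
        if expected != pkt.iface:
            return ("deny", f"urpf: source routed via {expected}, arrived on {pkt.iface}")
    return ("permit", "ok")


def audit(packets: Iterable[Packet]) -> Counter:
    """Count decisions by reason, the way one would summarise an ACL hit-count review."""
    return Counter(bcp38_decision(p)[1] for p in packets)


if __name__ == "__main__":
    # Constructed packets covering each rule.
    samples = [
        Packet("203.0.113.7", "198.51.100.1", "outside", "out"),   # legitimate egress
        Packet("192.0.2.9", "198.51.100.1", "outside", "out"),     # spoofed egress
        Packet("203.0.113.7", "203.0.113.80", "outside", "in"),    # spoofed ingress
        Packet("198.51.100.5", "203.0.113.80", "outside", "in"),   # legitimate ingress
        Packet("192.0.2.9", "203.0.113.80", "inside", "in"),       # fails strict uRPF
        Packet("10.1.2.3", "203.0.113.80", "inside", "in"),        # legitimate internal
    ]
    for p in samples:
        print(f"{p.iface:>7} {p.direction:>3} {p.src:>14} -> {bcp38_decision(p)}")
    print(audit(samples))
```

Rule 2 is checked before uRPF so that the more specific reason is reported; with the default route pointing at the outside interface, strict uRPF alone would have let the spoofed ingress packet through, which is why the two RFC 2827 rules are still needed alongside it.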

pemasirid Sun, 06/10/2012 - 14:23

Hi Kureli,

How do we detect and stop network scan activity (using nmap or any other tools) automatically using Cisco IPS and firewalls (or any other security devices)?

Are there any default signatures that detect those types of scans, or do we need to configure some custom signatures to detect such activities?

thanks in advance.

Poonguzhali Sankar Tue, 06/12/2012 - 13:40

Pemasirid,

As Omar mentioned above, you could use TD (Threat Detection) on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1096812

On the IPS, as you can see here:

http://tools.cisco.com/security/center/search.x?currentPage=&itemsPerPage=15&toggle=2&search=Signature&keyWords=nmap&selectedCriteria=O&date1=&date2=&severity=1+-+5&urgency=1+-+5&sigDate1=&sigDate2=&alarmSeverity=All&release=

ID       Signature Name                       Release Date       Severity  Sig. Release
3002/0   TCP SYN Port Sweep                   March 07, 2012     Low       S630
5725/0   Novell NMAP Agent Buffer Overflow    February 09, 2012  High      S624
4062/0   Cisco CSS 11000 Malformed UDP DoS    August 26, 2011    Medium    S591
4001/0   UDP Port Sweep                       June 13, 2011      High      S573
4003/0   Nmap UDP Port Sweep                  August 06, 2009    High      S423
3003/0   TCP Frag SYN Port Sweep              March 26, 2009     High      S388
3046/0   NMAP OS Fingerprint                  May 01, 2001       Medium    S3

3002, 4001, 4003, 3003 and 3046 are the ones that you would want to enable.

-Kureli

pemasirid Wed, 06/13/2012 - 01:30

Hi Kureli,

Thanks a lot for your response to my post; this will really come in handy.

In fact, one of our clients told us that they did a network scan but failed to find that activity on their security devices.

Regards,

Pemasiri

JohnPete868 Wed, 06/13/2012 - 14:15

Hi, I was wondering if there are any syslog messages for DoS attacks?

Poonguzhali Sankar Thu, 06/14/2012 - 19:51

Every packet that the ASA sees will be logged. It depends on what level of logging is configured, what feature logging you expect, and what kind of attack it is.

Here is the syslog guide link:

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logsevp.html#wp1009233

Here is the Threat Detection feature link:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

Look for "syslog" in that above link.

If the packets are dropped due to an ASP drop, then you can see them when you issue "sh asp drop" after a "clear asp drop".

Here is command reference for that:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s2.html#wp1471978

-Kureli

siddhartham Wed, 06/13/2012 - 11:14

Hello Kureli,

I have a few questions about ASA threat detection and DoS attack prevention.

1. Can we use class-maps or route-maps on the ASA to dynamically learn an IP address that sends more than a certain number of HTTP requests/sec and block that IP for a certain time period?

2. We have basic threat detection enabled on our ASA and are getting a lot of SCAN threshold exceeded alerts. Is it possible to find out which hosts are exceeding the thresholds without shunning them? TAC said the only way to find out the hosts is to shun them; only then will they show up on the ASA.

<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1  exceeded. Current burst rate is 12 per second, max configured rate is  10; Current average rate is 15 per second, max configured rate is 5;  Cumulative total count is 9083

Poonguzhali Sankar Thu, 06/14/2012 - 20:03

Hello Siddhartham,

1. What you can do is, say for example you have a web server behind the ASA, configure an ACL/class-map and set connection per-client-max and per-client-embryonic-max for that particular class. What you are asking is possible with the IDS device. With the ASA you can limit how many connections each host can establish with a server that the ASA is protecting.

Refer to this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s1.html#wp1447178

2. Check this command out; it will show you the scanning hosts:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s7.html#wp1330552

The following is sample output from the show threat-detection scanning-threat command:

hostname# show threat-detection scanning-threat
Latest Target Host & Subnet List:
    192.168.1.0
    192.168.1.249
Latest Attacker Host & Subnet List:
    192.168.10.234
    192.168.10.0
    192.168.10.2
    192.168.10.3
    192.168.10.4
    192.168.10.5
    192.168.10.6
    192.168.10.7
    192.168.10.8
    192.168.10.9

-Kureli

emilio1973 Fri, 06/15/2012 - 01:13

Hi Kureli,

On my ASA, I can see this output:

ASA5520# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps) Trigger      Total events
  10-min  Scanning:                  1               3      90               964
  1-hour  Scanning:                  1               1      21              5303

but with this, I can't see anything:

ASA5520# sh threat-detection scanning-threat target
Latest Target Host & Subnet List:
ASA5520#

ASA5520# sh threat-detection scanning-threat attacker
Latest Attacker Host & Subnet List:

How can I see the addresses of the attackers?

Thanks

siddhartham Fri, 06/15/2012 - 06:31

It's the same thing in my case as well. I don't see anything with the sh threat-detection scanning-threat attacker command, but we are getting around 10 syslog messages every minute saying the thresholds are exceeded.

ASA/pri/act# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps) Trigger      Total events
  10-min  Scanning:                  3               3   22170              2323
  1-hour  Scanning:                  3               4    5362             12814

ASA/pri/act# sh threat-detection scanning-threat attacker
ASA/pri/act#

Poonguzhali Sankar Fri, 06/15/2012 - 10:43

The command is "show threat-detection scanning-threat"

not "show threat-detection rate scanning-threat"


You can also try the following:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

hostname# show threat-detection statistics host
                          Average(eps)    Current(eps) Trigger         Total events
Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0
  1-hour Sent byte:               2938               0       0             10580308
  8-hour Sent byte:                367               0       0             10580308
 24-hour Sent byte:                122               0       0             10580308

-Kureli

siddhartham Fri, 06/15/2012 - 10:49

Yes, I tried "show threat-detection scanning-threat" but it didn't produce any output:

ASA/pri/act# show threat-detection scanning-threat
ASA/pri/act#

Poonguzhali Sankar Fri, 06/15/2012 - 11:09

Siddhartham,

Today is the last day of this ATE event. I am not sure if I can get to the bottom of this. Would you mind opening a TAC case so we can take a look at it? Feel free to mention my name on the case.

Please copy and paste the "sh run threat" output from the ASA.

Maybe there aren't any scanning threats at the moment. If the rate exceeded syslog is seen, then you probably have to tweak the settings and increase

Issue "show run all threat-detection".
The number of triggers of different thresholds can be checked in "show threat-detection rate".

Syslog 733100 is related to scanning-rate; adjusting this parameter should be able to resolve too many messages showing up in the syslogs.

In this case, tuning the command "threat-detection rate scanning-rate 3600 average-rate 15" stopped too many of these messages being logged. In other cases one may have to increase the scanning-rate and average-rate to a higher value.

-Kureli
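To see what the tuning advice above is acting on, here is an added Python example (written for this page, not code from the thread's participants or from Cisco) that parses %ASA-4-733100 messages like the one siddhartham posted, reports which threshold each message tripped (burst, average, or both) against the configured maximums embedded in the message, and turns the result into a per-interval tuning hint. The first sample line is the message quoted earlier in the thread; the remaining lines are constructed, and the bracketed object name is read as free text rather than assumed from a fixed list.

```python
"""Parse ASA 733100 threat-detection rate-exceeded syslogs and say which threshold tripped.

Added example, not from the original thread or from Cisco. Message layout follows the
real line quoted in the thread; the rate index (rate-1, rate-2) is kept as the string
the ASA emits so it can be matched against the intervals in "show run all threat-detection".
"""
import re
from typing import Dict, Iterable, List, Optional

# Line 1 is the real message quoted in the thread; lines 2-4 are constructed samples.
SAMPLE_SYSLOG = [
    "<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1  exceeded. Current burst rate is 12 per second, max configured rate is  10; Current average rate is 15 per second, max configured rate is 5;  Cumulative total count is 9083",
    "<164>Jun 13 2012 13:10:05: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 9 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 9450",
    "<164>Jun 13 2012 13:11:05: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 11 per second, max configured rate is 8; Current average rate is 3 per second, max configured rate is 4; Cumulative total count is 12814",
    "<166>Jun 13 2012 13:11:06: %ASA-6-302013: Built inbound TCP connection 12345 (constructed, should be ignored)",
]

# Whitespace in the real message is irregular, so the line is collapsed to single spaces first.
MSG_733100 = re.compile(
    r"%ASA-4-733100: \[ ?(?P<object>.+?)\] drop (?P<rate>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


def tripped_thresholds(rec: dict) -> List[str]:
    """Which of the two configured limits the reported rates exceed."""
    out = []
    if rec["burst"] > rec["burst_max"]:
        out.append("burst")
    if rec["avg"] > rec["avg_max"]:
        out.append("average")
    return out


def parse_733100(line: str) -> Optional[dict]:
    """Return a dict of the message fields, or None if the line is not a 733100 message."""
    m = MSG_733100.search(" ".join(line.split()))
    if not m:
        return None
    d = m.groupdict()
    rec = {"object": d["object"], "rate": d["rate"]}
    for key in ("burst", "burst_max", "avg", "avg_max", "total"):
        rec[key] = int(d[key])
    rec["tripped"] = tripped_thresholds(rec)
    return rec


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate per object/rate-interval: message count, peak rates, configured limits."""
    summary: Dict[str, dict] = {}
    for line in lines:
        rec = parse_733100(line)
        if rec is None:
            continue
        key = f"{rec['object']}/{rec['rate']}"
        s = summary.setdefault(key, {
            "count": 0, "peak_burst": 0, "peak_avg": 0,
            "burst_max": rec["burst_max"], "avg_max": rec["avg_max"], "tripped": set(),
        })
        s["count"] += 1
        s["peak_burst"] = max(s["peak_burst"], rec["burst"])
        s["peak_avg"] = max(s["peak_avg"], rec["avg"])
        s["tripped"].update(rec["tripped"])
    return summary


def tuning_hints(summary: Dict[str, dict]) -> List[str]:
    """One hint per tripped threshold: raise it only if the load is known to be legitimate."""
    hints = []
    for key, s in sorted(summary.items()):
        for which in sorted(s["tripped"]):
            peak = s["peak_burst"] if which == "burst" else s["peak_avg"]
            limit = s["burst_max"] if which == "burst" else s["avg_max"]
            hints.append(
                f"{key}: {which}-rate peaked at {peak}/s against a configured {limit}/s "
                f"across {s['count']} message(s); if this is expected load, raise {which}-rate "
                f"for that interval to at least {peak}, otherwise identify the sources first"
            )
    return hints


if __name__ == "__main__":
    for hint in tuning_hints(summarize(SAMPLE_SYSLOG)):
        print(hint)
```

Run over a day of collected syslog, the summary shows whether the noise comes from the burst limit or the average limit of a given interval, which is exactly the choice between raising burst-rate or average-rate in the threat-detection rate command Kureli quotes.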

mohamednselim Mon, 06/18/2012 - 04:05

Dear Kureli Sankar,

I have a problem. I don't know whether it could be an attack or a real problem where I need to change something on the FWSM; I'm not sure.

All my user VLANs are on the core itself, but the server VLANs are on the FWSM. When two servers are in the same VLAN they work perfectly, but there is a delay, and sometimes packet drops, when a server in one VLAN tries to communicate with a server in another VLAN.

My access list is permit ip any any, so all the traffic should pass normally between them.

For example, when I'm on a server in VLAN 100 and remote desktop to another server in the same VLAN, it takes less than a second and I'm on the other server.

But when a server in VLAN 100 remote desktops to a server in VLAN 99, it may take up to 30 seconds or so to connect, and also when the two servers in different VLANs try to get data from each other, sometimes it takes time and sometimes it gives an error that it can't be reached and will try to connect again.

Pinging works fine, no problem.

The FWSM is routed, not transparent.

The servers are a Microsoft mail server and a domain controller.

If I make it transparent, will it solve this problem?

And if I issue the command firewall transparent, do I need downtime, or will everything keep working normally?

I'm not good with security, so please help, and if you need any more info let me know.

Thanks.

Poonguzhali Sankar Mon, 06/18/2012 - 13:31

Mohamed,

Not sure if transparent mode is going to resolve the issue. You still need the same route and permission, along with optional translation, for any flow to work.

We need to look at captures, both when the servers are working in the same VLAN and when there is delay with the firewall between them, and determine what might be causing the problem.

In the past, with windows file copy and drive mapping issues, we have run into the following:

The problem is that Windows will not allow multiple SMB connections on port 445. Subsequent connections will cause the existing connection to be reset.

This behavior is described by Microsoft Article KB301673.

http://support.microsoft.com/kb/301673

Two solutions:

1) Modify the registry on the server per KB301673 to use only port 139 and reboot the server.

2) Block port 445 by ACL on the firewall so that it will be forced to default back to 139.

Give this a shot and let me know if this resolves the issue. Otherwise please open a TAC case as we need to grab captures and analyze them.

-Kureli

mohamednselim Mon, 06/18/2012 - 14:13

Dear Kureli Sankar,

The fix is only available for Microsoft Server 2008; mine is 2010 and it didn't work with it.

I'm out of ideas. I even made the access list completely open (ip, tcp, udp any any) for all VLANs as a test for now so I can check whether anything drops or not, and all the interface security levels are the same and I have same-security-traffic permit intra- and inter-interface for the VLAN interfaces.

The core is fine; I just don't know what to do anymore. Do you think it could be a Microsoft problem rather than the Cisco side?

Here is my thread link; you can continue troubleshooting with me in that thread if this thread is closed.

https://supportforums.cisco.com/thread/2154093

Thanks and best regards,

Mohamed Selim.

philips_006 Thu, 12/13/2012 - 09:28

I have a small doubt about telnet; I'm not sure if this is the right forum to post this query.

I wanted to know if we can use telnet on a non-standard port, let's say 6189. I wanted to configure this on a Cisco router. May I know the commands to do this?

I have used PAT and port-map to do this.

Is there any other way to achieve this?

Please help. Thanks in advance.

rimifrank Tue, 04/23/2013 - 03:32

Dear Kureli,

I wish to integrate with Microsoft Windows 2008 AD. Apparently I am having trouble achieving this due to the error below:

ECSIntFw01# test aaa-server authentication AD1 username fraxxx password$ xxxx

Server IP Address or name: 10.3.1.10

INFO: Attempting Authentication test to IP address <10.3.1.10> (timeout: 12 seconds)

ERROR: Authentication Server not responding: AAA Server has been removed

My aim is to set up Identity Options that would help allow/restrict permissions based on users and/or groups that exist in the Active Directory domain.

Kindly assist.

Frank

This Discussion

Posted June 1, 2012 at 9:24 AM