Ask the Expert: Mitigating Network Attacks

ciscomoderator
Community Manager

With Kureli Sankar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.

Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.

Remember to use the rating system to let Kureli know if you have received an adequate response. 

Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

25 Replies

mikull.kiznozki
Level 1

Apart from using the SSM, is there any other way I could prevent nmaps on my ASA WAN interface?

Hello Mikull,

If you are asking about the IPS module, the packet may not even reach the module, depending on the other checks it has to go through.

Unless you have other devices in the perimeter to detect these sorts of attacks, the ASA will simply drop these packets when they arrive.

-Kureli

Kureli did an excellent job summarizing this. I would like to add some notes/thoughts. There are several ways that you can protect against scanners on the Cisco ASA (this includes protection against nmap scans and others). Some types of active scans depend on logical network location and will not work through a firewall / IPS, depending on your configuration. First, you can protect against spoofed scans by using the Unicast Reverse Path Forwarding (uRPF) feature on the outside interface. Unicast RPF protects against IP spoofing by making sure that all packets have a source IP address that matches the correct source interface according to the routing table.

You can also configure Scanning Threat Detection on the Cisco ASA. The following link includes information on how to protect against scanning attacks using Threat Detection:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1072953

In some cases with network scanners, the first TCP packet may not even be a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this into consideration and acts on it by classifying hosts as attackers and automatically shunning them. In most cases, scanners create incomplete sessions and as such they are sometimes already blocked by TCP SYN attack protection and embryonic connection limits. Now, one thing to highlight is that vulnerability scanning traffic can stress network equipment and may flood links. In some cases, you should block this traffic upstream to keep it from even entering your network link. There are several service providers that provide this protection to their customers by using the Clean Pipes solution. Clean Pipes allows service providers to offer pervasive DDoS mitigation services on a subscription basis or on demand. These services provide customers with DDoS protection within the provider cloud, preserving network bandwidth and ensuring the availability of applications and services. Arbor has some information on how the Cisco/Arbor Clean Pipes 2.0 solution works:

http://www.arbornetworks.com/clean-pipes-2-0-a-complete-ddos-defense-solution.html

Thanks Omar.

Mikull,

Please keep this link handy. It has the details that Omar mentioned above. I thought I included the link in my response but missed it.

How to identify and mitigate network attacks.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

As far as what Omar is talking about, which is to block the attack traffic from even entering your network, you have got to read this very, very interesting white paper on RTBH (Remotely Triggered Black Hole). It explains the setup that major ISPs already have in place. All you need to do is provide them with the source IP address or destination IP address and they will route that traffic to Null, thus black-holing it.

http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

-Kureli

Thanks heaps both! I just need to fine-tune my threat detection configs on my ASA.

That whitepaper is a scorcher!!

Time to Null0 all that unwanted Chinese and Taiwanese traffic! lol

John Ventura
Level 1

Hello Kureli,

I have a quick question for you. What is the easiest way to identify a DoS attack and the best way to restore and prevent these type of attacks on a wireless network?

thanks a lot,

- John

Well, it depends on the attack. Most of them spike the CPU of the box and the unit will start dropping packets. You will notice heavy bandwidth utilization if this is an internet-facing device.

1. If you have NetFlow enabled it might be able to show you the spike in traffic and the sources that are responsible for this.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

2. Source track is another method:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ipst.html#wp1015331

3. Use a categorization ACL to see what kind of traffic is overwhelming the device and from where:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml

Follow RFC 2827:

1. Only allow traffic sourced from your network address space to leave the outside interface.

2. Do not allow packets sourced from your network address space to enter from the outside.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

You need to try to do everything possible so that the firewall will not see this attack traffic. Block it at the upstream Layer 3 device or reach out to the ISP and have them block the traffic at their end.

Read the links that we have included in the previous responses as well. All of them are worth bookmarking.

For wireless as well as wired networks, most companies and schools do some sort of content filtering to stop them from getting infected.

-Kureli
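Two of the controls mentioned in this sub-thread, strict unicast RPF from Omar's post and the two RFC 2827 rules from Kureli's list, are easy to misread as the same check. The following script is an added example (not code from the thread or from Cisco) that models both against a constructed routing table and shows a case each one catches that the other does not. The interface names, prefixes and the simplified default-route handling are assumptions for the demo.

```python
# Added example, not from the thread: strict unicast RPF and the two
# RFC 2827 perimeter rules checked against a constructed routing table.
# Interface names, prefixes and default-route handling are assumptions.
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, egress interface). The default route
# points at the ISP through "outside"; 203.0.113.0/24 is our own address space.
ROUTES = [
    (ip_network("0.0.0.0/0"), "outside"),
    (ip_network("203.0.113.0/24"), "inside"),
    (ip_network("203.0.113.128/25"), "dmz"),
]
OUR_SPACE = [ip_network("203.0.113.0/24")]


def lookup(addr):
    """Longest-prefix match: the interface the box would use to reach addr."""
    best = None
    for net, iface in ROUTES:
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_strict_ok(src, ingress_iface):
    """Strict uRPF: pass only if the route back to the source leaves through
    the interface the packet arrived on (default-route handling simplified)."""
    return lookup(src) == ingress_iface


def rfc2827_verdict(src, direction):
    """RFC 2827 at the perimeter:
    'in'  - traffic from the outside must not carry one of our source addresses;
    'out' - traffic leaving must be sourced from our address space."""
    is_ours = any(ip_address(src) in net for net in OUR_SPACE)
    if direction == "in":
        return "deny" if is_ours else "permit"
    if direction == "out":
        return "permit" if is_ours else "deny"
    raise ValueError("direction must be 'in' or 'out'")


def audit(packets):
    """packets: (src, ingress_iface, direction). Returns the packets an
    RFC 2827 + strict uRPF perimeter would drop, with the rule that fired."""
    dropped = []
    for src, iface, direction in packets:
        if rfc2827_verdict(src, direction) == "deny":
            dropped.append((src, "RFC2827"))
        elif not urpf_strict_ok(src, iface):
            dropped.append((src, "uRPF"))
    return dropped


# Constructed sample traffic: (src, interface it arrived on, direction at the perimeter)
SAMPLE = [
    ("198.51.100.7", "outside", "in"),    # ordinary inbound packet from the internet
    ("203.0.113.5", "outside", "in"),     # inbound packet spoofing our own space
    ("203.0.113.200", "dmz", "out"),      # DMZ host talking out: legitimate
    ("192.0.2.9", "inside", "out"),       # inside host spoofing someone else's source
    ("203.0.113.200", "inside", "out"),   # DMZ address arriving on the wrong interface
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print("drop", entry)
```

The last sample packet is the one worth noticing: its source is inside our address space, so the coarse RFC 2827 rule permits it, but the routing table says that address lives behind the DMZ interface, so strict uRPF rejects it on the inside interface.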

Hi Kureli,

How do we detect and stop any network scan activities (using nmap or any other tools) automatically using Cisco IPS and firewalls (or any other security devices)?

Are there any default signatures that detect those types of scans, or do we need to configure some custom signatures to detect such activities?

thanks in advance.

Pemasirid,

Like Omar mentioned above you could use TD (Threat Detection) on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1096812

On the IPS, as you can see here:

http://tools.cisco.com/security/center/search.x?currentPage=&itemsPerPage=15&toggle=2&search=Signature&keyWords=nmap&selectedCriteria=O&date1=&date2=&severity=1+-+5&urgency=1+-+5&sigDate1=&sigDate2=&alarmSeverity=All&release=

ID       Signature name                          Released            Severity  Release
3002/0   TCP SYN Port Sweep                      March 07, 2012      Low       S630
5725/0   Novell NMAP Agent Buffer Overflow       February 09, 2012   High      S624
4062/0   Cisco CSS 11000 Malformed UDP DoS       August 26, 2011     Medium    S591
4001/0   UDP Port Sweep                          June 13, 2011       High      S573
4003/0   Nmap UDP Port Sweep                     August 06, 2009     High      S423
3003/0   TCP Frag SYN Port Sweep                 March 26, 2009      High      S388
3046/0   NMAP OS Fingerprint                     May 01, 2001        Medium    S3

3002, 4001, 4003, 3003 and 3046 are the ones that you would want to enable.

-Kureli

Hi Kureli,

Thanks a lot for your response on my post; this will really come in handy.

In fact, we were asked by one of our clients about this: they did a network scan but failed to find that activity on their security devices.

Regards,

Pemasiri

Hi, I was wondering if there were any syslog messages for DoS attacks?

Every packet that the ASA sees can be logged. It depends on what level of logging is configured, what feature logging you expect, and what kind of attack it is.

Here is the syslog guide link:

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logsevp.html#wp1009233

Here is the Threat Detection feature link:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

Look for "syslog" in that above link.

If the packets are dropped due to an ASP drop, then you can see them when you issue "sh asp drop" after a "clear asp drop".

Here is the command reference for that:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s2.html#wp1471978

-Kureli
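The threat-detection rate alerts the ASA logs as %ASA-4-733100 are the syslog messages most people hit first when looking for evidence of a flood or scan. The parser below is an added example (not from the thread or from Cisco) that extracts the numbers from such messages and reports, per drop category, how far the burst and average rates overshot the configured limits; the log lines are constructed, modelled on the message format quoted later in this thread.

```python
# Added example, not from the thread: parse ASA threat-detection rate alerts
# (%ASA-4-733100) and report which drop categories breached their configured
# rates and by how much. Sample lines are constructed, modelled on the
# message format quoted in this thread.
import re

# Whitespace is matched loosely: messages copied out of log viewers often
# carry doubled spaces, as the one posted in this thread does.
ALERT_RE = re.compile(
    r"%ASA-4-733100:\s*\[\s*(?P<category>[^\]]+?)\s*\]\s*drop rate-(?P<rate_id>\d+)\s+exceeded\."
    r"\s*Current burst rate is\s+(?P<burst>\d+)\s+per second,\s*max configured rate is\s+(?P<burst_max>\d+);"
    r"\s*Current average rate is\s+(?P<avg>\d+)\s+per second,\s*max configured rate is\s+(?P<avg_max>\d+);"
    r"\s*Cumulative total count is\s+(?P<total>\d+)"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a 733100 message."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {
        "category": f["category"],
        "rate_id": int(f["rate_id"]),
        "burst": int(f["burst"]),
        "burst_max": int(f["burst_max"]),
        "avg": int(f["avg"]),
        "avg_max": int(f["avg_max"]),
        "total": int(f["total"]),
    }


def summarize(lines):
    """Per drop category: number of alerts, largest burst and average overshoot
    above the configured rate, and the latest cumulative count. The message
    format shown here carries rates only, not the offending host."""
    summary = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        s = summary.setdefault(alert["category"],
                               {"alerts": 0, "burst_over": 0, "avg_over": 0, "total": 0})
        s["alerts"] += 1
        s["burst_over"] = max(s["burst_over"], alert["burst"] - alert["burst_max"])
        s["avg_over"] = max(s["avg_over"], alert["avg"] - alert["avg_max"])
        s["total"] = max(s["total"], alert["total"])
    return summary


# Constructed sample log lines (the first mirrors the numbers posted in this thread).
SAMPLE_LOG = [
    "<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1  exceeded. "
    "Current burst rate is 12 per second, max configured rate is  10; "
    "Current average rate is 15 per second, max configured rate is 5;  "
    "Cumulative total count is 9083",
    "<164>Jun 13 2012 13:09:35: %ASA-4-733100: [ Scanning] drop rate-2 exceeded. "
    "Current burst rate is 20 per second, max configured rate is 8; "
    "Current average rate is 16 per second, max configured rate is 4; "
    "Cumulative total count is 9300",
    "<164>Jun 13 2012 13:10:00: %ASA-4-733100: [ SYN attack] drop rate-1 exceeded. "
    "Current burst rate is 30 per second, max configured rate is 25; "
    "Current average rate is 5 per second, max configured rate is 5; "
    "Cumulative total count is 120",
    "<166>Jun 13 2012 13:10:01: constructed unrelated syslog line, skipped by the parser",
]

if __name__ == "__main__":
    for category, stats in summarize(SAMPLE_LOG).items():
        print(category, stats)
```

Feed the real syslog stream through `summarize` and the categories with a large, growing cumulative count are the ones to chase with the commands Kureli lists above; the rate alert itself tells you that a threshold was crossed, not who crossed it.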

siddhartham
Level 4

Hello Kureli,

I have a few questions about ASA threat detection and DoS attack prevention.

1. Can we use class-maps or route-maps on the ASA to dynamically learn an IP address that sends more than a certain number of HTTP requests/sec and block that IP for a certain time period?

2. We have basic threat detection enabled on our ASA and are getting a lot of SCAN threshold exceeded alerts. Is it possible to find out which hosts are exceeding the thresholds without shunning them? TAC said the only way to find out the hosts is to shun them; only then will they show up in the ASA.

<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1  exceeded. Current burst rate is 12 per second, max configured rate is  10; Current average rate is 15 per second, max configured rate is 5;  Cumulative total count is 9083

Siddhartha

Hello Siddhartham,

1. What you can do is, say for example you have a web server behind the ASA, configure an ACL/class-map and set connection per-client-max and per-client-embryonic-max for that particular class. What you are asking is possible with the IDS device. With the ASA you can limit how many connections each host can establish with a server that the ASA is protecting.

Refer to this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s1.html#wp1447178

2. Check this command out; it will show you the scanning hosts:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s7.html#wp1330552

The following is sample output from the show threat-detection scanning-threat command:

hostname# show threat-detection scanning-threat
Latest Target Host & Subnet List:
    192.168.1.0
    192.168.1.249
Latest Attacker Host & Subnet List:
    192.168.10.234
    192.168.10.0
    192.168.10.2
    192.168.10.3
    192.168.10.4
    192.168.10.5
    192.168.10.6
    192.168.10.7
    192.168.10.8
    192.168.10.9

-Kureli
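To make concrete what the two per-client limits from answer 1 actually count, here is an added example (not from the thread or from Cisco) that models a per-client connection limiter driven by a constructed sequence of TCP events toward one protected server. It is a simplified model of the semantics, assumed for illustration: per-client-max caps a client's total concurrent connections, per-client-embryonic-max caps the ones whose handshake has not completed, and a new SYN is refused once either cap is reached.

```python
# Added example, not from the thread: a simplified model of what the ASA's
# "set connection per-client-max" and "per-client-embryonic-max" limits count,
# driven by a constructed sequence of TCP events aimed at one protected server.
# The exact ASA semantics are assumed here for illustration.
from collections import defaultdict


class PerClientLimiter:
    """Tracks half-open (embryonic) and established connections per client
    and refuses new attempts once either per-client limit is reached."""

    def __init__(self, per_client_max, per_client_embryonic_max):
        self.per_client_max = per_client_max
        self.per_client_embryonic_max = per_client_embryonic_max
        self.embryonic = defaultdict(set)    # client -> conns with SYN seen, handshake not done
        self.established = defaultdict(set)  # client -> conns with a completed handshake
        self.denied = []                     # (client, conn_id) attempts that were refused

    def syn(self, client, conn_id):
        """A new SYN from client; allowed only while the client is below both limits."""
        total = len(self.embryonic[client]) + len(self.established[client])
        if (total >= self.per_client_max
                or len(self.embryonic[client]) >= self.per_client_embryonic_max):
            self.denied.append((client, conn_id))
            return False
        self.embryonic[client].add(conn_id)
        return True

    def handshake_done(self, client, conn_id):
        """Three-way handshake completed: the connection is no longer embryonic."""
        if conn_id in self.embryonic[client]:
            self.embryonic[client].remove(conn_id)
            self.established[client].add(conn_id)

    def close(self, client, conn_id):
        """Connection torn down: it no longer counts against either limit."""
        self.embryonic[client].discard(conn_id)
        self.established[client].discard(conn_id)


def replay(events, per_client_max=5, per_client_embryonic_max=2):
    """events: (kind, client, conn_id) with kind one of syn / ack / fin."""
    lim = PerClientLimiter(per_client_max, per_client_embryonic_max)
    for kind, client, conn_id in events:
        if kind == "syn":
            lim.syn(client, conn_id)
        elif kind == "ack":
            lim.handshake_done(client, conn_id)
        elif kind == "fin":
            lim.close(client, conn_id)
    return lim


# Constructed traffic toward one web server behind the firewall.
EVENTS = (
    # 10.0.0.5: two normal connections, both complete the handshake
    [("syn", "10.0.0.5", "a1"), ("ack", "10.0.0.5", "a1"),
     ("syn", "10.0.0.5", "a2"), ("ack", "10.0.0.5", "a2")]
    # 198.51.100.9: four SYNs, never completes a handshake
    + [("syn", "198.51.100.9", f"s{i}") for i in range(1, 5)]
    # 10.0.0.7: six fully completed connections, all held open
    + [ev for i in range(1, 7)
       for ev in (("syn", "10.0.0.7", f"b{i}"), ("ack", "10.0.0.7", f"b{i}"))]
)

if __name__ == "__main__":
    result = replay(EVENTS)
    for client, conn in result.denied:
        print("denied", client, conn)
```

With the defaults of 5 total and 2 embryonic per client, the half-open client is cut off at its third SYN by the embryonic cap, while the client that completes every handshake is only stopped by the total cap at its sixth connection; that difference is why the two limits are set separately.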
