06-01-2012 09:24 AM - edited 03-11-2019 04:14 PM
With Kureli Sankar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.
Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.
Remember to use the rating system to let Kureli know if you have received an adequate response.
Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
06-02-2012 05:38 AM
apart from using the SSM, is there any other way I could prevent nmaps on my asa wan interface??
06-03-2012 08:03 AM
Hello Mikull,
If you are asking about the IPS module, the packet may not even reach the module, depending on the other checks it has to go through.
Unless you have other devices in the perimeter to detect these sort of attacks, the ASA will simply drop these packets when they arrive.
-Kureli
06-03-2012 08:04 PM
Kureli did an excellent job summarizing this. I would like to add some notes/thoughts. There are several ways that you can protect against scanners on the Cisco ASA (this includes protection against nmap scans and others). Some types of active scans depend on logical network location and will not work through a firewall / IPS depending on your configuration. First you can protect against spoofed scans by using the Unicast Reverse Path Forwarding (uRPF) feature on the outside interface. Unicast RPF protects against IP spoofing by making sure that all packets have a source IP address that matches the correct source interface according to the routing table.
You can also configure the Scanning Threat Detection on the Cisco ASA. The following link includes information on how to protect against scanning attacks using Threat Detection:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1072953
In some cases with network scanners, the first TCP packet may not even be a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this into consideration and acts on it by classifying hosts as attackers and automatically shunning them. In most cases, scanners create incomplete sessions and as such they sometimes are already blocked by TCP SYN attack protection and embryonic connection limits. Now, one thing to highlight is that vulnerability scanning traffic can stress network equipment and may flood links. In some cases, you should block this traffic upstream to avoid it even entering your network link. There are several service providers that provide this protection to their customers by using the Clean Pipes solution. Clean Pipes allows service providers to offer pervasive DDoS mitigation services on a subscription basis or on-demand. These services provide customers with DDoS protection within the provider cloud, preserving network bandwidth and ensuring the availability of applications and services. Arbor has some information on how the Cisco/Arbor Clean Pipes 2.0 solution works:
http://www.arbornetworks.com/clean-pipes-2-0-a-complete-ddos-defense-solution.html
06-04-2012 04:56 AM
Thanks Omar.
Mikull,
Please keep this link handy. It has the details that Omar mentioned above. I thought I included the link in my response but missed it.
How to identify and mitigate network attacks.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml
As far as what Omar is talking about, which is to block the attack traffic from even entering your network, you have got to read this very, very interesting white paper on RTBH (Remotely Triggered Black Hole). It explains the setup that major ISPs already have in place. All you need to do is to provide them with the source IP address or destination IP address and they will route that traffic to Null, thus black-holing it.
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
-Kureli
06-08-2012 07:25 PM
Thanks heaps both! I just need to fine tune my threat detection configs on my asa.
That whitepaper is a scorcher!!
time to null0 all that unwanted Chinese and Taiwanese traffic! lol
06-08-2012 10:01 AM
Hello Kureli,
I have a quick question for you. What is the easiest way to identify a DoS attack and the best way to restore and prevent these types of attacks on a wireless network?
thanks a lot,
- John
06-10-2012 09:02 AM
Well, it depends on the attack. Most of them spike the CPU of the box and the unit will start dropping packets. You will notice heavy bandwidth utilization if this is an internet-facing device.
1. If you have NetFlow enabled it might be able to show you the spike in traffic and the sources that are responsible for this.
2. Source track is another method:
http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ipst.html#wp1015331
3. Use a categorization ACL to see what kind of traffic is overwhelming the device and from where:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml
Follow RFC 2827:
1. Only allow traffic sourced from your network address space to leave the outside interface.
2. Do not allow your network address space from sourcing a packet from the outside.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
You need to try to do everything possible so that the firewall will not see this attack traffic. Block it at the upstream L3 device or reach out to the ISP and have them block the traffic at their end.
Read the links that we have included in the previous responses as well. All of them are worth book marking.
For wireless as well as wired networks, most companies and schools do some sort of content filtering to stop them from getting infected.
-Kureli
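The two RFC 2827 steps above and the uRPF check Omar mentioned earlier, written out as an added ASA configuration example (not from this thread or Cisco's documentation). It assumes the inside hosts are numbered directly from 203.0.113.0/24 with no NAT; the address space, the permitted web server and the interface names are constructed placeholders.

```cisco
! Constructed example: 203.0.113.0/24 stands in for your own public space.
! Interface names inside/outside are assumed. With NAT in place, match the
! pre-NAT inside range in the egress ACL instead of the public block.

! uRPF: drop packets arriving on an interface whose source address would be
! routed back out a different interface (catches most spoofed-source traffic).
ip verify reverse-path interface outside
ip verify reverse-path interface inside

! Ingress (RFC 2827 step 2): nothing arriving from the Internet may claim a
! source inside your own space, or a private / loopback source.
access-list OUTSIDE-IN extended deny ip 203.0.113.0 255.255.255.0 any log
access-list OUTSIDE-IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE-IN extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE-IN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE-IN extended deny ip 127.0.0.0 255.0.0.0 any log
! ... followed by the explicit permits your published services need, e.g.:
access-list OUTSIDE-IN extended permit tcp any host 203.0.113.10 eq www
access-group OUTSIDE-IN in interface outside

! Egress (RFC 2827 step 1): only your own address space may leave. The final
! deny makes the implicit drop visible in the logs.
access-list INSIDE-IN extended permit ip 203.0.113.0 255.255.255.0 any
access-list INSIDE-IN extended deny ip any any log
access-group INSIDE-IN in interface inside

! Verification: uRPF drops are counted under rpf-violated in the ASP drop
! statistics, ACL denies are visible per line with show access-list.
! clear asp drop
! show asp drop
! show access-list OUTSIDE-IN
! show access-list INSIDE-IN
```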
06-10-2012 02:23 PM
Hi Kureli,
How do we detect and stop any network scan activities (using nmap or any other tools) automatically using Cisco IPS and firewalls (or any other security devices)?
Are there any default signatures that detect those types of scans, or do we need to configure some custom signatures to detect such activities?
thanks in advance.
06-12-2012 01:40 PM
Pemasirid,
Like Omar mentioned above you could use TD (Threat Detection) on the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1096812
On the IPS, as you can see here:
Sig ID | Name | Released | Severity | Sig update |
3002/0 | TCP SYN Port Sweep | March 07, 2012 | Low | S630 |
5725/0 | Novell NMAP Agent Buffer Overflow | February 09, 2012 | High | S624 |
4062/0 | Cisco CSS 11000 Malformed UDP DoS | August 26, 2011 | Medium | S591 |
4001/0 | UDP Port Sweep | June 13, 2011 | High | S573 |
4003/0 | Nmap UDP Port Sweep | August 06, 2009 | High | S423 |
3003/0 | TCP Frag SYN Port Sweep | March 26, 2009 | High | S388 |
3046/0 | NMAP OS Fingerprint | May 01, 2001 | Medium | S3 |
3002, 4001, 4003, 3003 and 3046 are the ones that you would want to enable.
-Kureli
06-13-2012 01:30 AM
Hi Kureli,
Thanks a lot for your response on my post; this will really come in handy.
In fact we were asked by one of our clients that they did network scan but they failed to find that activity on their security devices.
Regards,
Pemasiri
06-13-2012 02:15 PM
Hi, I was wondering if there are any syslog messages for DoS attacks?
06-14-2012 07:51 PM
Every packet that the ASA sees will be logged. It depends on what level of logging is configured and what feature logging you expect and what kind of attack it is.
Here is the syslog guide link:
http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logsevp.html#wp1009233
Here is the Threat Detection feature link:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html
Look for "syslog" in that above link.
If the packets are dropped due to an ASP drop, then you can see them when you issue "sh asp drop" after a "clear asp drop".
Here is command reference for that:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s2.html#wp1471978
-Kureli
06-13-2012 11:14 AM
Hello Kureli,
I have few questions about ASA threat detection and DOS attack prevention.
1. Can we use class-maps or route-maps on the ASA to dynamically learn an IP address that sends more than a certain number of HTTP requests/sec and block that IP for a certain time period?
2. We have basic threat detection enabled on our ASA and are getting a lot of SCAN threshold exceeded alerts. Is it possible to find out which hosts are exceeding the thresholds without shunning them? TAC said the only way to find out the hosts is to shun them; only then will they show up in the ASA.
<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 15 per second, max configured rate is 5; Cumulative total count is 9083
06-14-2012 08:03 PM
Hello Siddhartham,
1. What you can do is, say for example you have a webserver behind the ASA, configure an acl/class-map and set connection
per-client-max and
per-client-embryonic-max
for that particular class. What you are asking is possible with the IDS device. With the ASA you can limit how many connections each host can establish with a server that the ASA is protecting.
Refer to this link:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s1.html#wp1447178
2. Check this command out; it will show you the scanning hosts:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s7.html#wp1330552
The following is sample output from the show threat-detection scanning-threat command:
hostname# show threat-detection scanning-threat
Latest Target Host & Subnet List:
192.168.1.0
192.168.1.249
Latest Attacker Host & Subnet List:
192.168.10.234
192.168.10.0
192.168.10.2
192.168.10.3
192.168.10.4
192.168.10.5
192.168.10.6
192.168.10.7
192.168.10.8
192.168.10.9
-Kureli
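An added configuration example (not from this thread or Cisco's documentation) for the two questions above: scanning threat detection in report-only mode, so attacker hosts appear in "show threat-detection scanning-threat" without being shunned, and the per-client connection limits on a protected web server. The 203.0.113.10 server, the 10.1.1.0/24 management subnet, the syslog host and the interface names are constructed placeholders.

```cisco
! --- Question 2: identify scanners without shunning them ---
! basic-threat produces the 733100 rate-exceeded syslogs seen above; adding
! scanning-threat WITHOUT the shun keyword classifies attacker and target
! hosts (reported as 733101 and in the show command) but takes no action.
threat-detection basic-threat
threat-detection scanning-threat
! Defaults shown; raise them if normal traffic keeps tripping rate-1
! (5/s average over 600 s, 10/s burst) or rate-2 (4/s over 3600 s, 8/s burst).
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
! Warning-level messages must actually leave the box to be seen.
logging enable
logging trap warnings
logging host inside 10.1.1.50

! Once the attacker list is trusted, enforcement can be switched on while
! exempting your own scanner / management subnet (constructed):
! threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
! threat-detection scanning-threat shun duration 3600

! --- Question 1: per-client limits on a protected web server ---
! The ASA counts connections per client, not HTTP requests per second; these
! caps bound what one source may hold open or half-open to the server.
access-list WEB-SERVER extended permit tcp any host 203.0.113.10 eq www
class-map WEB-SERVER-CLASS
 match access-list WEB-SERVER
policy-map OUTSIDE-POLICY
 class WEB-SERVER-CLASS
  set connection per-client-max 50 per-client-embryonic-max 20
  set connection conn-max 2000 embryonic-conn-max 500
  set connection timeout embryonic 0:00:30
! Only one service policy can be bound per interface; this replaces any
! interface policy already on outside (the global policy still applies).
service-policy OUTSIDE-POLICY interface outside

! Verification:
! show threat-detection scanning-threat attacker
! show threat-detection rate scanning-threat
! show threat-detection shun
! show service-policy interface outside set connection
! clear threat-detection shun
```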