ASA 5505 Shunning help

Mark^
Level 1

I have read a few posts regarding shunning already.  I just don't feel like the ASA is shunning as much as I'd like it to.  In fact - it doesn't ever seem to shun anything unless I manually add it.

Running 8.3(2)13

My config looks like this:

Result of the command: "show run | include threat"

threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun duration 18000
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

I am just looking for feedback or tips on what I should do to improve on this and begin to actually shun scans, etc.  What are others seeing and what do those configs look like?

Thanks.

Mark
1 Accepted Solution

6 Replies

Vibhor Amrodia
Cisco Employee

Hi,

You can actually fine tune the statistics on the ASA device.

You can check the default values using this command:

show run all threat-detection

This would show you all the default counter values on the ASA device which the ASA would use for shunning the IP on the ASA device.

Thanks and Regards,

Vibhor Amrodia

Ok, perfect.  That gives me this (I edited since previous post):

 show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun duration 18000
threat-detection statistics host number-of-rate 1
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

But I am wondering if these thresholds should/could be lower?  I see scanning in the logs that I would like to see shunned.  I know the firewall is working and blocking where appropriate, but I would like to shun these malicious IP addresses.

Mark

Hi,

Yes, these values can be modified on the ASA device. The value depends on your requirement and your setup.

Thanks and Regards,

Vibhor Amrodia

Yes, that is what I am seeking help on.  I am looking for suggestions/tips on what to change these values to as these defaults are not effective enough.  Nothing is ever shunned unless I manually add an IP to shun.

Mark

Hi,

You have to understand that these values are actually the rate at which packets are dropped/denied on the ASA device due to policy check failures.

It will be different for every other network depending on the traffic passing through and different access/deny policies.

You can lower the values of these counters and check for which value you are seeing the correct SHUN behavior. This has to be done on a hit-and-trial basis.

Thanks and Regards,

Vibhor Amrodia
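To make the point of the reply above concrete (the thresholds are drop rates per second, measured over a long averaging interval and a short burst window, and lowering them is what makes a given scanner cross the line), here is an added Python model that is not part of the thread and not Cisco code. It parses the rate lines from the "show run all threat-detection" output quoted earlier, then replays two constructed per-second drop series against the default scanning-threat thresholds and against a lowered pair. The burst-window rule (1/30 of the rate interval or 10 seconds, whichever is larger) is taken from Cisco's threat-detection documentation and is stated as the model's assumption; the ASA's real accounting is not reproduced beyond that, so treat the output as an explanation of the knobs, not a prediction of a specific box.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a few lines in the format "show run all threat-detection"
# prints on the thread's ASA (values copied from the post above).
SHOW_RUN_ALL = """\
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection basic-threat
threat-detection scanning-threat shun duration 18000
"""

RATE_LINE = re.compile(
    r"^threat-detection rate (?P<kind>\S+) rate-interval (?P<interval>\d+) "
    r"average-rate (?P<avg>\d+) burst-rate (?P<burst>\d+)$"
)


@dataclass(frozen=True)
class RateThreshold:
    kind: str           # e.g. "scanning-threat", "acl-drop"
    interval: int       # seconds over which the average rate is measured
    average_rate: int   # drops per second, averaged over the whole interval
    burst_rate: int     # drops per second, measured over the shorter burst window

    @property
    def burst_window(self) -> int:
        # Assumption (from Cisco's threat-detection documentation): the burst
        # rate is sampled over 1/30 of the rate interval, or 10 s, whichever is larger.
        return max(self.interval // 30, 10)


def parse_rate_thresholds(show_run_all: str) -> Dict[str, List[RateThreshold]]:
    """Collect the 'threat-detection rate ...' lines, keyed by drop category."""
    out: Dict[str, List[RateThreshold]] = {}
    for line in show_run_all.splitlines():
        m = RATE_LINE.match(line.strip())
        if not m:
            continue  # shun / statistics / basic-threat lines carry no rate threshold
        t = RateThreshold(m["kind"], int(m["interval"]), int(m["avg"]), int(m["burst"]))
        out.setdefault(t.kind, []).append(t)
    return out


def observed_rates(drops_per_second: List[int], t: RateThreshold) -> Dict[str, float]:
    """Average and peak burst drop rate of one source's per-second drop series.

    The series is truncated to the most recent t.interval seconds and padded
    with leading zeros, so exactly one full interval is evaluated.
    """
    series = drops_per_second[-t.interval:]
    series = [0] * (t.interval - len(series)) + series
    average = sum(series) / t.interval
    w = t.burst_window
    window_sum = sum(series[:w])
    peak = window_sum
    for i in range(w, len(series)):          # sliding burst window over the interval
        window_sum += series[i] - series[i - w]
        peak = max(peak, window_sum)
    return {"average": average, "burst": peak / w}


def would_trigger(drops_per_second: List[int], t: RateThreshold) -> bool:
    """True if either the average or the burst rate exceeds its threshold."""
    r = observed_rates(drops_per_second, t)
    return r["average"] > t.average_rate or r["burst"] > t.burst_rate


def tuned(t: RateThreshold, average_rate: int, burst_rate: int) -> RateThreshold:
    """Same category and interval with new thresholds, i.e. what a
    'threat-detection rate <kind> rate-interval N average-rate A burst-rate B' line does."""
    return RateThreshold(t.kind, t.interval, average_rate, burst_rate)


# Constructed traffic patterns: drops attributed to one source, per second.
STEADY_SCANNER = [2] * 600               # 2 denied probes every second for 10 minutes
BURSTY_SCANNER = [0] * 580 + [15] * 20   # quiet, then 15 denied probes/s for 20 seconds

if __name__ == "__main__":
    default = parse_rate_thresholds(SHOW_RUN_ALL)["scanning-threat"][0]
    lowered = tuned(default, average_rate=1, burst_rate=2)
    for name, series in (("steady", STEADY_SCANNER), ("bursty", BURSTY_SCANNER)):
        print(name, observed_rates(series, default),
              "default:", would_trigger(series, default),
              "lowered:", would_trigger(series, lowered))
```

The steady scanner never exceeds the default 5/10 (it averages 2 drops/s with no burst), which is the "nothing ever gets shunned" situation from the question; the same source does cross a lowered 1/2 pair. The bursty one stays under the average but crosses the default burst rate. Before lowering anything on a real ASA, compare the observed rates from "show threat-detection rate" with what legitimate traffic produces, since a threshold below the normal drop rate of a busy interface shuns ordinary hosts too.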

Ok, I can accept that.  I was hoping for a working example but I see that may be useless to me anyway.

Thanks for your help Vibhor, it is much appreciated!

Mark