Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Protected servers under syn attack!!

The firewall dashboard has a window at the right lower portion of ASDM and it displays Top 10 protected servers under SYN attack.  Refer to the attached picture.

In this scenario the server IP 82.214.154.223 seems to be getting SYN attacks from one of my internal network PC. This server 82.214.154.223 does not belong to us, a whois query tells me that the IP originates from Poland with no hostname address.

I should have been seeing attacks only for servers belonging to my network right? Like an attack from Outside public IP towards my Server public IP, or is it that this feature provides two way statistics where it also displays attack originating from my lan towards outside world. From what I see, I feel it displays two way attacks. Correct me if I am wrong.

Regards

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: Protected servers under syn attack!!

Yes, it is protecting both directions of the traffic passing through the ASA, inbound and outbound by default.

It looks like your internal host is attacking the 82.214.154.223 host, or it might be some software that is trying to reach 82.214.154.223, however, this host is not responding. Might be peer to peer file sharing or other similar sort of application.

There are different types and features of threat detection, and here is more information for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

Hope that helps.

2 REPLIES
Super Bronze

Re: Protected servers under syn attack!!

Yes, it is protecting both directions of the traffic passing through the ASA, inbound and outbound by default.

It looks like your internal host is attacking the 82.214.154.223 host, or it might be some software that is trying to reach 82.214.154.223, however, this host is not responding. Might be peer to peer file sharing or other similar sort of application.

There are different types and features of threat detection, and here is more information for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

Hope that helps.

New Member

Protected servers under syn attack!!

Hi,

below is the output of the # sh threat-detection rate command. can anyone explain me the vulnerabilities and risks by looking at the figures below. thanks

                          Average(eps)    Current(eps) Trigger      Total events

  10-min ACL  drop:                  1               0       0               672

  1-hour ACL  drop:                  1               0       0              4654

  10-min SYN attck:                  0               0       0               386

  1-hour SYN attck:                  0               0       0              3428

  10-min  Scanning:                  2               1   55503              1248

  1-hour  Scanning:                  2               2   18455              9177

  10-min Bad  pkts:                  0               0       0               184

  1-hour Bad  pkts:                  0               0       0              1089

  10-min  Firewall:                  1               0       0               862

  1-hour  Firewall:                  1               1       0              5749

  10-min DoS attck:                  0               0       0                 6

  1-hour DoS attck:                  0               0       0                 6

  10-min Interface:                  1               0       0              1034

  1-hour Interface:                  1               1       0              6616

regards,

AAMIR

8484
Views
0
Helpful
2
Replies