
New Member

Scanning Attacks & Syn Attacks

Hey all, I have enabled basic threat detection, and also enabled auto shun in hopes to speed up our web server. Using the CLI I have found 2 in the latest attack host list and 1 in the latest target host list. But nothing in the shun list. I understand that the shun list is enabled once some thresholds are exceeded but I've got nothing shunned yet. And my possible scan and SYN attack rates are always fluctuating from 1 - 25. Is there something I've missed?


15 REPLIES

Re: Scanning Attacks & Syn Attacks

Hi,

I would recommend checking out the config guide for threat-detection:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1072953

Specifically, you'll need the following command before the ASA will automatically shun attackers:

ASA(config)# threat-detection scanning-threat shun

If everything looks like it is in order, please post the output of 'show run threat'

-Mike

New Member

Re: Scanning Attacks & Syn Attacks

Result of the command: "show run threat"

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

New Member

Re: Scanning Attacks & Syn Attacks

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

threat-detection statistics

Re: Scanning Attacks & Syn Attacks

Hi,

In your previous post, you did not have 'threat-detection scanning-threat shun' enabled. However, in the second post you do. Was this showing the change you made?

With the 'threat-detection scanning-threat shun' command do you still not see attackers being shunned?

-Mike

New Member

Re: Scanning Attacks & Syn Attacks

Result of the command: "threat-detection scanning-threat shun"

The command has been sent to the device

....

Result of the command: "show threat-detection scanning-threat"

Latest Target Host List:

207.61.11.0

Latest Attacker Host List:

INT.21_SERVER1_ALPHA

Re: Scanning Attacks & Syn Attacks

Hi,

So does 'show threat-detection shun' show the attacker being shunned?

-Mike

New Member

Re: Scanning Attacks & Syn Attacks

Hey, sorry. Thanks btw. I did make a change after I read your first email. It made sense that nothing was being shunned till I turned it on through the CLI. But what led me to believe I had it turned on was that I use the desktop application to administer this and I had checked the shun check box.

To answer 'do I see attackers in my shun list': no, for some reason I still do not, and my graph is so erratic. It fluctuates from 0 to 14 for scanning and 0 to 3 for SYN. When I posted the results of the 2 CLI commands, the first one shows some possibles, and it shows nothing is being shunned.

Re: Scanning Attacks & Syn Attacks

Hi,

The attacker list that you posted shows:

Latest Attacker Host List:

INT.21_SERVER1_ALPHA

However, the configuration you posted was:

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

The above line means that we should shun all attacking hosts *except* INT.21_SERVER1_ALPHA. Therefore, since this is currently the only host in the attacker list, we will not shun this host.

Do you want to shun the INT.21_SERVER1_ALPHA host? If not, your configuration is correct. If you do not want to shun this host, you'd want to configure the following commands:

ASA(config)# no threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

ASA(config)# threat-detection scanning-threat shun

ASA# wr mem

Hope that helps.

-Mike
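The diagnosis in this thread comes down to two checks on the running config: is 'threat-detection scanning-threat shun' present at all, and does an 'except ip-address' clause cover the host that threat-detection has flagged? The script below, an added example that is not part of the thread or any Cisco tool, automates exactly that check. It parses 'show run threat' style lines (including ASA 'name' entries, so named hosts such as INT.21_SERVER1_ALPHA resolve to an address) and the 'Latest Attacker Host List' from 'show threat-detection scanning-threat', then reports for each attacker whether it would be shunned or why not. The sample config and attacker list are constructed; the addresses and the exact layout of the show output are assumptions modelled on what was pasted above, and it also handles subnet masks, not only the /32 host mask used in the thread.

```python
import ipaddress
import re

# Constructed sample running config, modelled on the thread (addresses are made up).
# The 'name' line must precede the 'except' line that uses it, as it does in an ASA config.
SAMPLE_CONFIG = """\
name 10.1.21.5 INT.21_SERVER1_ALPHA
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255
threat-detection scanning-threat shun except ip-address 192.0.2.0 255.255.255.0
threat-detection statistics
"""

# Constructed 'show threat-detection scanning-threat' output in the layout seen in the thread.
SAMPLE_ATTACKERS = """\
Latest Target Host List:
    10.1.21.5
Latest Attacker Host List:
    INT.21_SERVER1_ALPHA
    192.0.2.77
    198.51.100.9
"""

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)")
EXCEPT_RE = re.compile(r"^threat-detection scanning-threat shun except ip-address (\S+)\s+(\S+)")
SHUN_RE = re.compile(r"^threat-detection scanning-threat shun\b")


def parse_config(text):
    """Return (name map, list of exempt networks, whether auto-shun is enabled)."""
    names = {}
    exempts = []
    shun_enabled = False
    for raw in text.splitlines():
        line = raw.strip()
        m = NAME_RE.match(line)
        if m:
            names[m.group(2)] = m.group(1)  # object name -> address
            continue
        m = EXCEPT_RE.match(line)
        if m:
            host = names.get(m.group(1), m.group(1))
            # The ASA gives a dotted netmask; ipaddress accepts 'addr/mask' directly.
            exempts.append(ipaddress.ip_network(f"{host}/{m.group(2)}", strict=False))
            shun_enabled = True  # an 'except' form still enables shunning for everyone else
            continue
        if SHUN_RE.match(line):
            shun_enabled = True
    return names, exempts, shun_enabled


def parse_attackers(text, names):
    """Collect the hosts under 'Latest Attacker Host List:', resolving object names."""
    hosts = []
    in_attackers = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Host List:"):
            in_attackers = line.startswith("Latest Attacker")
            continue
        if in_attackers and line:
            hosts.append(ipaddress.ip_address(names.get(line, line)))
    return hosts


def shun_verdicts(config_text, attacker_text):
    """Map each flagged attacker to 'shunned' or the reason it will not be."""
    names, exempts, shun_enabled = parse_config(config_text)
    verdicts = {}
    for host in parse_attackers(attacker_text, names):
        if not shun_enabled:
            verdicts[str(host)] = "not shunned: auto-shun disabled"
        elif any(host in net for net in exempts):
            verdicts[str(host)] = "not shunned: exempted"
        else:
            verdicts[str(host)] = "shunned"
    return verdicts


if __name__ == "__main__":
    for host, verdict in shun_verdicts(SAMPLE_CONFIG, SAMPLE_ATTACKERS).items():
        print(f"{host:16} {verdict}")
```

Run against the sample, the named server and the 192.0.2.77 host come back as exempted and only 198.51.100.9 as shunned; fed the first config pasted in this thread (no 'shun' keyword), every attacker reports auto-shun disabled, which is the state the original poster was in before adding the command.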

New Member

Re: Scanning Attacks & Syn Attacks

Sure does help. My main concern is that we haven't blocked anyone yet. And the scan/SYN attack chart goes between 0 and 4, hitting over 10 at least a few times an hour (but I would have to verify). The chart hits 0, but most of the time is running around 1.

I just had a thought, you think the chart includes the exempted ips? So say if there's 3 that I know of and I exempt them, and they were the only ones the chart would show the exempts?

Re: Scanning Attacks & Syn Attacks

Hi,

Yes, that chart will include all attackers since these are based on the statistics calculated by threat-detection. Once the attackers are established and known, it will decide whether or not to shun them based on whether or not you explicitly exempt them.

If you remove the exempt portion threat-detection command, you should see that the attacker is then shunned.

Hope that helps.

-Mike

New Member

Re: Scanning Attacks & Syn Attacks

Thanks Mike. I'm beginning to see hosts that are shunned. And after doing background look-ups (whois stuff) on them prior, I knew they were bad and now they are shunned. I guess what I had read was ok as it was a static explanation, but your real-time explanation matched with what happened the last couple of days for a great resolution.

Now, dare I ask,... have you found yourself changing any of the threshold values?

Chuck

New Member

Re: Scanning Attacks & Syn Attacks

Kind of a cross post, but I have about 6 or so known IPs showing up in the top usage pie chart. I don't really care to conveniently see them, so is there a way to exclude the 6 IPs (I even named them), so I can see the top usage of other IPs?

I'm also reading the CLI documentation, but there is lots to read. Is there a CLI command to list the top X usage by IP and packets?

Re: Scanning Attacks & Syn Attacks

Hi Chuck,

Here are the answers to your questions:

1. The default scanning rates are typically fine for most people, though you can adjust them with the 'threat-detection rate' command.

2. Unfortunately, there is no way to exclude these IP addresses from showing up in the statistics.

3. When 'threat-detection statistics' is enabled, you can issue the 'show threat-detection statistics top host' command. This will show you the top source and destination IP addresses and the packet rates for each.

Hope that helps.

-Mike

New Member

Re: Scanning Attacks & Syn Attacks

Yes, thanks again. But I guess even in the CLI I can not view more than the top 10?

Re: Scanning Attacks & Syn Attacks

Hi Chuck,

Yes, that's correct. You'll only get the top 10.

-Mike
