ASA 5585 - Can I shun syn attacks as well as scanning threats?

brianhill88 — Tue, 12 Mar 2019 03:57:20 GMT

Hello,

I see that with threat-detection enabled and configured, I can use the "threat-detection scanning-threat shun duration [time in seconds]" to shun IPs that are scanning for open ports.

Is there a way to shun syn-attacks that I have a threshold set for?

For example I can configure this:

threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45

But I don't see an option to "threat-detection syn-attack shun".

This is on a 5585 running 8.2(5).

Thank you

The answer to this is you can

brianhill88 — Thu, 20 Mar 2014 16:04:00 GMT

The answer to this is you can not. At least not in this way.

What you can do is create a policy-map on the outside interface (or add a class-map if you already have an existing policy-map on the outside) and under connection settings limit the amount of per client embryonic connections.

topic ASA 5585 - Can I shun syn attacks as well as scanning threats? in Network Security

ASA 5585 - Can I shun syn attacks as well as scanning threats?

The answer to this is you can