topic Ask the Expert: Mitigating Network Attacks in Network Security

Ask the Expert: Mitigating Network Attacks

ciscomoderator — Mon, 11 Mar 2019 23:14:32 GMT

With Kureli Sankar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.

Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.

Remember to use the rating system to let Kureli know if you have received an adequate response.

Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Re: Ask the Expert: Mitigating Network Attacks

mikull.kiznozki — Sat, 02 Jun 2012 12:38:52 GMT

apart from using the SSM, is there any other way I could prevent nmaps on my asa wan interface??

Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Sun, 03 Jun 2012 15:03:54 GMT

Hello Mikull,

If you are asking about the IPS module, the packet may not even reach the module, depending on the other checks it has to go through.

Unless you have other devices in the perimeter to detect these sort of attacks, the ASA will simply drop these packets when they arrive.

-Kureli

Ask the Expert: Mitigating Network Attacks

Omar Santos — Mon, 04 Jun 2012 03:04:36 GMT

Kureli did an excellent job summarizing this. I would like to add some notes/thoughts. There are several ways that you can protect against scanners on the Cisco ASA (this includes protection against nmap scan and others). Some types of active scans depend on logical network location and will not work though a firewall / IPS depending on your configuration. First you can protect against spoofed scans by usint the Unicast Reverse Path Forwarding (uRPF) feature on the outside interface. Unicast RPF protects against IP spoofing by making sure that all packets have a source IP address that matches the correct source interface according to the routing table.

You can also configure the Scanning Threat Detection on the Cisco ASA. The following link includes information on how to protect against scanning attacks using Thread Detection:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1072953

In some cases with network scanners, the first TCP packet may not even be a SYN packet, or the TCP connection failed the 3-way handshake. Full scanning threat detection takes this into consideration and acts on it by classifying hosts as attackers and automatically shunning them. In most cases, scanners create incomplete sessions and as such they sometimes are already blocked by TCP SYN attack protection and enbryonic protection limits. Now, one thing to highlight is that vulnerability scanning traffic can stress network equipment and may flood links. In some cases, you should block this traffic upstream to even avoid this traffic to enter your network link. There are several service providers that provide this protection to their customers by using the Clean Pipes solution. Clean Pipes allows service providers to offer pervasive DDoS mitigation services on a subscription basis or on-demand. These services provide customers with DDoS protection within the provider cloud, preserving network bandwidth and ensuring the availability of applications and services. Arbor has some information on how the Cisco/Arbor Clean Pipes 2.0 solution works:

http://www.arbornetworks.com/clean-pipes-2-0-a-complete-ddos-defense-solution.html

Re: Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Mon, 04 Jun 2012 11:56:17 GMT

Thanks Omar.

Mikull,

Pls. keep this link handy. Has the details that Omar mentioned above. I thought I included the link in my response but, missed it.

How to identify and mitigate network attacks.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml

As far as what Omar is talking about which is to block the attack traffic from even entering your network, you got to read this very very very interesting white paper on RTBH (Remotely Triggered Black Hole). The explains the setup that major ISP have already in place. All you need to do is to provide them with the source IP address or destination IP address and they will route that traffic to NULL thus black holing

http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

-Kureli

Ask the Expert: Mitigating Network Attacks

John Ventura — Fri, 08 Jun 2012 17:01:32 GMT

Hello Kureli,

I have a quick question for you. What is the easiest way to identify a DoS attack and the best way to restore and prevent these type of attacks on a wireless network?

thanks a lot,

- John

Ask the Expert: Mitigating Network Attacks

mikull.kiznozki — Sat, 09 Jun 2012 02:25:31 GMT

Thanks heaps both! I just need to fine tune my threat detection configs on my asa.

That whitepaper is a scorcher!!

time to null0 all those unwanted chinese and taiwanese traffic! lol

Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Sun, 10 Jun 2012 16:02:52 GMT

Well, it depends on the attack. Most of them spike the CPU of the box and the unit will start dropping packets. You will notice heavy bandwidth unitlization is this is an internet facing device.

1. If you have NetFlow enabled it might be able to show you the spike in traffic and the sources that are responsible for this.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html

2. Source track is another method:

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/ipst.html#wp1015331

3. Use categorization acl to see what kind of traffic is overwhelming the device and from where:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080149ad6.shtml

Follow RFC 2827:

1. Only allow traffic sourced from your network address space to leave the outside interface.

2. Do not allow your network address space from sourcing a packet from the outside.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

You need to try to do everything possible so, the firewall will not see this attack traffic. Block it at the upstream L-3 device or reach out to the ISP and have them block the traffic at their end.

Read the links that we have included in the previous responses as well. All of them are worth book marking.

For wireless as well as wired networks, most of the companies and schools do, some sort of content filtering to stop them from getting infected.

-Kureli

Ask the Expert: Mitigating Network Attacks

pemasirid — Sun, 10 Jun 2012 21:23:05 GMT

Hi Kureli,

How to we detect and stop any network scan activities (using nmap or any other tools) automatically using cisco IPS and firewalls.(or any other security devices)?

Are there any default signatures what detect those types of scans or do we need to configure some custom signatures to detect such activties..

thanks in advance.

Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Tue, 12 Jun 2012 20:40:36 GMT

Pemasirid,

Like Omar mentioned above you could use TD (Threat Detection) on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/protect_threat.html#wp1096812

On the IPS, as you can see here:

http://tools.cisco.com/security/center/search.x?currentPage=&itemsPerPage=15&toggle=2&search=Signature&keyWords=nmap&selectedCriteria=O&date1=&date2=&severity=1+-+5&urgency=1+-+5&sigDate1=&sigDate2=&alarmSeverity=All&release=

3002/0	TCP SYN Port Sweep	March 07, 2012	Low	S630
5725/0	Novell NMAP Agent Buffer Overflow	February 09, 2012	High	S624
4062/0	Cisco CSS 11000 Malformed UDP DoS	August 26, 2011	Medium	S591
4001/0	UDP Port Sweep	June 13, 2011	High	S573
4003/0	Nmap UDP Port Sweep	August 06, 2009	High	S423
3003/0	TCP Frag SYN Port Sweep	March 26, 2009	High	S388
3046/0	NMAP OS Fingerprint	May 01, 2001	Medium	S3

3002, 4001, 4003, 3003 and 3046 are the ones that you would want to enable.

-Kureli

Ask the Expert: Mitigating Network Attacks

pemasirid — Wed, 13 Jun 2012 08:30:06 GMT

Hi Kureli,

Thanks a lot for your response on my post, this will be really in handy.

In fact we were asked by one of our clients that they did network scan but they failed to find that activity on their security devices.

Regards,

Pemasiri

Ask the Expert: Mitigating Network Attacks

siddhartham — Wed, 13 Jun 2012 18:14:45 GMT

Hello Kureli,

I have few questions about ASA threat detection and DOS attack prevention.

1.Can we use class-maps or route-maps on the ASA to dynamically learn an IP adress that sends more than certain number of HTTP requests/sec and block that IP for certain time period?

2.We have basic threat detection enabled on our ASA and getting a lot of SCAN threshold exceeded alerts, is it possible to find out which hosts are exceeding the thresholds without shunning them?--TAC said only way to find out the hosts is to shun them, then only they will show up in ASA.

<164>Jun 13 2012 13:09:05: %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, max configured rate is 10; Current average rate is 15 per second, max configured rate is 5; Cumulative total count is 9083

Ask the Expert: Mitigating Network Attacks

John Peterson — Wed, 13 Jun 2012 21:15:28 GMT

Hi was wondering if there were any syslogs messages for DOS attacks?

Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Fri, 15 Jun 2012 02:51:31 GMT

Every packet that the ASA sees will be logged. It depends on what level of logging is configured and what feature logging you expect and what kind of attack it is.

Here is the syslog guide link:

http://www.cisco.com/en/US/docs/security/asa/asa83/system/message/logsevp.html#wp1009233

Here is the Thread Detection Feature link:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

Look for "syslog" in that above link.

If the packets are dropped due to asp drop then you can see them when you issue "sh asp drop" after a "clear asp drop"

Here is command reference for that:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s2.html#wp1471978

-Kureli

Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Fri, 15 Jun 2012 03:03:03 GMT

Hello Siddhartham,

1. What you can do is say for example you have a webserver behind the ASA, you can configure acl/class-map and set connection

per-client-max and

per-client-embryonic-max

for that particular class. What you are asking is possible with the IDS device. With the ASA you can limit as to how many connections each host can establish with a server that the ASA is protecting.

Refer this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s1.html#wp1447178

2. Check this command out will show you about the scanning host:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s7.html#wp1330552

The following is sample output from the show threat-detection scanning-threat command:

hostname# show threat-detection scanning-threat

Latest Target Host & Subnet List:

    192.168.1.0

    192.168.1.249

   Latest Attacker Host & Subnet List:

    192.168.10.234

    192.168.10.0

    192.168.10.2

    192.168.10.3

    192.168.10.4

    192.168.10.5

    192.168.10.6

    192.168.10.7

    192.168.10.8

    192.168.10.9

-Kureli

Re: Ask the Expert: Mitigating Network Attacks

emilio1973 — Fri, 15 Jun 2012 08:13:41 GMT

Hi Kureli,

on my ASA, I can see this output:

ASA5520# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps) Trigger      Total events
10-min Scanning:                  1               3      90               964
1-hour Scanning:                  1               1      21              5303

but with this, I can't see anything:

ASA5520# sh threat-detection scanning-threat target
Latest Target Host & Subnet List:
ASA5520#

ASA5520# sh threat-detection scanning-threat attacker
Latest Attacker Host & Subnet List:

How I can see the address of attackers?

Thanks

Re: Ask the Expert: Mitigating Network Attacks

siddhartham — Fri, 15 Jun 2012 13:31:38 GMT

Its the same thing for my case also, I don't see anything with sh threat-detection scanning-threat attacker command but we are getting around 10 syslog messages every min saying the thresholds are exceeded

ASA/pri/act# sh threat-detection rate scanning-threat

Average(eps) Current(eps) Trigger Total events

10-min Scanning: 3 3 22170 2323

1-hour Scanning: 3 4 5362 12814

ASA/pri/act# sh threat-detection scanning-threat attacker

ASA/pri/act#

Re: Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Fri, 15 Jun 2012 17:43:28 GMT

The command is "show threat-detection scanning-threat"

not "show threat-detection rate scanning-threat"

You can also try the following:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

hostname# show threat-detection statistics host

                          Average(eps)    Current(eps) Trigger         Total events

Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0

1-hour Sent byte: 2938 0 0 10580308

hour Sent byte: 367 0 0 10580308

 24-hour Sent byte:                122          0       0      10580308

-Kureli

Re: Ask the Expert: Mitigating Network Attacks

siddhartham — Fri, 15 Jun 2012 17:49:24 GMT

Yes I tried "show threat-detection scanning-threat" but it didn't produce any output

ASA/pri/act# show threat-detection scanning-threat

ASA/pri/act#

Re: Ask the Expert: Mitigating Network Attacks

Kureli Sankar — Fri, 15 Jun 2012 18:09:50 GMT

Siddhartham,

Today is the last day of this ATE event. I am not sure if I can get to the bottom of this. Would you mind opening a TAC case so, we can take a look at it. Feel free to mention my name on the case.

Pls. copy and paste the "sh run threat" output from the ASA.

May be there aren't any scanning threats at the moment. If the rate exceeded syslog is seen then, you probably have to tweek the settings and increase

Issue "show run all threat-detection".
The number of triggers of different thresholds can be checked in "show
threat-detection rate".

Syslog 733100 is related to scanning-rate, adjusting this parameter should be
able to resolve too many messages showing up in the syslogs.

In this case, tuning the command "threat-detection rate scanning-rate 3600
average-rate 15" stopped too many of these messages being logged. In other
cases one may have to increase the scanning-rate and average-rate to a higher
value.

-Kureli