topic threat detection and frequent disconnection in Network Security

threat detection and frequent disconnection

roussillon — Mon, 11 Mar 2019 21:00:18 GMT

Hi all

Can threat detection provoque frequent disconnections on allowed traffic?

We are using asa 5520 with 8.3.1 IOS

For instance in ASDM we see SYN attack messages .The source ip address correspond to external an external host (in the outside interface) wich is allowed to connect to internal servers(in the internal interfaces).

Our threat conf is as follow:

threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800

threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640

threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400

threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320

threat-detection rate scanning-threat rate-interval 600 average-rate 500 burst-rate 1000

threat-detection rate scanning-threat rate-interval 3600 average-rate 500 burst-rate 1000

threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200

threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160

threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600

threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280

threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000

threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400

threat-detection basic-threat

threat-detection statistics port number-of-rate 1

threat-detection statistics protocol number-of-rate 1

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

Thanks

threat detection and frequent disconnection

varrao — Tue, 19 Jul 2011 02:09:57 GMT

Hi Roussillon,

Yes definitely it is one of the possiblities, if the firewall sees a lot of connection request coming from the trusted host as well, it would perceive it to be a threat and give you the logs, there might be cases of internet disconnect as well.

Try taking the logs, and captures when the internet gets disconnected.

-Varun

threat detection and frequent disconnection

roussillon — Tue, 19 Jul 2011 13:38:04 GMT

I disable basic threat detection with the command:

no threat-detection basic-threat

But user get disconnected as well.

How can I disable threat detection?

Thanks

threat detection and frequent disconnection

roussillon — Thu, 21 Jul 2011 09:44:09 GMT

Hi all

Can someone please tell how to stop or properly configuring threat detection apparently the basic setting are not good for production?

Thanks

Re: threat detection and frequent disconnection

varrao — Thu, 21 Jul 2011 15:32:44 GMT

Hi Roussillon,

We first need to identify the exact reason for drops, if this disconnects are so frequent then you first need to check the logs that you get at the time of the disconnect on the disconnect. If the logs say something like this:

"%ASA-4-733100: [Interface] drop rate 1 exceeded. Current burst rate is 1 per second, max configured rate is 8000; Current average rate is 2030 per second, max configured rate is 2000; Cumulative total count is 3930654."

For a scanning drop caused by potential attacks:

"ASA-4-733100: [Scanning] drop rate-1 exceeded. Current burst rate is 10 per second_max configured rate is 10; Current average rate is 245 per second_max configured rate is 5; Cumulative total count is 147409 (35 instances received)

For bad packets caused by potential attacks:

"%ASA-4-733100: [Bad pkts] drop rate 1 exceeded. Current burst rate is 0 per second, max configured rate is 400; Current average rate is 760 per second, max configured rate is 100; Cumulative total count is 1938933"

Maybe the legitimate outside host is sending requests which is exceeding the normal value defined in the threat-detection. If so we can create an exception for that particular host in the threat-detection, so that it is always allowed.

Moreover could you tell me if you are using any IPS module with the ASA??

Thanks,

Varun

Re: threat detection and frequent disconnection

roussillon — Sat, 23 Jul 2011 13:52:22 GMT

Hi Varun,

Thanks for your help.

We are not using any IPS module

I am logging all warning messages(severity=4) to a syslog server when I do a search for messages I can not find %ASA-4-733100 nor %ASA-4-733101. In the logs there are message like %ASA-4-106023 or %ASA-4-31300, but not those we are looking for.

I'am also logging messages 733100 & 733101 to console but nothing get logged.

I did as follow:

logging list notify-threat message 733100-733101

logging monitor notify-threat

term monitor

Nevertheless the command show threat-detection rate syn-attack show:

Average(eps) current(eps) trigger Total events

10-min SYN attck 0 0 2 12

I understand That an exception can be configured if scanning threat detection is enable with the command:

threat-detection scanning-threat  [shun [except {ip-address ip_address mask | object-group network_object_group_id}]]

But in our ASA scanning-threat is not active. That's why I do not understand why connections get interrupted

I have noticed that connections comming from host with their own public ip address are less impacted, but really less impacted. I configure a computer with a public ip address(not nat, no ip masquerading), then I started annyconnect client and it stayed connected during 28 hours. It was me who stop the connection.

Thanks

Re: threat detection and frequent disconnection

roussillon — Wed, 27 Jul 2011 05:47:48 GMT

can someone help us please? this is really urgent and enoyng.

how can we just make threat detection disapear??

thanks

threat detection and frequent disconnection

varrao — Wed, 27 Jul 2011 06:42:39 GMT

Hi Roussillon,

If you really wanna disable all the thread detection on the firewall, then you can just put a no in front of the threat-detection statements and disable them or use "clear configure threat-detection" to clear all the commands:

http://www.cisco.com/en/US/customer/docs/security/asa/asa82/command/reference/c2.html#wp2400005

Thanks,

Varun

Re: threat detection and frequent disconnection

roussillon — Wed, 17 Aug 2011 11:24:09 GMT

sorry if i answer late, but I was out off office.

I tried both method but nothing works.

Do you know if ASA can do Save reset?

Thanks

threat detection and frequent disconnection

varrao — Wed, 17 Aug 2011 15:56:07 GMT

You were not at all able to delete the threat-detection on the ASA, even after doing "clear configure threat-detcetion" ???

Well do you have any IPS device in the network???

Can you share your configuration from ASA and also the output " show module".

-Varun

threat detection and frequent disconnection

roussillon — Wed, 17 Aug 2011 20:09:21 GMT

Hi,

Indeed in ASDM we see SYN attack messages. But I think it is not the real problem.

The problem occurs when à user behind à box doing NAT connects to a server with a natted ip behind the ASA. I would say double NAT.

This is the output of the command show module

Mod Card Type Model

--- -------------------------------------------- ------------------

0 ASA 5520 Adaptive Security Appliance ASA5520

Mod MAC Address Range Hw Version Fw Version Sw Version

--- --------------------------------- ------------ ------------ ---------------

0 c47d.4f3b.6b15 to c47d.4f3b.6b19 2.0 1.0(11)5 8.3(1)

Mod SSM Application Name Status SSM Application Version

--- ------------------------------ ---------------- --------------------------

Mod Status Data Plane Status Compatibility

--- ------------------ --------------------- -------------

0 Up Sys Not Applicable

Thanks

threat detection and frequent disconnection

varrao — Thu, 18 Aug 2011 02:24:49 GMT

Hi,

i am not sure now about the real issue, are you not able to access a server on the inside for inside hosts itself??? If that is the case then i woudl need the ip addresses of source and destination and if the inside hosts need to access the server o its natted ip only. It would be great if you can provide an output of :

show run nat

show run global

show run static

show run same

Thanks,

Varun