topic Re: Scanning Attacks & Syn Attacks in Network Security

Scanning Attacks & Syn Attacks

netperception — Mon, 11 Mar 2019 13:26:03 GMT

Hey all, I have enabled basic threat detection, and also enabled auto shun in hopes to speed up our web server. Using the CLI I have found 2 latest attack host list and 1 in the latest target host list. But nothing in the shun list. I understand that the shun list is enabled once some thresholds are exceeded but I've got nothing shun'ed yet. And my possible scan and Syn attack rates is always fluctuating from 1 - 25. Is there something I've missed?

Re: Scanning Attacks & Syn Attacks

robertson.michael — Tue, 05 Aug 2008 21:22:55 GMT

Hi,

I would recommend checking out the config guide for threat-detection:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/protect.html#wp1072953

Specifically, you'll need the following command before the ASA will automatically shun attackers:

ASA(config)# threat-detection scanning-threat shun

If everything looks like it is in order, please post the output of 'show run threat'

-Mike

Re: Scanning Attacks & Syn Attacks

netperception — Wed, 06 Aug 2008 13:39:39 GMT

Result of the command: "show run threat"

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

Re: Scanning Attacks & Syn Attacks

netperception — Wed, 06 Aug 2008 14:17:06 GMT

threat-detection basic-threat

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

threat-detection statistics

Re: Scanning Attacks & Syn Attacks

robertson.michael — Wed, 06 Aug 2008 16:59:14 GMT

Hi,

In your previous post, you did not have 'threat-detection scanning-threat shun' enabled. However, in the second post you do. Was this showing the change you made?

With the 'threat-detection scanning-threat shun' command do you still not see attackers being shunned?

-Mike

Re: Scanning Attacks & Syn Attacks

netperception — Wed, 06 Aug 2008 17:28:29 GMT

Result of the command: "threat-detection scanning-threat shun"

The command has been sent to the device

....

Result of the command: "show threat-detection scanning-threat"

Latest Target Host List:

207.61.11.0

Latest Attacker Host List:

INT.21_SERVER1_ALPHA

Re: Scanning Attacks & Syn Attacks

robertson.michael — Wed, 06 Aug 2008 17:33:46 GMT

Hi,

So does 'show threat-detection shun' show the attacker being shunned?

-Mike

Re: Scanning Attacks & Syn Attacks

netperception — Wed, 06 Aug 2008 17:47:35 GMT

Hey, sorry. Thanks btw. I did make a change after I read your first email. It made sense that nothing was being shun'ed till I turned it on through the CLI. But what led me to believe I had it turned on was that i use the desktop application to administor this and I had checked the shun check box.

To answer 'do I see attackers in my shun list'. No, for some reason I still do not, and my graph is so erratic. Fluctuates from 0 to 14 for scanning and 0 to 3 for syn. When I posted the results of 2 cli commands the first one shows some possibles, and it shows nothing is being shun'ed.

Re: Scanning Attacks & Syn Attacks

robertson.michael — Wed, 06 Aug 2008 21:18:25 GMT

Hi,

The attacker list that you posted shows:

Latest Attacker Host List:

INT.21_SERVER1_ALPHA

However, the configuration you posted was:

threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

The above line means that we should shun all attacking hosts *except* INT.21_SERVER1_ALPHA. Therefore, since this is currently the only host in the attacker list, we will not shun this host.

Do you want to shun the INT.21_SERVER1_ALPHA host? If not, your configuration is correct. If you do not want shun this host, you'd want to configure the following commands:

ASA(config)# no threat-detection scanning-threat shun except ip-address INT.21_SERVER1_ALPHA 255.255.255.255

ASA(config)# threat-detectoin scanning-threat shun

ASA# wr mem

Hope that helps.

-Mike

Re: Scanning Attacks & Syn Attacks

netperception — Thu, 07 Aug 2008 12:05:24 GMT

Sure does help. My main concern is that we haven't blocked anyone yet. And the scan syn attack chart goes between 0 and 4 hiting over 10 atleast a few times an hour (but would have to verify). The chart hits 0, but most of the time is running around 1.

I just had a thought, you think the chart includes the exempted ips? So say if there's 3 that I know of and I exempt them, and they were the only ones the chart would show the exempts?

Re: Scanning Attacks & Syn Attacks

robertson.michael — Thu, 07 Aug 2008 23:01:26 GMT

Hi,

Yes, that chart will include all attackers since these are based on the statistics calculated by threat-detection. Once the attackers are established and known, it will decide whether or not to shun them based on whether or not you explicitly exempt them.

If you remove the exempt portion threat-detection command, you should see that the attacker is then shunned.

Hope that helps.

-Mike

Re: Scanning Attacks & Syn Attacks

netperception — Fri, 08 Aug 2008 12:44:57 GMT

Thanks Mike. I'm beginning to see hosts that are shunned. and after doing background look-up (whois stuff) on them prior I knew they were bad and now they are shunned. I guess what I had read was ok as it was a static explanation but your real time explanation matched with what happened last couple days for a great resolution.

Now, dare I ask,... have you found yourself changing any of the threshold values?

Chuck

Re: Scanning Attacks & Syn Attacks

netperception — Fri, 08 Aug 2008 12:48:04 GMT

Kind of a cross post, but I have about 6 or so known IP's showing up in the top usage pie chart. I don't really care to conviently see them so is there a way to exclude the 6 ips (I even named them), so I can see the the top usage of other IP's?

I'm also reading the cli documentation but lots to read, is there a cli command to list the top X usage by ip&packets?

Re: Scanning Attacks & Syn Attacks

robertson.michael — Fri, 08 Aug 2008 20:30:24 GMT

Hi Chuck,

Here are the answers to your questions:

1. The default scanning rates are typically fine for most people, though you can adjust them with the 'threat-detection rate' command.

2. Unfortunately, there is no way to exclude these IP addresses from showing up in the statistics.

3. When 'threat-detection statistics' is enabled, you can issue the 'show threat-detection statistics top host' command. This will show you the top source and destination IP addresses and the packet rates for each.

Hope that helps.

-Mike

Re: Scanning Attacks & Syn Attacks

netperception — Mon, 11 Aug 2008 13:14:19 GMT

Yes, thanks again. But I guess even in the CLI I can not view more then the top 10?

Re: Scanning Attacks & Syn Attacks

robertson.michael — Mon, 11 Aug 2008 22:06:18 GMT

Hi Chuck,

Yes, that's correct. You'll only get the top 10.

-Mike