https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381803#M958640 <P>Hello,</P> <P>I cannot seem to find a topic for this and perhaps I'm using the wrong searches; so I'm apologizing ahead of time if this is somehow a duplicate discussion.</P> <P>&nbsp;</P> <P>I support a location that has Cisco ASA in place and periodically their internet bandwidth drops tremendously, to the point that the internet is not usable.&nbsp; I monitor their router speeds for traffic in and out and during these times bandwidth usage is normal.</P> <P>&nbsp;</P> <P>What I found that happens is that there are many port scans happening at that time and it repeatedly exceeds the port scan limit.&nbsp; It seems that the ASA see it and is doing its job, but it happens so much that I think the ASA is getting overburdened by responding to continuous scans from so many sources that it is requiring most of the resources it has.&nbsp; So effectively, their "internet is down".</P> <P>&nbsp;</P> <P>I'm trying to find out if there is something extra I need to put into place.&nbsp; Maybe the basic security is not configured properly or I need to adjust rules.&nbsp; Perhaps add something new.&nbsp; I do not have Firepower or anything extra in play here.&nbsp; This is a Cisco ASA 5512-X running software version 9.6(1)</P> <P>&nbsp;</P> <P>Mike</P> Fri, 21 Feb 2020 15:45:27 GMT mvelatln 2020-02-21T15:45:27Z https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381803#M958640 <P>Hello,</P> <P>I cannot seem to find a topic for this and perhaps I'm using the wrong searches; so I'm apologizing ahead of time if this is somehow a duplicate discussion.</P> <P>&nbsp;</P> <P>I support a location that has Cisco ASA in place and periodically their internet bandwidth drops tremendously, to the point that the internet is not usable.&nbsp; I monitor their router speeds for traffic in and out and during these times bandwidth usage is normal.</P> <P>&nbsp;</P> <P>What I found that happens is that there are many port scans happening at that time and it repeatedly exceeds the port scan limit.&nbsp; It seems that the ASA see it and is doing its job, but it happens so much that I think the ASA is getting overburdened by responding to continuous scans from so many sources that it is requiring most of the resources it has.&nbsp; So effectively, their "internet is down".</P> <P>&nbsp;</P> <P>I'm trying to find out if there is something extra I need to put into place.&nbsp; Maybe the basic security is not configured properly or I need to adjust rules.&nbsp; Perhaps add something new.&nbsp; I do not have Firepower or anything extra in play here.&nbsp; This is a Cisco ASA 5512-X running software version 9.6(1)</P> <P>&nbsp;</P> <P>Mike</P> Fri, 21 Feb 2020 15:45:27 GMT https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381803#M958640 mvelatln 2020-02-21T15:45:27Z https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381850#M958641 What tool/method did you use to see the traffic scan? <BR />Can you be more specific about the type of attack? How much time is this usually taking?<BR />What's the average no of connections, respectively what do you see during the attack?<BR /><BR />What I would do right of the bat: call/contact ISP and tell him about your issue. Maybe they're willing to help and mitigate the attack (if the case), without you adding extra security devices.<BR /><BR />Otherwise you'll have to bring reinforcements.<BR /> Fri, 11 May 2018 14:02:15 GMT https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381850#M958641 Florin Barhala 2018-05-11T14:02:15Z https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381908#M958642 <P>Thank you for the questions.</P> <P><BR />As a side bar to the current location at hand we did have a location get hit daily around roughly the same time for the same amount of time.&nbsp; During that time frame the internet was nearly unusable.</P> <P>&nbsp;</P> <P>I did also connect with the ISP and they really didn't suggest anything ground breaking because it wasn't a bandwidth or DDoS issue.</P> <P>&nbsp;</P> <P>The scans showed up in the Cisco log when set to "Warnings".&nbsp; There were over 700 unique IP addresses doing port scans on their ASA.&nbsp; From what I know the basic scan limit is there and it drops them but it still hits the box and has to respond to the repeated requests from those IP addresses.</P> <P>&nbsp;</P> <P>Without putting something on another device down the line towards the ISP I'm not sure what to do in terms of the ASA.</P> <P>&nbsp;</P> <DIV>My log line for the scans look like this:</DIV> <DIV>[ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4627</DIV> <DIV>&nbsp;</DIV> <DIV>Thanks,</DIV> <P>Mike</P> Fri, 11 May 2018 15:18:32 GMT https://community.cisco.com/t5/network-security/port-scans-attacks-on-cisco-asa-slowing-down-internet/m-p/3381908#M958642 mvelatln 2018-05-11T15:18:32Z