Ask the Expert: Mitigating Network Attacks

ciscomoderator
Community Manager

With Kureli Sankar

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Kureli Sankar how to identify and mitigate network attacks.

Kureli Sankar is an engineer supporting Cisco's firewall team in Research Triangle Park, North Carolina. Her team supports the Cisco Adaptive Security Appliance, Firewall Services Module, Cisco Security Manager, the Content Security and Control module, and the Zone Based Firewall module in Cisco IOS Software. Prior to joining Cisco, Sankar worked for the John Morrell Co., where she was the network administrator in charge of the company's enterprise network covering 27 locations in the United States. She also was an adjunct professor at the University of Cincinnati, teaching undergraduate level networking courses. Sankar holds an engineering degree in electrical and electronic engineering from Regional Engineering College, Trichirappalli, India, and holds CCSP and CCIE Security #35505 certifications.

Remember to use the rating system to let Kureli know if you have received an adequate response. 

Kureli might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through June 15, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

25 Replies

emilio1973
Level 1

Hi Kureli,

on my ASA, I can see this output:

ASA5520# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps) Trigger      Total events
  10-min  Scanning:                  1               3      90               964
  1-hour  Scanning:                  1               1      21              5303

but with this, I can't see anything:

ASA5520# sh threat-detection scanning-threat target
Latest Target Host & Subnet List:
ASA5520#

ASA5520# sh threat-detection scanning-threat attacker
Latest Attacker Host & Subnet List:

How can I see the addresses of the attackers?

Thanks

It's the same thing in my case also: I don't see anything with the sh threat-detection scanning-threat attacker command, but we are getting around 10 syslog messages every minute saying the thresholds are exceeded.

ASA/pri/act# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps) Trigger      Total events
  10-min  Scanning:                  3               3   22170              2323
  1-hour  Scanning:                  3               4    5362             12814

ASA/pri/act# sh threat-detection scanning-threat attacker
ASA/pri/act#

Siddhartha

The command is "show threat-detection scanning-threat"

not "show threat-detection rate scanning-threat"


You can also try the following:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/protect_threat.html

hostname# show threat-detection statistics host
                          Average(eps)    Current(eps) Trigger         Total events
Host:10.0.0.1: tot-ses:289235 act-ses:22571 fw-drop:0 insp-drop:0 null-ses:21438 bad-acc:0
  1-hour Sent byte:               2938               0       0             10580308
  hour Sent byte:                367               0       0             10580308
 24-hour Sent byte:                122          0       0      10580308

-Kureli

Yes, I tried "show threat-detection scanning-threat" but it didn't produce any output:

ASA/pri/act# show threat-detection scanning-threat
ASA/pri/act#

Siddhartha

Siddhartha,

Today is the last day of this ATE event. I am not sure if I can get to the bottom of this. Would you mind opening a TAC case so we can take a look at it? Feel free to mention my name on the case.

Pls. copy and paste the "sh run threat" output from the ASA.

Maybe there aren't any scanning threats at the moment. If the rate exceeded syslog is seen then you probably have to tweak the settings and increase

Issue "show run all threat-detection". The number of triggers of different thresholds can be checked in "show threat-detection rate".

Syslog 733100 is related to scanning-rate; adjusting this parameter should be able to resolve too many messages showing up in the syslogs.

In this case, tuning the command "threat-detection rate scanning-rate 3600 average-rate 15" stopped too many of these messages being logged. In other cases one may have to increase the scanning-rate and average-rate to a higher value.

-Kureli
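To make the tuning step above less of a guess, here is a small added helper (my example, not Kureli's or Cisco's code) that parses the "show threat-detection rate scanning-threat" table quoted in this thread together with a few constructed %ASA-4-733100 syslog lines, reports which intervals are still tripping the threshold, and proposes average-rate/burst-rate values with some headroom above what the box actually observed. Assumptions: the 733100 field layout follows the documented "Current burst rate is X per second, max configured rate is Y; Current average rate is ..." wording, the mapping of rate-1/rate-2 to the 600 s and 3600 s intervals is assumed, and the emitted command keeps the "scanning-rate <interval> average-rate <n>" shape used in the reply plus the burst-rate keyword; check the exact syntax against the command reference for your ASA release before pasting it in. Raising thresholds only quiets the log, so keep the headroom modest and look at the attacker list and captures before concluding the traffic is benign.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the column layout copies the "show threat-detection rate
# scanning-threat" output quoted in the thread; the numbers are made up.
SHOW_RATE_OUTPUT = """\
ASA/pri/act# sh threat-detection rate scanning-threat
                          Average(eps)    Current(eps) Trigger      Total events
  10-min  Scanning:                  3               3   22170              2323
  1-hour  Scanning:                  3               4    5362             12814
"""

# Constructed sample syslog lines. The field layout of %ASA-4-733100 is assumed
# from the documented message wording; every number is invented. The third
# line is an unrelated message that the parser must skip.
SYSLOG_LINES = [
    "%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 12 per second, "
    "max configured rate is 10; Current average rate is 8 per second, max configured rate is 5; "
    "Cumulative total count is 4820",
    "%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 9 per second, "
    "max configured rate is 8; Current average rate is 6 per second, max configured rate is 4; "
    "Cumulative total count is 21033",
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.7/443 (198.51.100.7/443)",
]

# Assumed mapping of the rate id in the syslog to the rate interval in seconds.
RATE_ID_SECONDS = {"rate-1": 600, "rate-2": 3600}


@dataclass
class RateRow:
    interval: str       # e.g. "10-min" or "1-hour"
    average_eps: int
    current_eps: int
    trigger: int        # how many times the threshold was exceeded in this interval
    total_events: int


ROW_RE = re.compile(r"^\s*(\S+)\s+Scanning:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

SYSLOG_RE = re.compile(
    r"%ASA-\d-733100: \[ ?(?P<obj>[^\]]+)\] drop (?P<rate_id>rate-\d+) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)


def parse_show_rate(text: str) -> List[RateRow]:
    """Pull the per-interval rows out of the show command output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(RateRow(m.group(1), *map(int, m.groups()[1:])))
    return rows


def parse_733100(line: str) -> Optional[Dict[str, object]]:
    """Return the numeric fields of one 733100 message, or None for other syslogs."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"object": d["obj"].strip(), "rate_id": d["rate_id"],
            "burst": int(d["burst"]), "burst_max": int(d["burst_max"]),
            "avg": int(d["avg"]), "avg_max": int(d["avg_max"]),
            "total": int(d["total"])}


def parse_syslog(lines: List[str]) -> List[Dict[str, object]]:
    return [e for e in map(parse_733100, lines) if e is not None]


def intervals_over(rows: List[RateRow], average_rate: int) -> List[str]:
    """Intervals whose observed average eps would still exceed a proposed average-rate."""
    return [r.interval for r in rows if r.average_eps > average_rate]


def recommend_thresholds(events: List[Dict[str, object]],
                         headroom: float = 1.5) -> Dict[str, Tuple[int, int]]:
    """Per rate id, the (average-rate, burst-rate) pair that sits `headroom`
    times above the highest rates the syslog actually reported."""
    peak: Dict[str, List[int]] = {}
    for e in events:
        p = peak.setdefault(str(e["rate_id"]), [0, 0])
        p[0] = max(p[0], int(e["avg"]))
        p[1] = max(p[1], int(e["burst"]))
    return {rid: (math.ceil(a * headroom), math.ceil(b * headroom))
            for rid, (a, b) in peak.items()}


def tuning_commands(recs: Dict[str, Tuple[int, int]],
                    interval_seconds: Dict[str, int]) -> List[str]:
    """Render the proposals in the command shape used in the reply (verify per release)."""
    return [f"threat-detection rate scanning-rate {interval_seconds[rid]} "
            f"average-rate {a} burst-rate {b}"
            for rid, (a, b) in sorted(recs.items())]


if __name__ == "__main__":
    rows = parse_show_rate(SHOW_RATE_OUTPUT)
    for r in rows:
        print(f"{r.interval}: avg {r.average_eps} eps, triggered {r.trigger} times")
    print("still over average-rate 15:", intervals_over(rows, 15) or "none")
    for cmd in tuning_commands(recommend_thresholds(parse_syslog(SYSLOG_LINES)), RATE_ID_SECONDS):
        print(cmd)
```

Run it as-is to see the walk-through on the constructed data, or replace SHOW_RATE_OUTPUT and SYSLOG_LINES with a paste from your own ASA. An interval that keeps a non-zero Trigger count after the change, or a recommendation far above your normal baseline, is a sign to investigate the source hosts rather than raise the threshold again.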

Thanks Kureli, will open a TAC case.

Siddhartha

mohamednselim
Level 1

Dear Kureli Sankar,

I have a problem; I don't know if it could be an attack or a real problem. I need to make something on the FWSM, I'm not sure.

All my user VLANs are on the core itself, but the server VLANs are on the FWSM. When 2 servers are in the same VLAN they work perfectly, but there is a delay and sometimes packet drops when a server on one VLAN tries to communicate with another server in another VLAN.

My access lists are permit ip any any, so all the traffic should pass normally between them.

For example, when I'm on a server in VLAN 100 and remote desktop to another server in the same VLAN, it takes less than a second and I'm on the other server.

But when a server on VLAN 100 remote desktops to a server on VLAN 99 it may take up to 30 sec or so to connect, and also when the 2 servers in different VLANs try to get data from each other, sometimes it takes time, sometimes it gives an error that it can't be reached and will try to connect again.

Pinging is working fine, no problem.

The FWSM is routed, not transparent.

Servers are Microsoft mail server and domain controller server.

If I make it transparent will it solve this problem?

And if I issue the command firewall transparent, do I need a downtime, or will everything work normally?

I'm not good with security, so please help, and if you need any more info let me know.

Thanks.

Mohamed,

Not sure if transparent mode is going to resolve the issue. You still need the same Route and Permission along with optional translation for any flow to work.

We need to look at captures working in the same VLAN and delayed when separated by the firewall and determine what might be causing the problem.

In the past, with windows file copy and drive mapping issues, we have run into the following:

The problem is that Windows will not allow multiple smb connections on port 445. Subsequent connections will cause the existing connection to be reset.

This behavior is described by Microsoft Article KB301673.

http://support.microsoft.com/kb/301673

Two solutions:

1) Modify the registry on the server per KB301673 to use only port 139 and reboot the server.

2) Block port 445 by ACL on the firewall so that it will be forced to default back to 139.

Give this a shot and let me know if this resolves the issue. Otherwise please open a TAC case as we need to grab captures and analyze them.

-Kureli

Dear Kureli Sankar,

The fix is only available for Microsoft Server 2008; mine is 2010 and it didn't work with it.

I'm out of ideas. I even made the access-list all open (ip, tcp, udp any any) for all VLANs as a test for now so I can check if anything will drop or not, and all the security interfaces are the same and I have same-security permit intra and inter for the VLAN interfaces.

The core is fine. I just don't know what to do any more; do you think it could be a Microsoft problem, not the Cisco side?

Here is my thread link; you can continue troubleshooting with me in the thread if this thread is closed.

https://supportforums.cisco.com/thread/2154093

Thanks and best regards

Mohamed Selim.

philips_006
Level 1

I have a small doubt about telnet; I am not sure if this is the right forum to post this query.

I wanted to know if we can use telnet on a non-standard port, let's say 6189. I wanted to configure this on a Cisco router. May I know the commands to do this?

I have used PAT and port-map to do this.

Is there any other way to achieve this?

Please help. Thanks in advance.

rimifrank
Level 1

Dear Kureli,

I wish to integrate with Microsoft Windows 2008 AD. Apparently I am having trouble achieving this due to the error below:

ECSIntFw01# test aaa-server authentication AD1 username fraxxx password$ xxxx

Server IP Address or name: 10.3.1.10

INFO: Attempting Authentication test to IP address <10.3.1.10> (timeout: 12 seconds)

ERROR: Authentication Server not responding: AAA Server has been removed

My aim is in setting up Identity Options that would either help to allow/restrict permission based on users and/or groups that exist in the Active Directory Domain.

Kindly assist.

Frank
