Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
0
Helpful
2
Replies

Port scans (attacks?) on Cisco ASA slowing down internet

mvelatln
Level 1
Level 1

‎05-11-2018 06:01 AM - edited ‎02-21-2020 07:45 AM

Hello,

I cannot seem to find a topic for this and perhaps I'm using the wrong searches; so I'm apologizing ahead of time if this is somehow a duplicate discussion.

 

I support a location that has Cisco ASA in place and periodically their internet bandwidth drops tremendously, to the point that the internet is not usable.  I monitor their router speeds for traffic in and out and during these times bandwidth usage is normal.

 

What I found that happens is that there are many port scans happening at that time and it repeatedly exceeds the port scan limit.  It seems that the ASA see it and is doing its job, but it happens so much that I think the ASA is getting overburdened by responding to continuous scans from so many sources that it is requiring most of the resources it has.  So effectively, their "internet is down".

 

I'm trying to find out if there is something extra I need to put into place.  Maybe the basic security is not configured properly or I need to adjust rules.  Perhaps add something new.  I do not have Firepower or anything extra in play here.  This is a Cisco ASA 5512-X running software version 9.6(1)

 

Mike

Labels:
0 Helpful
2 Replies 2

Florin Barhala
Level 6
Level 6

‎05-11-2018 07:02 AM

What tool/method did you use to see the traffic scan?
Can you be more specific about the type of attack? How much time is this usually taking?
What's the average no of connections, respectively what do you see during the attack?

What I would do right of the bat: call/contact ISP and tell him about your issue. Maybe they're willing to help and mitigate the attack (if the case), without you adding extra security devices.

Otherwise you'll have to bring reinforcements.
0 Helpful

mvelatln
Level 1
Level 1
In response to Florin Barhala

‎05-11-2018 08:18 AM

Thank you for the questions.


As a side bar to the current location at hand we did have a location get hit daily around roughly the same time for the same amount of time.  During that time frame the internet was nearly unusable.

 

I did also connect with the ISP and they really didn't suggest anything ground breaking because it wasn't a bandwidth or DDoS issue.

 

The scans showed up in the Cisco log when set to "Warnings".  There were over 700 unique IP addresses doing port scans on their ASA.  From what I know the basic scan limit is there and it drops them but it still hits the box and has to respond to the repeated requests from those IP addresses.

 

Without putting something on another device down the line towards the ISP I'm not sure what to do in terms of the ASA.

 

My log line for the scans look like this:
[ Scanning] drop rate-1 exceeded. Current burst rate is 1 per second, max configured rate is 10; Current average rate is 7 per second, max configured rate is 5; Cumulative total count is 4627
 
Thanks,

Mike

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card