Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
746
Views
0
Helpful
1
Replies

USers could not access Web Pages

jeggleston
Level 1
Level 1

‎09-23-2013 09:42 AM - edited ‎03-11-2019 07:42 PM

Last Night my users were unable to surf the web, other services, such as email and FTP were available.  I eventually noticed numerous "Shunned Packet" warnings when examining the ASA_5520 Syslog for the time period in question.

For example:

2013-09-22 20:28:47          Local7.Warning          asa-1          Sep 22 2013 20:28:47: %ASA-4-401004: Shunned packet:  x.x.20.27 ==> 75.75.75.75 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 75.75.75.75 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 75.75.75.75 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.27 ==> 75.75.75.75 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.27 ==> 75.75.76.76 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.27 ==> 75.75.75.75 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 24.143.246.29 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 24.143.246.29 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 24.143.246.29 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 205.152.144.23 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 205.152.144.23 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 205.152.144.23 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 205.152.144.23 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 205.152.144.23 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 205.152.144.23 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.26 ==> 75.75.75.75 on interface inside

2013-09-22 20:28:48          Local7.Warning          asa-1          Sep 22 2013 20:28:48: %ASA-4-401004: Shunned packet:  x.x.20.27 ==> 75.75.75.75 on interface inside

The 20.26 and 20.27 IP's are my Private DNS Servers, so I am suspecting I was having some kind of DNS attack. I eventually rebooted both of these servers and my problems went away. 

I guess my question is, what else can I look for that will help me determine if this was some kind of denial of service attack? And, if it was an attack, how do I prevent this in the future and what is the best way to recover?

- Jeff

Labels:
0 Helpful
1 Reply 1

Luis Silva Benavides
Cisco Employee
Cisco Employee

‎09-25-2013 01:01 PM

Hi,

The Thread-detection feature noticed that the your DNS servers sending an abnornal amount of traffic (or at least something that exceded the default parameters.)

The problem here was that when your internal PCs tried to resolve a website they query the internal DNS server but it was unable to access the internet because it was shunned.

Make sure your PC/Servers are not infected by any kind of Virus/Botnet. End-point protection is very important in this cases.

As you can see the ASA is doing its job . BTF (Botnet traffic filter) will be a good feature to have.

HTH

Luis Silva

"If you need PDI (Planning, Design, Implement) assistance feel free to reach us"

http://www.cisco.com/web/partners/tools/pdihd.html

Luis Silva
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card