10-15-2014 07:22 AM - edited 03-11-2019 09:56 PM
I have read a few posts regarding shunning already. I just don't feel like the ASA is shunning as much as I'd like it to. In fact, it doesn't ever seem to shun anything unless I manually add it.
Running 8.3(2)13
My config looks like this:
Result of the command: "show run | include threat"
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
no threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun duration 18000
threat-detection statistics host
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
I am just looking for feedback or tips on what I should do to improve on this and begin to actually shun scans, etc. What are others seeing and what do those configs look like?
Thanks.
10-15-2014 10:40 PM
Hi,
You can actually fine tune the statistics on the ASA device.
You can check the default values using this command:
show run all threat-detection
This would show you all the default counters values on the ASA device which ASA would use for shunning the IP on the ASA device.
Thanks and Regards,
Vibhor Amrodia
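For reference, the scanning-threat portion of that default output next to a lowered version, followed by the show commands that reveal whether threat detection has classified or shunned anything. This is an added example for this thread, not configuration from the poster's firewall or from Cisco; the lowered numbers are hypothetical and need to be tuned against the drop rates a given network actually produces.

```text
! Shipped defaults, as printed by 'show run all threat-detection':
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
!
! Hypothetical lowered thresholds (drops per second from one host), with the
! shun already enabled as in the original post:
threat-detection rate scanning-threat rate-interval 600 average-rate 2 burst-rate 5
threat-detection rate scanning-threat rate-interval 3600 average-rate 1 burst-rate 3
threat-detection scanning-threat shun duration 18000
!
! Verification, before and after the change:
! - measured vs. configured rates for the scanning-threat counter
show threat-detection rate scanning-threat
! - hosts currently classified as attackers / targets
show threat-detection scanning-threat attacker
show threat-detection scanning-threat target
! - hosts shunned automatically by threat detection
show threat-detection shun
! - every active shun, manual and automatic
show shun
```

If 'show threat-detection rate scanning-threat' shows measured rates far below the configured ones, no value of the shun settings will ever fire; the rate lines are what need lowering. If a host appears under the attacker list but not under 'show threat-detection shun', check the except entries first, since a host matching one of them is never shunned.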
10-16-2014 07:02 AM
OK, perfect. That gives me this (I edited since the previous post):
show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun except ip-address x.x.x.x x.x.x.x
threat-detection scanning-threat shun duration 18000
threat-detection statistics host number-of-rate 1
threat-detection statistics port number-of-rate 2
threat-detection statistics protocol number-of-rate 2
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
But I am wondering if these thresholds should/could be lower? I see scanning in the logs that I would like to see shunned. I know the firewall is working and blocking where appropriate, but I would like to shun these malicious IP addresses.
10-17-2014 03:41 AM
Hi,
Yes, these values can be modified on the ASA device. The value depends on your requirement and your setup.
Thanks and Regards,
Vibhor Amrodia
10-17-2014 05:58 AM
Yes, that is what I am seeking help on. I am looking for suggestions/tips on what to change these values to as these defaults are not effective enough. Nothing is ever shunned unless I manually add an IP to shun.
10-17-2014 06:11 AM
Hi,
You have to understand that these values are actually the rate at which packets are dropped/denied on the ASA device due to policy check failures.
It will be different for every other network depending on the traffic passing through and different access/deny policies.
You can lower the values of these counters and check for which value you are seeing the correct SHUN behavior. This has to be done on a trial-and-error basis.
Thanks and Regards,
Vibhor Amrodia
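The trial-and-error can be narrowed down offline. The script below is an added example for this thread (Python, not Cisco code and not output from the poster's firewall): it replays per-host drop timestamps against a 'threat-detection rate' line and reports which hosts would exceed the average or burst threshold. It assumes, from Cisco's description of the feature, that average-rate is drops per second over rate-interval and burst-rate is drops per second over a burst interval of rate-interval/30 or 10 seconds, whichever is larger, and that drops are attributed to the source host. The drop events, host addresses and the lowered threshold line are constructed sample data.

```python
"""Replay of per-host drop counts against an ASA 'threat-detection rate' line.

Added example, not Cisco code and not output from a real firewall. Models the
two thresholds as Cisco documents them: average-rate is drops/second over
rate-interval; burst-rate is drops/second over a burst interval equal to
rate-interval/30 or 10 seconds, whichever is larger (assumption taken from
that description). All drop events below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

NOW = 1000  # evaluation instant in seconds; both measurement windows end here


@dataclass(frozen=True)
class RateThreshold:
    """One 'threat-detection rate <type> rate-interval A average-rate B burst-rate C' line."""
    rate_interval: int  # seconds over which the average rate is measured
    average_rate: int   # drops/second averaged over rate_interval
    burst_rate: int     # drops/second measured over burst_interval

    @property
    def burst_interval(self) -> int:
        # Assumption from Cisco's description: rate_interval/30, never below 10 s.
        return max(self.rate_interval // 30, 10)


# The shipped scanning-threat default and a hypothetical lowered line.
DEFAULT_SCANNING = RateThreshold(rate_interval=600, average_rate=5, burst_rate=10)
TUNED_SCANNING = RateThreshold(rate_interval=600, average_rate=1, burst_rate=5)


def evaluate_host(drop_times, threshold, now=NOW):
    """Return (avg_rate, burst_rate, crossed) for one source host's drop timestamps.

    Crossed means either measured rate exceeds its configured value; with
    'scanning-threat shun' enabled that is the condition under which the ASA
    adds the host to the shun list (unless it matches an except entry).
    """
    in_avg = sum(1 for t in drop_times if now - threshold.rate_interval < t <= now)
    in_burst = sum(1 for t in drop_times if now - threshold.burst_interval < t <= now)
    avg_rate = in_avg / threshold.rate_interval
    burst_rate = in_burst / threshold.burst_interval
    crossed = avg_rate > threshold.average_rate or burst_rate > threshold.burst_rate
    return avg_rate, burst_rate, crossed


def hosts_that_would_shun(drop_log, threshold, now=NOW):
    """Group (timestamp, source_ip) drop events per host and evaluate each host."""
    per_host = defaultdict(list)
    for ts, src in drop_log:
        per_host[src].append(ts)
    return {
        src: dict(zip(("avg", "burst", "crossed"), evaluate_host(times, threshold, now)))
        for src, times in per_host.items()
    }


def constructed_drop_log():
    """Constructed sample data, not real syslog: drops in the 600 s window ending at NOW."""
    log = []
    # 10.0.0.99: fast scan, 15 dropped probes per second during the last 30 s only.
    for t in range(NOW - 30, NOW):
        log.extend((t + (i + 1) / 15, "10.0.0.99") for i in range(15))
    # 10.0.0.7: slow scan, 2 dropped probes every second for the whole 600 s window.
    for t in range(NOW - 599, NOW + 1):
        log.extend([(t, "10.0.0.7"), (t, "10.0.0.7")])
    # 192.0.2.10: ordinary client with three stray drops.
    log.extend([(NOW - 500, "192.0.2.10"), (NOW - 200, "192.0.2.10"), (NOW - 5, "192.0.2.10")])
    return log


if __name__ == "__main__":
    log = constructed_drop_log()
    for label, thr in (("default", DEFAULT_SCANNING), ("tuned", TUNED_SCANNING)):
        print(f"{label}: burst interval {thr.burst_interval}s")
        for src, r in sorted(hosts_that_would_shun(log, thr).items()):
            print(f"  {src:12} avg={r['avg']:.2f}/s burst={r['burst']:.2f}/s crossed={r['crossed']}")
```

With the defaults only the fast scanner crosses (via the 20 s burst window); the slow scanner at 2 drops/s never reaches average-rate 5, which is the pattern behind "nothing is ever shunned". The lowered line catches it through the average rate while the ordinary client stays well under both. Replacing the constructed log with timestamps pulled from the firewall's deny syslog for the hosts seen scanning gives a starting value instead of a blind guess.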
10-17-2014 06:22 AM
Ok, I can accept that. I was hoping for a working example but I see that may be useless to me anyway.
Thanks for your help Vibhor, it is much appreciated!