04-30-2012 12:50 AM - edited 03-11-2019 03:59 PM
Hi, I'm having trouble configuring threat-detection and QoS policies at the same time.
The problem is that if I have QoS rules enabled (these police traffic defined by ACLs), I can't enable at the same time the threat-detection feature "Shun hosts detected by scanning threat", because it shuns the hosts to which the policing is being applied.
I suppose this is because the policing is based on hits on ACLs, so the ASA thinks this is an attack.
So, how can I resolve this? How can I have policing and shunning enabled at the same time?
Thanks
05-02-2012 08:40 PM
Hi,
Weird stuff, one feature doesn't necessarily have anything to do with the other. What scanning threat does is take statistics of a specific host and determine if it is sweeping the network or trying to find out which ports/networks are available. You have to check what factor is causing the shun to be triggered. There are a lot of thresholds on scanning threat detection that you will need to modify if it is causing an issue.
By the thresholds I mean the following table:
As you can see on the following document:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/conns_threat.html#wp1072953
Scanning threat is based on the threat detection statistics. So you will need to modify those in order to avoid the host being shunned.
That being said, I think if you only enable threat detection alone, it would probably do the same thing as if it was configured in conjunction with QoS.
Bottom line (and sorry for all the info), modify the threat detection rate values and you should be ok.
Mike
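As an added example (not from the original thread, and not Cisco's own sample configuration), here is one way to keep the QoS policing policy in place while doing what Mike describes: raising the scanning-threat rate values so ordinary traffic from the policed hosts stays under the threshold, and additionally exempting the policed subnet from shunning with the `threat-detection scanning-threat shun except` form documented in the ASA 8.x guide. The subnet 10.1.1.0/24, the interface name `outside`, the policy and class-map names, and the rate/burst numbers are all assumptions chosen for illustration; tune them to the values `show threat-detection rate` reports for your own hosts.

```cisco
! --- QoS: police traffic matched by an ACL (assumed subnet and rate) ---
access-list QOS-POLICE extended permit ip 10.1.1.0 255.255.255.0 any
class-map POLICE-CLASS
 match access-list QOS-POLICE
policy-map OUTSIDE-POLICY
 class POLICE-CLASS
  ! 1 Mbps conform rate, 2000-byte burst; excess is dropped
  police output 1000000 2000 conform-action transmit exceed-action drop
service-policy OUTSIDE-POLICY interface outside

! --- Threat detection: keep basic threat detection and statistics on ---
threat-detection basic-threat
threat-detection statistics host

! Scanning-threat rates (interval in seconds, events per second averaged
! over the interval, and a short-term burst rate). Values below are
! illustrative; raise them only as far as your hosts' real rates require.
threat-detection rate scanning-threat rate-interval 600 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 3600 average-rate 8 burst-rate 16

! Enable automatic shunning of scanners, but never shun the policed
! subnet (assumed 10.1.1.0/24); other hosts are still shunned for 1 hour.
threat-detection scanning-threat shun except ip-address 10.1.1.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
```

To check the effect, `show threat-detection rate` shows the current per-interval rates and which ones have been exceeded, `show threat-detection scanning-threat` lists the hosts currently classified as scanners, and `show threat-detection shun` lists hosts that were actually shunned. A host already shunned before the change is released with `clear threat-detection shun <ip-address>` (or without an address to release them all). The exemption is the safer of the two knobs: it guarantees the policed hosts are never shunned whatever the cause, whereas loosened rates also loosen detection for every other host on the box.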