ASA5510 doesn't shun host from outside interface

jgonzalez79
Level 1

Hi,

I've been trying to configure the threat-detection scanning-threat shun feature on my ASA5510 running 8.4(2) for some days now. From searching the support community I can see that I'm not the only one having a problem with this feature. The problem I'm having is that after configuring scanning-threat shun, no outside attacking hosts are being shunned. I'm using nmap to simulate a scanning attack.

Here is my threat-detection config:

threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

I'm using the default settings:

threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8

When I initiate a scan attack from an outside host I get this in the logs, but a show threat-detection shun shows nothing:

<162>%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 50 per second, max configured rate is 10; Current average rate is 2 per second, max configured rate is 5; Cumulative total count is 1713

<162>%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 3 per second, max configured rate is 4; Cumulative total count is 13206

Now, so far this is the strange behavior which others have reported. Then I noticed that some of my internal IPs were being shunned while I was testing. So on a hunch I initiated a scan attack from inside my network to an outside host. Immediately the logs showed the expected behavior and my attacking device was shunned!

Logs:

<162>%ASA-4-733100: [   71.49.0.78] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 967

<162>%ASA-4-733101: Host 71.49.0.78 is targeted. Current burst rate is 23 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 967

<162>%ASA-4-733100: [   10.20.3.173] drop rate-1 exceeded. Current burst rate is 47 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1935

<162>%ASA-4-733102: Threat-detection adds host 10.20.3.173 to shun list

ASA5510 scanning-threat show commands:

Shunned Host List:

src-ip=10.20.3.173 255.255.255.255

Latest Target Host & Subnet List:

    71.49.29.78

Latest Attacker Host & Subnet List:

    10.20.3.173

Is this the expected behavior of scanning-threat shun? If so, this feature is of very little use to me, as blocking my inside LAN is not my goal. I'm trying to protect my LAN from Internet attack. I can add the except command and exempt my LAN, but this still doesn't fix the problem of outside hosts not being shunned.

Thanks

Joel Gonzalez
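As an added illustration (not part of the original post or of Cisco's own tooling), here is a small Python parser for the three threat-detection syslog IDs that appear above (%ASA-4-733100, 733101, 733102). It takes the post's own log lines as constructed sample input and reports which hosts were identified as targets, which were added to the shun list, and how many rate-exceeded events carried only a category name in the brackets rather than a host address. The reading of that bracketed field (a basic-threat category such as "Scanning" versus a per-host address) is an assumption made here, not something the thread states; the field names in the dataclass are likewise this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the syslog lines quoted in the post above,
# in the order they were shown (outside scan first, then inside scan).
SAMPLE_LOGS = [
    "<162>%ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 50 per second, max configured rate is 10; Current average rate is 2 per second, max configured rate is 5; Cumulative total count is 1713",
    "<162>%ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 3 per second, max configured rate is 4; Cumulative total count is 13206",
    "<162>%ASA-4-733100: [   71.49.0.78] drop rate-1 exceeded. Current burst rate is 23 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 967",
    "<162>%ASA-4-733101: Host 71.49.0.78 is targeted. Current burst rate is 23 per second, max configured rate is 10; Current average rate is 0 per second, max configured rate is 5; Cumulative total count is 967",
    "<162>%ASA-4-733100: [   10.20.3.173] drop rate-1 exceeded. Current burst rate is 47 per second, max configured rate is 10; Current average rate is 1 per second, max configured rate is 5; Cumulative total count is 1935",
    "<162>%ASA-4-733102: Threat-detection adds host 10.20.3.173 to shun list",
]

# Patterns follow the message shapes visible in the post.
RATE_RE = re.compile(
    r"%ASA-4-733100: \[\s*(?P<subject>[^\]]+)\] drop rate-(?P<rate>\d) exceeded\. "
    r"Current burst rate is (?P<burst>\d+) per second, max configured rate is (?P<burst_max>\d+); "
    r"Current average rate is (?P<avg>\d+) per second, max configured rate is (?P<avg_max>\d+); "
    r"Cumulative total count is (?P<total>\d+)"
)
TARGET_RE = re.compile(r"%ASA-4-733101: Host (?P<ip>[\d.]+) is targeted")
SHUN_RE = re.compile(r"%ASA-4-733102: Threat-detection adds host (?P<ip>[\d.]+) to shun list")


@dataclass
class ThreatEvent:
    msg_id: str
    subject: str                 # a host address, or a category name such as "Scanning"
    rate_index: Optional[int] = None
    burst: Optional[int] = None
    burst_max: Optional[int] = None
    avg: Optional[int] = None
    avg_max: Optional[int] = None


def parse_line(line: str) -> Optional[ThreatEvent]:
    """Return a ThreatEvent for the three message IDs of interest, else None."""
    m = RATE_RE.search(line)
    if m:
        return ThreatEvent("733100", m["subject"], int(m["rate"]), int(m["burst"]),
                           int(m["burst_max"]), int(m["avg"]), int(m["avg_max"]))
    m = TARGET_RE.search(line)
    if m:
        return ThreatEvent("733101", m["ip"])
    m = SHUN_RE.search(line)
    if m:
        return ThreatEvent("733102", m["ip"])
    return None


def is_ipv4(text: str) -> bool:
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", text) is not None


def analyse(lines):
    """Correlate rate-exceeded, targeted and shun events into a short summary."""
    events = [e for e in map(parse_line, lines) if e is not None]
    shunned = {e.subject for e in events if e.msg_id == "733102"}
    targeted = {e.subject for e in events if e.msg_id == "733101"}
    # Assumption: a bracketed host address is a per-host scanning-threat event,
    # anything else (e.g. "Scanning") is a basic-threat category counter only.
    exceeded_hosts = {e.subject for e in events if e.msg_id == "733100" and is_ipv4(e.subject)}
    category_only = [e for e in events if e.msg_id == "733100" and not is_ipv4(e.subject)]
    # Hosts that tripped a rate but were neither named as target nor shunned:
    # worth a look, because the shun should normally follow the per-host event.
    unshunned = exceeded_hosts - shunned - targeted
    return {
        "shunned": sorted(shunned),
        "targeted": sorted(targeted),
        "unshunned_attackers": sorted(unshunned),
        "category_only_events": len(category_only),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run against the post's lines, the summary shows exactly the asymmetry Joel describes: the two outside-scan messages are category-level "Scanning" counters with no host named, while the inside scan produces a per-host 733100, a 733101 naming the target and a 733102 adding the attacker to the shun list. In a SIEM rule, a run of category-only 733100 events with no matching 733102 is the condition to alert on, since it means the firewall saw scan-like drops but never attributed them to a host it could shun.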

2 Replies

mirober2
Cisco Employee

Hi Joel,

When you were doing your nmap scan from the outside, what was your target? The scan needs to be targeted at an internal host or subnet and the traffic must be initially allowed by the ASA. To-the-box traffic is not detected by threat-detection and if the ASA is dropping the scan for any other reason (ACLs, conn limits, etc.), the scanning threat won't kick in.

Hope that helps.

-Mike

Hi Mike,

Ok, this makes sense. I was scanning the public IP address of the box. I'll redo the scan trying to target something inside and see what happens.

Thank you for your reply.

Joel
